Ensure node metadata is concealed for Google Container Node Pool

LOW

Description

Node metadata is not concealed for this Google Container Node Pool. Without metadata concealment, any pod scheduled on the node can query the Compute Engine metadata server (169.254.169.254) and read node attributes such as kube-env, which holds the node's Kubernetes bootstrap credentials. A compromised container could use those credentials to escalate its privileges within the cluster.

Remediation

Metadata concealment is a per-node-pool setting. Follow the GKE documentation below for the prerequisites and for enabling it on a GKE cluster; once the prerequisites are in place, the same setting can be enforced in Terraform. Note that Google has since deprecated metadata concealment in favor of Workload Identity (the GKE metadata server), which also hides node metadata from pods and additionally issues per-workload credentials; prefer that mechanism for new clusters where your provider version supports it.

In Terraform -

  1. In the google_container_node_pool resource (or in the cluster's own node_config for the default node pool), set node_config.workload_metadata_config.node_metadata to SECURE. This is the hashicorp/google 3.x schema; in provider 4.x and later node_metadata was removed and the block takes mode instead, where mode = "GKE_METADATA" enables the GKE metadata server (Workload Identity) and supersedes concealment.
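The configuration below is an added example, not text from the rule or from Google's documentation. It places a non-compliant node pool next to a remediated one on the same cluster; the project, names, location and machine type are placeholders, and the field names follow the hashicorp/google 3.x schema that the rule references.

```hcl
# Added example (not from the original rule text). Two node pools on one
# cluster: the first reproduces finding AC_GCP_0295, the second fixes it.
# Names, location and machine type are placeholders. Field names follow
# the hashicorp/google 3.x provider schema referenced by the rule; in 4.x+
# node_metadata was replaced by mode.

resource "google_container_cluster" "primary" {
  name     = "example-cluster"
  location = "us-central1"

  # Manage node pools as separate resources so each pool's
  # workload_metadata_config is explicit and reviewable.
  remove_default_node_pool = true
  initial_node_count       = 1
}

# Non-compliant: EXPOSE (or leaving workload_metadata_config unset, which
# is the GKE default) lets every pod reach the full metadata server at
# 169.254.169.254, including instance/attributes/kube-env.
resource "google_container_node_pool" "exposed" {
  name       = "exposed-pool"
  cluster    = google_container_cluster.primary.name
  location   = google_container_cluster.primary.location
  node_count = 1

  node_config {
    machine_type = "e2-standard-4"

    workload_metadata_config {
      node_metadata = "EXPOSE"
    }
  }
}

# Compliant: SECURE enables metadata concealment, so pod requests to the
# metadata server are filtered and kube-env and the node's instance
# identity token are denied.
resource "google_container_node_pool" "concealed" {
  name       = "concealed-pool"
  cluster    = google_container_cluster.primary.name
  location   = google_container_cluster.primary.location
  node_count = 1

  node_config {
    machine_type = "e2-standard-4"

    workload_metadata_config {
      node_metadata = "SECURE"
    }
  }
}
```

To confirm the remediation took effect, run a request from a pod on the concealed pool for http://169.254.169.254/computeMetadata/v1/instance/attributes/kube-env with the Metadata-Flavor: Google header; with concealment enabled the request is refused, whereas on the exposed pool it returns the node's bootstrap configuration.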

References:
https://cloud.google.com/kubernetes-engine/docs/how-to/protecting-cluster-metadata
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#node_config
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#nested_node_config

Policy Details

Rule Reference ID: AC_GCP_0295
CSP: GCP
Remediation Available: Yes
Resource Category: Compute

Frameworks