Risk Level: High
Cloud Entity: Kubernetes Cluster
CloudGuard Rule ID: D9.GCP.NET.18
Covered by Spectral: No
Category: Compute

GSL LOGIC

GkeCluster should have nodePools contain [ config.metadata.disable-legacy-endpoints = true ]

REMEDIATION

Note: You can disable legacy metadata APIs only by creation of a new cluster, or by addition of a new node pool to an existing cluster.
To fix this issue, create a new GKE cluster with legacy metadata APIs disabled, migrate all required data from the reported cluster to the newly created cluster before you delete the reported GKE cluster.

To create new Kubernetes engine cluster with legacy compute engine metadata endpoints disabled:
From Portal

Navigate to the 'Kubernetes Engine', and select 'Clusters'
Click on Create cluster
Under the Node pools section, click on 'Metadata'
On 'GCE instance metadata' section, click 'Add metadata'
Add 'disable-legacy-endpoints' as a metadata key and 'true' as a metadata value

From TF
Set the 'disable-legacy-endpoints' to be 'true':

resource "google_container_cluster" "primary" {
	name               = NAME
	location           = LOCATION
	initial_node_count = 3
	...
	node_config {
		metadata = tomap({"disable-legacy-endpoints"="true"})
		...

From Command Line
Run

gcloud container clusters create CLUSTER_NAME --zone COMPUTE_ZONE --metadata=disable-legacy-endpoints=true

To delete reported Kubernetes engine cluster:
From Portal

Go to the Google Kubernetes Engine page in Cloud Console. https://console.cloud.google.com/kubernetes/list
Next to the cluster you want to delete, click 'Actions', then click 'Delete'.
When prompted to confirm, click Delete again.

From Command Line
Run

gcloud container clusters delete CLUSTER_NAME

References

https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters
https://cloud.google.com/kubernetes-engine/docs/how-to/deleting-a-cluster#gcloud
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster

Kubernetes Cluster

Kubernetes Engine is a managed, production-ready environment for deploying containerized applications. It brings our latest innovations in developer productivity, resource efficiency, automated operations, and open source flexibility to accelerate your time to market.

Launched in 2015, Kubernetes Engine builds on Google's experience of running services like Gmail and YouTube in containers for over 12 years. Kubernetes Engine allows you to get up and running with Kubernetes in no time, by completely eliminating the need to install, manage, and operate your own Kubernetes clusters.

Compliance Frameworks

CloudGuard GCP All Rules Ruleset
GCP CloudGuard Best Practices
GCP NIST 800-53 Rev 5