Ensure Kubernetes Engine Clusters legacy compute engine metadata endpoints are disabled
Google Kubernetes Engine (GKE) clusters should have legacy Compute Engine metadata endpoints disabled. Instance metadata should be protected from workloads running on the cluster. The legacy metadata APIs expose the instance metadata of server endpoints. It is recommended to disable the legacy API and use the v1 APIs (which do not expose the metadata) to protect instance metadata from breaches.
Risk Level: High
Cloud Entity: Kubernetes Cluster
CloudGuard Rule ID: D9.GCP.NET.18
Covered by Spectral: No
Category: Compute
GSL LOGIC
GkeCluster should have nodePools contain [ config.metadata.disable-legacy-endpoints = true ]
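The rule above can be evaluated outside CloudGuard against the JSON that `gcloud container clusters describe CLUSTER_NAME --format=json` prints. The check below is an added example, not CloudGuard's own implementation of D9.GCP.NET.18; it assumes that JSON carries the same `nodePools[].config.metadata` map the GSL logic names, and it is stricter than a single matching pool in that every node pool must carry the setting. The sample cluster is constructed.

```python
import json

METADATA_KEY = "disable-legacy-endpoints"


def noncompliant_node_pools(cluster: dict) -> list[str]:
    """Return the names of node pools that do not set disable-legacy-endpoints=true.

    A pool that lacks the key is reported too, because the rule requires the
    value to be explicitly 'true'. Metadata values arrive as strings, so the
    comparison is done on the lower-cased string.
    """
    bad = []
    for pool in cluster.get("nodePools", []):
        metadata = pool.get("config", {}).get("metadata") or {}
        value = metadata.get(METADATA_KEY)
        if value is None or str(value).strip().lower() != "true":
            bad.append(pool.get("name", "<unnamed>"))
    return bad


def is_compliant(cluster: dict) -> bool:
    """True only when the cluster has node pools and all of them pass."""
    pools = cluster.get("nodePools", [])
    return bool(pools) and not noncompliant_node_pools(cluster)


# Constructed sample (assumed shape of `gcloud container clusters describe`):
# one hardened pool, one pool that still allows legacy endpoints, one pool
# with no metadata at all.
SAMPLE_CLUSTER_JSON = """{
  "name": "example-cluster",
  "nodePools": [
    {"name": "hardened-pool",
     "config": {"metadata": {"disable-legacy-endpoints": "true"}}},
    {"name": "legacy-pool",
     "config": {"metadata": {"disable-legacy-endpoints": "false"}}},
    {"name": "unset-pool", "config": {}}
  ]
}"""


def sample_report() -> list[str]:
    """Run the check over the constructed sample cluster."""
    return noncompliant_node_pools(json.loads(SAMPLE_CLUSTER_JSON))


if __name__ == "__main__":
    cluster = json.loads(SAMPLE_CLUSTER_JSON)
    print("compliant:", is_compliant(cluster))
    print("non-compliant pools:", noncompliant_node_pools(cluster))
```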
REMEDIATION
Note: Legacy metadata APIs can only be disabled when creating a new cluster or when adding a new node pool to an existing cluster.
To fix this issue, create a new GKE cluster with legacy metadata APIs disabled, migrate all required data from the reported cluster to the newly created cluster, and only then delete the reported GKE cluster.
To create a new Kubernetes Engine cluster with legacy Compute Engine metadata endpoints disabled:
From Portal
- Navigate to 'Kubernetes Engine' and select 'Clusters'
- Click on Create cluster
- Under the Node pools section, click on 'Metadata'
- On 'GCE instance metadata' section, click 'Add metadata'
- Add 'disable-legacy-endpoints' as a metadata key and 'true' as a metadata value
From TF
Set 'disable-legacy-endpoints' to 'true' in the node_config block of the cluster resource:
resource "google_container_cluster" "primary" {
  name               = NAME
  location           = LOCATION
  initial_node_count = 3
  ...
  node_config {
    # Metadata values are strings, so "true" is quoted
    metadata = tomap({ "disable-legacy-endpoints" = "true" })
    ...
  }
}
From Command Line
Run
gcloud container clusters create CLUSTER_NAME --zone COMPUTE_ZONE --metadata=disable-legacy-endpoints=true
To delete the reported Kubernetes Engine cluster:
From Portal
- Go to the Google Kubernetes Engine page in Cloud Console. https://console.cloud.google.com/kubernetes/list
- Next to the cluster you want to delete, click 'Actions', then click 'Delete'.
- When prompted to confirm, click Delete again.
From Command Line
Run
gcloud container clusters delete CLUSTER_NAME
References
- https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters
- https://cloud.google.com/kubernetes-engine/docs/how-to/deleting-a-cluster#gcloud
- https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster
Kubernetes Cluster
Kubernetes Engine is a managed, production-ready environment for deploying containerized applications. It brings our latest innovations in developer productivity, resource efficiency, automated operations, and open source flexibility to accelerate your time to market.
Launched in 2015, Kubernetes Engine builds on Google's experience of running services like Gmail and YouTube in containers for over 12 years. Kubernetes Engine allows you to get up and running with Kubernetes in no time, by completely eliminating the need to install, manage, and operate your own Kubernetes clusters.
Compliance Frameworks
- CloudGuard GCP All Rules Ruleset
- GCP CloudGuard Best Practices
- GCP NIST 800-53 Rev 5