Ensure Kubernetes Engine Clusters legacy compute engine metadata endpoints are disabled

Google Kubernetes Engine (GKE) clusters should have legacy Compute Engine metadata endpoints disabled. Instance metadata should be protected from workloads running on the cluster. The legacy metadata APIs expose the instance metadata of the node endpoints. It is recommended to disable the legacy API and use the v1 API (which does not expose the metadata), to protect instance metadata from breaches.

Risk Level: High
Cloud Entity: Kubernetes Cluster
CloudGuard Rule ID: D9.GCP.NET.18
Covered by Spectral: No
Category: Compute

GSL LOGIC

GkeCluster should have nodePools contain [ config.metadata.disable-legacy-endpoints = true ]
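The following is an added example, not part of the CloudGuard rule or of GKE itself: it applies the GSL logic above to the JSON that `gcloud container clusters describe CLUSTER --format=json` prints, using only the `nodePools[].name` and `nodePools[].config.metadata` fields. The input documents are constructed samples. Because the page does not spell out the semantics of `contain`, the example takes the stricter reading that every node pool must set `disable-legacy-endpoints` to `"true"` (a single pool that still serves the legacy endpoints exposes metadata regardless of the others) and reports each offending pool by name.

```python
"""Offline evaluation of the D9.GCP.NET.18 check against cluster describe output.

Assumed input shape: the JSON produced by
    gcloud container clusters describe CLUSTER --zone ZONE --format=json
Only nodePools[].name and nodePools[].config.metadata are read.
"""
import json
import sys
from typing import List, Tuple

# Constructed sample documents (not real describe output).
SAMPLE_COMPLIANT = json.dumps({
    "name": "example-compliant",
    "nodePools": [
        {"name": "default-pool",
         "config": {"metadata": {"disable-legacy-endpoints": "true"}}},
        {"name": "batch-pool",
         "config": {"metadata": {"disable-legacy-endpoints": "true"}}},
    ],
})

SAMPLE_NONCOMPLIANT = json.dumps({
    "name": "example-mixed",
    "nodePools": [
        {"name": "default-pool",
         "config": {"metadata": {"disable-legacy-endpoints": "true"}}},
        # Legacy endpoints (the v1beta1 and 0.1 metadata paths) explicitly re-enabled.
        {"name": "legacy-pool",
         "config": {"metadata": {"disable-legacy-endpoints": "false"}}},
        # Key absent: the rule requires the key to be present and equal to "true".
        {"name": "old-pool", "config": {"metadata": {}}},
        # No metadata block at all.
        {"name": "bare-pool", "config": {}},
    ],
})


def pool_disables_legacy_endpoints(pool: dict) -> bool:
    """True when config.metadata.disable-legacy-endpoints is "true" for this pool.

    Metadata values are strings in the API; a boolean True or "True" is
    normalised, anything else (missing key, "false", empty string) fails.
    """
    metadata = pool.get("config", {}).get("metadata") or {}
    value = metadata.get("disable-legacy-endpoints")
    return str(value).lower() == "true"


def evaluate_cluster(describe_json: str) -> Tuple[bool, List[str]]:
    """Apply the GSL rule to one cluster document.

    GSL: GkeCluster should have nodePools contain
         [ config.metadata.disable-legacy-endpoints = true ]
    Returns (compliant, names of node pools that fail). A cluster with no
    node pools is reported as non-compliant, since nothing satisfies the rule.
    """
    cluster = json.loads(describe_json)
    pools = cluster.get("nodePools") or []
    failing = [p.get("name", "<unnamed>") for p in pools
               if not pool_disables_legacy_endpoints(p)]
    return (bool(pools) and not failing), failing


if __name__ == "__main__":
    # Usage: gcloud container clusters describe CLUSTER --zone ZONE --format=json | python3 check.py
    compliant, failing = evaluate_cluster(sys.stdin.read())
    print("COMPLIANT" if compliant else "NON-COMPLIANT: " + ", ".join(failing))
    sys.exit(0 if compliant else 1)
```

Run it against a real cluster by piping the describe output into the script; a non-zero exit status with the offending pool names is what a CI job or audit script would act on, and every listed pool is one that needs to be replaced per the remediation below.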

REMEDIATION

Note: You can disable the legacy metadata APIs only by creating a new cluster, or by adding a new node pool to an existing cluster.
To fix this issue, create a new GKE cluster with the legacy metadata APIs disabled, migrate all required workloads and data from the reported cluster to the newly created cluster, and then delete the reported GKE cluster.

To create a new Kubernetes Engine cluster with legacy Compute Engine metadata endpoints disabled:
From Portal

  1. Navigate to 'Kubernetes Engine', and select 'Clusters'
  2. Click 'Create cluster'
  3. Under the 'Node pools' section, click 'Metadata'
  4. In the 'GCE instance metadata' section, click 'Add metadata'
  5. Add 'disable-legacy-endpoints' as the metadata key and 'true' as the metadata value

From TF
Set 'disable-legacy-endpoints' to 'true' in the node_config metadata:

resource "google_container_cluster" "primary" {
  name               = NAME
  location           = LOCATION
  initial_node_count = 3
  ...
  node_config {
    # Disable the legacy Compute Engine metadata endpoints on every node in this pool
    metadata = tomap({ "disable-legacy-endpoints" = "true" })
    ...
  }
}

From Command Line
Run

gcloud container clusters create CLUSTER_NAME --zone COMPUTE_ZONE --metadata=disable-legacy-endpoints=true

To delete the reported Kubernetes Engine cluster:
From Portal

  1. Go to the Google Kubernetes Engine page in the Cloud Console: https://console.cloud.google.com/kubernetes/list
  2. Next to the cluster you want to delete, click 'Actions', then click 'Delete'
  3. When prompted to confirm, click 'Delete' again

From Command Line
Run

gcloud container clusters delete CLUSTER_NAME

References

  1. https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters
  2. https://cloud.google.com/kubernetes-engine/docs/how-to/deleting-a-cluster#gcloud
  3. https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster

Kubernetes Cluster

Kubernetes Engine is a managed, production-ready environment for deploying containerized applications. It brings our latest innovations in developer productivity, resource efficiency, automated operations, and open source flexibility to accelerate your time to market.

Launched in 2015, Kubernetes Engine builds on Google's experience of running services like Gmail and YouTube in containers for over 12 years. Kubernetes Engine allows you to get up and running with Kubernetes in no time, by completely eliminating the need to install, manage, and operate your own Kubernetes clusters.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CloudGuard Best Practices
  • GCP NIST 800-53 Rev 5