Skip to content

node-metadata-security

Explanation

If the workload_metadata_config block within node_config is included, the node_metadata attribute should be configured securely.

The attribute should be set to SECURE to use metadata concealment, or GKE_METADATA_SERVER if workload identity is enabled. This ensures that the VM metadata is not unnecessarily exposed to pods.

Possible Impact

Metadata that isn't concealed potentially risks leakage of sensitive data

Suggested Resolution

Set node metadata to SECURE or GKE_METADATA_SERVER

Insecure Example

The following example will fail the google-gke-node-metadata-security check.

resource "google_container_node_pool" "bad_example" {
    node_config {
        workload_metadata_config {
            node_metadata = "EXPOSE"
        }
    }
}

Secure Example

The following example will pass the google-gke-node-metadata-security check.

resource "google_container_node_pool" "good_example" {
    node_config {
        workload_metadata_config {
            node_metadata = "SECURE"
        }
    }
}