node-metadata-security
Default Severity: high
Explanation
If the workload_metadata_config block within node_config is included, the node_metadata attribute should be configured securely. The attribute should be set to SECURE to use metadata concealment, or to GKE_METADATA_SERVER if workload identity is enabled. This ensures that the node VM's metadata is not unnecessarily exposed to pods.
Possible Impact
Metadata that isn't concealed potentially risks leakage of sensitive data.
Suggested Resolution
Set node_metadata to SECURE or GKE_METADATA_SERVER.
Insecure Example
The following example will fail the google-gke-node-metadata-security check.
resource "google_container_node_pool" "bad_example" {
  node_config {
    workload_metadata_config {
      node_metadata = "EXPOSE"
    }
  }
}
Secure Example
The following example will pass the google-gke-node-metadata-security check.
resource "google_container_node_pool" "good_example" {
  node_config {
    workload_metadata_config {
      node_metadata = "SECURE"
    }
  }
}
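The explanation also allows GKE_METADATA_SERVER, but only when workload identity is enabled on the cluster. The following is an added example, not part of the tfsec check documentation, showing the two halves that have to go together: workload_identity_config on the cluster and node_metadata = "GKE_METADATA_SERVER" on the node pool. The resource names, the var.project_id variable and the location are assumptions chosen for illustration.

```hcl
# Added example (not from the tfsec docs): GKE_METADATA_SERVER paired with
# workload identity. Names, project_id and location are placeholders.

variable "project_id" {
  description = "GCP project hosting the cluster (placeholder)"
  type        = string
}

resource "google_container_cluster" "wi_example" {
  name     = "wi-example"
  location = "europe-west1"

  # Workload identity must be enabled at the cluster level; without this,
  # GKE_METADATA_SERVER on the node pool does not give pods a usable identity.
  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }

  # Manage node pools separately so the metadata setting lives in one place.
  remove_default_node_pool = true
  initial_node_count       = 1
}

resource "google_container_node_pool" "wi_example" {
  name     = "wi-example-pool"
  location = google_container_cluster.wi_example.location
  cluster  = google_container_cluster.wi_example.name

  node_config {
    # Passes google-gke-node-metadata-security: pods talk to the GKE metadata
    # server, which hands out per-workload identities instead of exposing the
    # node VM's metadata (and its service account token) to every pod.
    workload_metadata_config {
      node_metadata = "GKE_METADATA_SERVER"
    }
  }
}
```

The node_metadata attribute shown here matches the provider version the check documentation targets. In google provider 4.x and later the same block takes mode = "GKE_METADATA" instead, so a pool that fails this check on an older provider will need the attribute renamed, not just its value changed, when the provider is upgraded.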