More Info:

Running the GKE Metadata Server prevents workloads from accessing sensitive instance metadata and facilitates Workload Identity

Risk Level

Low

Address

Security, Reliability, Operational Excellence, Performance Efficiency

Compliance Standards

CISGKE

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Ensure The GKE Metadata Server Is Enabled” for GCP using GCP console, follow the below steps:
  1. Go to the Google Kubernetes Engine (GKE) cluster in the GCP console.
  2. Click on “Edit” button at the top of the page.
  3. Scroll down to the “Security” section.
  4. Ensure that “Enable metadata concealment” is unchecked.
  5. Click on “Save” button at the bottom of the page.
By following these steps, you will remediate the misconfiguration “Ensure The GKE Metadata Server Is Enabled” for GCP using GCP console.

To remediate the misconfiguration “Ensure The GKE Metadata Server Is Enabled” for GCP using GCP CLI, you can follow the below steps:
  1. Open the Cloud Shell in the GCP Console.
  2. Run the following command to enable the GKE Metadata Server:
gcloud container clusters update CLUSTER_NAME --enable-metadata-concealment=false
Replace CLUSTER_NAME with the name of your GKE cluster.
  1. Verify that the GKE Metadata Server is enabled by running the following command:
gcloud container clusters describe CLUSTER_NAME --format="value(masterAuth.clusterCaCertificate)"
If the output shows a valid cluster certificate, then the GKE Metadata Server is enabled.
  1. Repeat the above steps for all the GKE clusters in your GCP project.
By following the above steps, you can successfully remediate the misconfiguration “Ensure The GKE Metadata Server Is Enabled” for GCP using GCP CLI.
To remediate the misconfiguration “Ensure The GKE Metadata Server Is Enabled” for GCP using Python, follow these steps:
  1. Install the required Python libraries:
pip install google-auth google-auth-oauthlib google-auth-httplib2 google-cloud-container
  1. Authenticate with GCP:
from google.oauth2 import service_account
from google.cloud import container_v1

credentials = service_account.Credentials.from_service_account_file('<path-to-service-account-key.json>')
client = container_v1.ClusterManagerClient(credentials=credentials)
  1. Get the cluster:
project_id = '<your-project-id>'
zone = '<your-zone>'
cluster_id = '<your-cluster-id>'

cluster = client.get_cluster(project_id, zone, cluster_id)
  1. Check if the GKE Metadata Server is enabled:
if cluster.private_cluster_config.enable_private_endpoint:
    print('GKE Metadata Server is already enabled')
else:
    print('GKE Metadata Server is not enabled')
  1. Enable the GKE Metadata Server:
cluster.private_cluster_config.enable_private_endpoint = True

update_request = container_v1.types.UpdateClusterRequest(
    project_id=project_id,
    zone=zone,
    cluster_id=cluster_id,
    update=cluster,
)

operation = client.update_cluster(update_request)

print('Waiting for operation to complete...')
operation.result()

print('GKE Metadata Server has been enabled')
Note: Make sure to replace <path-to-service-account-key.json>, <your-project-id>, <your-zone>, and <your-cluster-id> with the appropriate values.

Additional Reading: