GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Ensure The GKE Metadata Server Is Enabled
More Info:
Running the GKE Metadata Server prevents workloads from accessing sensitive instance metadata and facilitates Workload Identity
Risk Level
Low
Address
Security, Reliability, Operational Excellence, Performance Efficiency
Compliance Standards
CISGKE
Triage and Remediation
Remediation
To remediate the misconfiguration “Ensure The GKE Metadata Server Is Enabled” for GCP using GCP console, follow the below steps:
- Go to the Google Kubernetes Engine (GKE) cluster in the GCP console.
- Click on “Edit” button at the top of the page.
- Scroll down to the “Security” section.
- Ensure that “Enable metadata concealment” is unchecked.
- Click on “Save” button at the bottom of the page.
By following these steps, you will remediate the misconfiguration “Ensure The GKE Metadata Server Is Enabled” for GCP using GCP console.
To remediate the misconfiguration “Ensure The GKE Metadata Server Is Enabled” for GCP using GCP CLI, you can follow the below steps:
-
Open the Cloud Shell in the GCP Console.
-
Run the following command to enable the GKE Metadata Server:
gcloud container clusters update CLUSTER_NAME --enable-metadata-concealment=false
Replace CLUSTER_NAME with the name of your GKE cluster.
- Verify that the GKE Metadata Server is enabled by running the following command:
gcloud container clusters describe CLUSTER_NAME --format="value(masterAuth.clusterCaCertificate)"
If the output shows a valid cluster certificate, then the GKE Metadata Server is enabled.
- Repeat the above steps for all the GKE clusters in your GCP project.
By following the above steps, you can successfully remediate the misconfiguration “Ensure The GKE Metadata Server Is Enabled” for GCP using GCP CLI.
To remediate the misconfiguration “Ensure The GKE Metadata Server Is Enabled” for GCP using Python, follow these steps:
- Install the required Python libraries:
pip install google-auth google-auth-oauthlib google-auth-httplib2 google-cloud-container
- Authenticate with GCP:
from google.oauth2 import service_account
from google.cloud import container_v1
credentials = service_account.Credentials.from_service_account_file('<path-to-service-account-key.json>')
client = container_v1.ClusterManagerClient(credentials=credentials)
- Get the cluster:
project_id = '<your-project-id>'
zone = '<your-zone>'
cluster_id = '<your-cluster-id>'
cluster = client.get_cluster(project_id, zone, cluster_id)
- Check if the GKE Metadata Server is enabled:
if cluster.private_cluster_config.enable_private_endpoint:
print('GKE Metadata Server is already enabled')
else:
print('GKE Metadata Server is not enabled')
- Enable the GKE Metadata Server:
cluster.private_cluster_config.enable_private_endpoint = True
update_request = container_v1.types.UpdateClusterRequest(
project_id=project_id,
zone=zone,
cluster_id=cluster_id,
update=cluster,
)
operation = client.update_cluster(update_request)
print('Waiting for operation to complete...')
operation.result()
print('GKE Metadata Server has been enabled')
Note: Make sure to replace <path-to-service-account-key.json>, <your-project-id>, <your-zone>, and <your-cluster-id> with the appropriate values.