Ensure The GKE Metadata Server Is Enabled
More Info:
Running the GKE Metadata Server prevents workloads from accessing sensitive instance metadata and facilitates Workload IdentityRisk Level
LowAddress
Security, Reliability, Operational Excellence, Performance EfficiencyCompliance Standards
CISGKETriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration “Ensure The GKE Metadata Server Is Enabled” for GCP using GCP console, follow the below steps:
- Go to the Google Kubernetes Engine (GKE) cluster in the GCP console.
- Click on “Edit” button at the top of the page.
- Scroll down to the “Security” section.
- Ensure that “Enable metadata concealment” is unchecked.
- Click on “Save” button at the bottom of the page.
Using CLI
Using CLI
To remediate the misconfiguration “Ensure The GKE Metadata Server Is Enabled” for GCP using GCP CLI, you can follow the below steps:Replace If the output shows a valid cluster certificate, then the GKE Metadata Server is enabled.
- Open the Cloud Shell in the GCP Console.
- Run the following command to enable the GKE Metadata Server:
CLUSTER_NAME with the name of your GKE cluster.- Verify that the GKE Metadata Server is enabled by running the following command:
- Repeat the above steps for all the GKE clusters in your GCP project.
Using Python
Using Python
To remediate the misconfiguration “Ensure The GKE Metadata Server Is Enabled” for GCP using Python, follow these steps:Note: Make sure to replace
- Install the required Python libraries:
- Authenticate with GCP:
- Get the cluster:
- Check if the GKE Metadata Server is enabled:
- Enable the GKE Metadata Server:
<path-to-service-account-key.json>, <your-project-id>, <your-zone>, and <your-cluster-id> with the appropriate values.