Ensure that GKE Metadata Server is enabled for your Google Kubernetes Engine (GKE) cluster nodes to enhance security by restricting workload access to sensitive instance information. The GKE Metadata Server feature requires Workload Identity for improved authentication and authorization.
PoC代码[已公开]
id: gcloud-gke-metadata-server-disabled
info:
name: GKE Clusters Without Metadata Server Enabled
author: princechaddha
severity: medium
description: |
Ensure that GKE Metadata Server is enabled for your Google Kubernetes Engine (GKE) cluster nodes to enhance security by restricting workload access to sensitive instance information. The GKE Metadata Server feature requires Workload Identity for improved authentication and authorization.
impact: |
Without GKE Metadata Server enabled, pods have unrestricted access to the node's underlying metadata server, which contains sensitive information including kubelet credentials and VM instance identity tokens.
remediation: |
Enable GKE Metadata Server for your cluster node pools using:
gcloud container node-pools update POOL_NAME --cluster=CLUSTER_NAME --workload-metadata-from-node=GKE_METADATA
reference:
- https://cloud.google.com/kubernetes-engine/docs/how-to/protecting-cluster-metadata
- https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/GKE/enable-metadata-server.html
tags: cloud,devops,gcp,gcloud,gke,kubernetes,security,metadata,gcp-cloud-config
flow: |
code(1)
for(let projectId of iterate(template.projectIds)){
set("projectId", projectId)
code(2)
for(let cluster of iterate(template.clusters)){
cluster = JSON.parse(cluster)
set("clusterName", cluster.name)
set("location", cluster.location)
code(3)
for(let nodePool of iterate(template.nodePools)){
nodePool = JSON.parse(nodePool)
set("nodePoolName", nodePool.name)
code(4)
}
}
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
gcloud projects list --format="json(projectId)"
extractors:
- type: json
name: projectIds
internal: true
json:
- '.[].projectId'
- engine:
- sh
- bash
source: |
gcloud container clusters list --project $projectId --format="json(name,location)"
extractors:
- type: json
name: clusters
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
gcloud container node-pools list --cluster $clusterName --location $location --project $projectId --format="json(name)"
extractors:
- type: json
name: nodePools
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
gcloud container node-pools describe $nodePoolName --cluster $clusterName --location $location --project $projectId --format="value(config.workloadMetadataConfig)"
matchers:
- type: word
words:
- "GCE_METADATA"
extractors:
- type: dsl
dsl:
- '"Node pool " + nodePoolName + " in GKE cluster " + clusterName + " (" + location + ") of project " + projectId + " does not have GKE Metadata Server enabled"'
# digest: 4a0a004730450220032973e1d5cfb3eca87da458a87738a9748b47831c57c591fb6536e4fbd9ec2a022100ce340afdf94700b4d0ec9782cc9a4bb462793479ed15dee0bdc4b1e2027b5d32:922c64590222798bb761d5b6d8e72950