Ensure that the node pool nodes of your Google Kubernetes Engine (GKE) clusters are shielded so that each node has a strong, cryptographically verifiable identity. This limits an attacker's ability to impersonate a node in your GKE cluster even if the attacker manages to extract the node's credentials.
When your GKE node pool nodes are not shielded, an attacker who exploits a vulnerability in a Kubernetes Pod can exfiltrate the node bootstrap credentials and use them to impersonate nodes in your cluster, which gives the attacker access to your cluster secrets. When your GKE cluster nodes are shielded, the cluster master uses a cryptographic check to verify that every node within your cluster is a virtual machine instance running in a Google Cloud data center.
To determine if your Google Kubernetes Engine (GKE) cluster nodes are shielded, perform the following operations:
Remediation / Resolution
To enable the Shielded GKE Nodes security feature for your existing Google Kubernetes Engine (GKE) clusters, perform the following operations:
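As an added illustration of both the audit described above and the remediation step, the following script (written for this page, not part of the Conformity knowledge base or of Google's tooling) evaluates cluster descriptions in the JSON shape returned by `gcloud container clusters describe <name> --format=json`, reports every cluster whose `shieldedNodes.enabled` field is not `true`, and builds the matching `gcloud container clusters update ... --enable-shielded-nodes` command. The cluster names and locations are constructed sample data, and the zone-versus-region detection is an assumption based on GCP zone names ending in a single-letter suffix.

```python
import shlex
from typing import Dict, List

# Constructed sample data: the fields this check reads from three cluster
# descriptions, in the shape `gcloud container clusters describe --format=json`
# returns. Real descriptions contain many more fields, which are irrelevant here.
SAMPLE_CLUSTERS: List[Dict] = [
    {"name": "prod-cluster", "location": "us-central1",
     "shieldedNodes": {"enabled": True}},
    {"name": "legacy-cluster", "location": "us-east1-b"},      # field absent
    {"name": "dev-cluster", "location": "europe-west1",
     "shieldedNodes": {"enabled": False}},                      # explicitly off
]


def shielded_nodes_enabled(cluster: Dict) -> bool:
    """Compliant only when the description explicitly reports
    shieldedNodes.enabled == true. A missing block counts as not shielded,
    since older clusters created without the feature omit it."""
    return bool(cluster.get("shieldedNodes", {}).get("enabled", False))


def find_unshielded(clusters: List[Dict]) -> List[str]:
    """Names of clusters that fail the Shielded GKE Nodes check."""
    return [c["name"] for c in clusters if not shielded_nodes_enabled(c)]


def location_flag(location: str) -> str:
    """Assumption: a GCP zone is its region name plus a one-letter suffix
    (e.g. us-east1-b), while a region has no such suffix (us-central1)."""
    suffix = location.rsplit("-", 1)[-1]
    return "--zone" if len(suffix) == 1 and suffix.isalpha() else "--region"


def remediation_command(cluster: Dict) -> str:
    """The gcloud command that turns on Shielded GKE Nodes for one cluster."""
    return (
        f"gcloud container clusters update {shlex.quote(cluster['name'])} "
        f"{location_flag(cluster['location'])} {shlex.quote(cluster['location'])} "
        f"--enable-shielded-nodes"
    )


def audit(clusters: List[Dict]) -> Dict[str, str]:
    """Map each non-compliant cluster name to its remediation command."""
    by_name = {c["name"]: c for c in clusters}
    return {name: remediation_command(by_name[name])
            for name in find_unshielded(clusters)}


if __name__ == "__main__":
    findings = audit(SAMPLE_CLUSTERS)
    if not findings:
        print("All clusters have Shielded GKE Nodes enabled.")
    for name, cmd in findings.items():
        print(f"NON-COMPLIANT: {name}\n  fix: {cmd}")
```

To run this against real clusters, feed it the JSON from `gcloud container clusters list --format=json` instead of `SAMPLE_CLUSTERS`; the check itself is unchanged. Enabling the feature on an existing cluster recreates the nodes, so schedule the update command in a maintenance window.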
Rule: Use Shielded GKE Cluster Nodes
Risk level: Medium