GCP006 - Node metadata value disables metadata concealment.

Written by tfsec

Explanation

If the workload_metadata_config block within node_config is included, the node_metadata attribute should be configured securely.

The attribute should be set to SECURE to use metadata concealment, or GKE_METADATA_SERVER if workload identity is enabled. This ensures that the VM metadata is not unnecessarily exposed to pods.

Insecure Example

The following example will fail the GCP006 check.

resource "google_container_node_pool" "bad_example" {
	node_config {
		workload_metadata_config {
			node_metadata = "EXPOSE"
		}
	}
}

Secure Example

The following example will pass the GCP006 check.

resource "google_container_node_pool" "good_example" {
	node_config {
		workload_metadata_config {
			node_metadata = "SECURE"
		}
	}
}

Related Links

• https://cloud.google.com/kubernetes-engine/docs/how-to/protecting-cluster-metadata#create-concealed

• https://www.terraform.io/docs/providers/google/r/container_cluster.html#node_metadata

---