Node metadata value disables metadata concealment.

Explanation

If the workload_metadata_config block within node_config is included, the node_metadata attribute should be configured securely. Set it to SECURE to use metadata concealment, or to GKE_METADATA_SERVER if workload identity is enabled. Either setting ensures that the VM metadata is not unnecessarily exposed to pods.
Insecure Example
The following example will fail the GCP006 check.
resource "google_container_node_pool" "gke" {
  node_config {
    workload_metadata_config {
      node_metadata = "EXPOSE"
    }
  }
}
Secure Example
The following example will pass the GCP006 check.
resource "google_container_node_pool" "gke" {
  node_config {
    workload_metadata_config {
      node_metadata = "SECURE"
    }
  }
}
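The following is an added example, not part of the check's own documentation or tfsec's implementation: a small line-oriented scanner that applies the GCP006 rule to Terraform text. It walks the block nesting, picks out any node_metadata attribute found at resource > node_config > workload_metadata_config, and reports values other than SECURE or GKE_METADATA_SERVER. The regexes, the function names and the sample configurations below are assumptions constructed for this example; the scanner assumes one block opener or attribute per line and closing braces on their own line, so it is an illustration of the rule, not a replacement for a real HCL parser.

```python
import re

# Values that the GCP006 check accepts for node_metadata (from the check text).
ALLOWED_NODE_METADATA = {"SECURE", "GKE_METADATA_SERVER"}

# Line-oriented patterns (assumption: one opener/attribute per line, closing
# braces on their own line, double-quoted string values).
_RESOURCE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{\s*$')
_BLOCK = re.compile(r'^\s*([A-Za-z_]\w*)\s*\{\s*$')
_ATTR = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"([^"]*)"\s*$')


def node_metadata_values(hcl_text):
    """Return [(resource_address, value)] for every node_metadata attribute
    found at resource > node_config > workload_metadata_config."""
    stack = []   # names of the blocks currently open, outermost first
    found = []
    for line in hcl_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _RESOURCE.match(line)
        if m:
            stack.append(f"{m.group(1)}.{m.group(2)}")
            continue
        m = _BLOCK.match(line)
        if m:
            stack.append(m.group(1))
            continue
        if stripped == "}":
            if stack:
                stack.pop()
            continue
        m = _ATTR.match(line)
        if (m and m.group(1) == "node_metadata"
                and len(stack) == 3
                and stack[1:] == ["node_config", "workload_metadata_config"]):
            found.append((stack[0], m.group(2)))
    return found


def check_gcp006(hcl_text):
    """Return one message per failing node_metadata; an empty list is a pass.
    As the check text says, a resource that omits the
    workload_metadata_config block produces no finding."""
    return [
        f'{address}: node_metadata = "{value}" disables metadata concealment '
        f"(expected one of {sorted(ALLOWED_NODE_METADATA)})"
        for address, value in node_metadata_values(hcl_text)
        if value not in ALLOWED_NODE_METADATA
    ]


# Constructed sample inputs mirroring the examples above.
INSECURE_EXAMPLE = """
resource "google_container_node_pool" "gke" {
  node_config {
    workload_metadata_config {
      node_metadata = "EXPOSE"
    }
  }
}
"""

SECURE_EXAMPLE = INSECURE_EXAMPLE.replace('"EXPOSE"', '"SECURE"')
WORKLOAD_IDENTITY_EXAMPLE = INSECURE_EXAMPLE.replace('"EXPOSE"', '"GKE_METADATA_SERVER"')

# Constructed: no workload_metadata_config block at all, so GCP006 does not fire.
NO_BLOCK_EXAMPLE = """
resource "google_container_node_pool" "gke" {
  node_config {
    machine_type = "e2-medium"
  }
}
"""

if __name__ == "__main__":
    for name, text in [("insecure", INSECURE_EXAMPLE), ("secure", SECURE_EXAMPLE),
                       ("workload identity", WORKLOAD_IDENTITY_EXAMPLE),
                       ("no block", NO_BLOCK_EXAMPLE)]:
        findings = check_gcp006(text)
        print(f"{name}: {'FAIL' if findings else 'PASS'}")
        for f in findings:
            print("  " + f)
```

Running the block prints FAIL only for the insecure example; the SECURE and GKE_METADATA_SERVER variants pass, and the configuration without a workload_metadata_config block is not reported, matching the scope stated in the explanation.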