
Node metadata value disables metadata concealment.

Explanation

If a workload_metadata_config block is present inside node_config, its node_metadata attribute must be set to a value that keeps the node's instance metadata away from pods.

Set the attribute to SECURE to enable metadata concealment, or to GKE_METADATA_SERVER if Workload Identity is enabled on the cluster. Either setting stops pods from reading sensitive VM metadata such as kube-env, which carries the bootstrap credentials the node uses to authenticate to the control plane; with EXPOSE, any container that can reach the metadata endpoint can fetch those credentials and act as the node. Note that version 4.0 and later of the google provider replace node_metadata with a mode attribute (GKE_METADATA or GCE_METADATA), so this attribute only appears in configurations written for older provider versions.

Insecure Example

The following example will fail the GCP006 check.

resource "google_container_node_pool" "gke" {
	node_config {
		workload_metadata_config {
			node_metadata = "EXPOSE"
		}
	}
}

Secure Example

The following example will pass the GCP006 check.

resource "google_container_node_pool" "gke" {
	node_config {
		workload_metadata_config {
			node_metadata = "SECURE"
		}
	}
}
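As an added illustration (not tfsec's own code and not part of the original page), the following Python scanner implements the GCP006 condition over the two snippets above: it walks the HCL block structure line by line and reports any node_metadata attribute under node_config.workload_metadata_config whose value is not SECURE or GKE_METADATA_SERVER. The sample inputs are constructed copies of the page's examples; it also reports the attribute on a google_container_cluster node_config, which is a generalization beyond the node pool case the page shows. The line-based HCL parsing is deliberately minimal (one block opener or attribute per line) and is an assumption of this example, not a general HCL parser.

```python
"""Minimal scanner for the GCP006 condition: a node_metadata value that
disables metadata concealment. Added illustration, not tfsec's own code."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Values the check accepts (from the page text). Anything else, e.g. EXPOSE
# or UNSPECIFIED, leaves the VM metadata server reachable from pods.
ALLOWED_NODE_METADATA = {"SECURE", "GKE_METADATA_SERVER"}

# One-line HCL forms only (assumption of this example):
#   type "label" "label" {      name {      key = "value"      }
BLOCK_RE = re.compile(r'^\s*([A-Za-z_][\w-]*)((?:\s+"[^"]*")*)\s*\{\s*$')
ATTR_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"([^"]*)"\s*$')


@dataclass
class Finding:
    resource: str   # e.g. google_container_node_pool.gke
    line: int       # 1-based line of the offending attribute
    value: str      # the node_metadata value that was found


def scan_hcl(text: str) -> List[Finding]:
    """Report node_metadata attributes inside node_config.workload_metadata_config
    whose value is not in ALLOWED_NODE_METADATA."""
    stack: List[Tuple[str, List[str]]] = []   # (block type, quoted labels)
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "//")):
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        m = BLOCK_RE.match(line)
        if m:
            stack.append((m.group(1), re.findall(r'"([^"]*)"', m.group(2))))
            continue
        m = ATTR_RE.match(line)
        if not m or m.group(1) != "node_metadata":
            continue
        types = [b[0] for b in stack]
        if types[-2:] != ["node_config", "workload_metadata_config"]:
            continue
        if m.group(2) in ALLOWED_NODE_METADATA:
            continue
        # Identify the resource from the outermost block, e.g.
        # resource "google_container_node_pool" "gke" -> google_container_node_pool.gke
        root_type, root_labels = stack[0]
        resource = ".".join(root_labels) if root_type == "resource" else root_type
        findings.append(Finding(resource, lineno, m.group(2)))
    return findings


# Constructed sample inputs mirroring the page's insecure and secure examples.
INSECURE_HCL = '''\
resource "google_container_node_pool" "gke" {
  node_config {
    workload_metadata_config {
      node_metadata = "EXPOSE"
    }
  }
}
'''
SECURE_HCL = INSECURE_HCL.replace('"EXPOSE"', '"SECURE"')

# Constructed cluster-level case (generalization beyond the page's node pool example).
CLUSTER_HCL = '''\
resource "google_container_cluster" "primary" {
  node_config {
    workload_metadata_config {
      node_metadata = "UNSPECIFIED"
    }
  }
}
'''

if __name__ == "__main__":
    for name, src in (("insecure", INSECURE_HCL), ("secure", SECURE_HCL), ("cluster", CLUSTER_HCL)):
        print(name, scan_hcl(src) or "pass")
```

Running the module prints one finding for the insecure node pool (line 4, value EXPOSE), a pass for the secure variant, and a finding for the cluster-level UNSPECIFIED value. Because the scanner only matches the node_config.workload_metadata_config path, a workload_metadata_config block placed elsewhere is ignored rather than misreported.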