The Compute Engine instance metadata server exposes legacy v0.1 and v1beta1 endpoints, which do not enforce metadata query headers.
Header enforcement is a feature of the v1 APIs that makes it more difficult for a potential attacker to retrieve instance metadata.
Unless specifically required, we recommend you disable these legacy APIs.
When setting the metadata block, the default value for disable-legacy-endpoints is true; the legacy endpoints should not be explicitly enabled.
Legacy metadata endpoints don’t require metadata headers
Disable legacy metadata endpoints
The following example will fail the google-gke-metadata-endpoints-disabled check.
The following example will pass the google-gke-metadata-endpoints-disabled check.
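An added example, not taken from the check's own documentation: a `google_container_cluster` that explicitly enables the legacy endpoints in its node metadata, beside one that keeps them disabled. Resource names, cluster names and the location are constructed, and the `metadata` map syntax assumes the Terraform Google provider's `node_config` argument.

```hcl
# Constructed example: names and location are placeholders.

# Fails the check: the legacy v0.1 and v1beta1 metadata endpoints are
# explicitly enabled, so node metadata can be read without the
# "Metadata-Flavor: Google" header that the v1 API requires.
resource "google_container_cluster" "legacy_enabled" {
  name               = "example-legacy-enabled"
  location           = "us-central1"
  initial_node_count = 1

  node_config {
    metadata = {
      disable-legacy-endpoints = "false"
    }
  }
}

# Passes the check: the legacy endpoints stay disabled. Stating the key
# explicitly keeps it in place when other metadata keys are added later.
resource "google_container_cluster" "legacy_disabled" {
  name               = "example-legacy-disabled"
  location           = "us-central1"
  initial_node_count = 1

  node_config {
    metadata = {
      disable-legacy-endpoints = "true"
    }
  }
}

# Separately managed node pools carry their own node_config;
# set the same key there as well.
resource "google_container_node_pool" "workers" {
  name       = "example-workers"
  cluster    = google_container_cluster.legacy_disabled.name
  location   = google_container_cluster.legacy_disabled.location
  node_count = 1

  node_config {
    metadata = {
      disable-legacy-endpoints = "true"
    }
  }
}
```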