workload_metadata_config block within
node_config is included, the
node_metadata attribute should be configured securely.
The attribute should be set to
SECURE to use metadata concealment, or
GKE_METADATA_SERVER if workload identity is enabled. This ensures that the VM metadata is not unnecessarily exposed to pods.
Metadata that isn’t concealed potentially risks leakage of sensitive data
Set node metadata to SECURE or GKE_METADATA_SERVER
The following example will fail the google-gke-node-metadata-security check.
The following example will pass the google-gke-node-metadata-security check.