GCP Kubernetes cluster shielded GKE node with Secure Boot disabled

Description

Enable Secure Boot for Shielded GKE Nodes to verify the digital signature of node boot components. An attacker may seek to alter boot components to persist malware or root kits during system initialization. Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails.

Code Example

resource "google_container_cluster" "success" {
  name               = var.name
  
  ...
  node_config {
    workload_metadata_config {
      node_metadata = "GKE_METADATA_SERVER"
    }
    shielded_instance_config {
-     enable_secure_boot = false
    }
  }

Remediation

Terraform

Resource: google_container_cluster / google_container_node_pool
Arguments: node_config.shielded_instance_config.enable_secure_boot

Rule Details

Field	Value
ID	IAC-0926
Severity	LOW
IaC Type	Terraform
Frameworks	Terraform, TerraformPlan
Checkov ID	CKV_GCP_68

References

Checkov Rule

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

GCP Kubernetes cluster shielded GKE node with Secure Boot disabled

Description

Code Example

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

GCP Kubernetes cluster shielded GKE node with Secure Boot disabled ​

Description ​

Code Example ​

Remediation ​

Rule Details ​

References ​

GCP Kubernetes cluster shielded GKE node with Secure Boot disabled

Description

Code Example

Remediation

Rule Details

References