GCP Kubernetes cluster Shielded GKE Nodes feature disabled
Description
Shielded GKE Nodes provides verifiable integrity via secure boot, virtual trusted platform module (vTPM)-enabled measured boot, and integrity monitoring. Shielded GKE nodes protects clusters against boot- or kernel-level malware or rootkits which persist beyond infected OS. Shielded GKE nodes run firmware which is signed and verified using Google's Certificate Authority, ensuring that the nodes' firmware is unmodified and establishing the root of trust for Secure Boot. GKE node identity is strongly protected via virtual Trusted Platform Module (vTPM) and verified remotely by the master node before the node joins the cluster. Lastly, GKE node integrity (i.e., boot sequence and kernel) is measured and can be monitored and verified remotely.
Code Example
{
"resource "google_container_cluster" "success" {
name = var.name
location = var.location
initial_node_count = 1
project = data.google_project.project.name
+ enable_shielded_nodes = true
}
",
}Remediation
Terraform
- Resource: google_container_cluster
- Arguments: enable_shielded_nodes
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0929 |
| Severity | INFO |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_GCP_71 |