GCP Kubernetes cluster shielded GKE node with integrity monitoring disabled
Description
Enable Integrity Monitoring for Shielded GKE Nodes to be notified of inconsistencies during the node boot sequence. Integrity Monitoring provides active alerting for Shielded GKE nodes which allows administrators to respond to integrity failures and prevent compromised nodes from being deployed into the cluster.
Code Example
```hcl
resource "google_container_cluster" "fail" {
  name               = var.name
  location           = var.location
  initial_node_count = 1
  project            = data.google_project.project.name
  node_config {
    shielded_instance_config {
      enable_integrity_monitoring = false # fails this rule: integrity monitoring is disabled
    }
  }
}
```
Remediation
Terraform
- Resource: google_container_cluster / google_container_node_pool
- Arguments: node_config.shielded_instance_config.enable_integrity_monitoring
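The rule's Frameworks row lists TerraformPlan, so the same check can be run against `terraform show -json` output before apply. The script below is an added example, not Checkov's own implementation of CKV_GCP_72: it walks `resource_changes` for the two resource types named above and flags any `node_config.shielded_instance_config` block whose `enable_integrity_monitoring` is explicitly `false`. It assumes an absent setting is compliant, since the google provider enables integrity monitoring by default; the embedded plan is constructed for the demonstration.

```python
import json
import sys

# Resource types the rule applies to (from the Remediation section above).
RESOURCE_TYPES = {"google_container_cluster", "google_container_node_pool"}


def integrity_monitoring_enabled(node_config):
    """Return False if any shielded_instance_config block in this node_config
    explicitly sets enable_integrity_monitoring = false.

    An absent argument is treated as enabled (assumption: provider default is true).
    Terraform plan JSON renders nested blocks as lists of objects, hence the loop.
    """
    for sic in node_config.get("shielded_instance_config") or []:
        if sic.get("enable_integrity_monitoring") is False:
            return False
    return True


def find_violations(plan):
    """Return the addresses of planned GKE resources that disable integrity monitoring."""
    violations = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in RESOURCE_TYPES:
            continue
        change = rc.get("change", {})
        after = change.get("after")
        if not after:  # deletions have no planned state to inspect
            continue
        for node_config in after.get("node_config") or []:
            if not integrity_monitoring_enabled(node_config):
                violations.append(rc["address"])
                break
    return violations


# Constructed sample plan: one failing cluster, one compliant node pool,
# one node pool with no shielded_instance_config block, one deletion.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "google_container_cluster.fail",
            "type": "google_container_cluster",
            "change": {
                "actions": ["create"],
                "after": {
                    "name": "fail",
                    "node_config": [
                        {"shielded_instance_config": [{"enable_integrity_monitoring": False}]}
                    ],
                },
            },
        },
        {
            "address": "google_container_node_pool.pass",
            "type": "google_container_node_pool",
            "change": {
                "actions": ["create"],
                "after": {
                    "name": "pass",
                    "node_config": [
                        {"shielded_instance_config": [{"enable_integrity_monitoring": True}]}
                    ],
                },
            },
        },
        {
            "address": "google_container_node_pool.defaults",
            "type": "google_container_node_pool",
            "change": {
                "actions": ["create"],
                "after": {"name": "defaults", "node_config": [{}]},
            },
        },
        {
            "address": "google_container_cluster.removed",
            "type": "google_container_cluster",
            "change": {"actions": ["delete"], "after": None},
        },
    ],
}


if __name__ == "__main__":
    # Usage: python check_integrity_monitoring.py plan.json
    # (plan.json from: terraform plan -out=plan.out && terraform show -json plan.out > plan.json)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    for address in find_violations(plan):
        print(f"IAC-0930 / CKV_GCP_72: integrity monitoring disabled on {address}")
```

Run with no arguments to see the constructed sample flagged; run with a real plan JSON to gate a pipeline on the exit of this check. Treating a missing argument as compliant mirrors the provider default but means a module that deliberately omits `shielded_instance_config` is not reported; tighten the check if your policy requires the argument to be set explicitly.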
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0930 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_GCP_72 |