GKE Workload Identity is disabled Affecting Container service in Google


Severity: medium
Severity Framework: Snyk CCSS
Rule category: Containers / Best Practices

Frameworks: CIS-Controls, CSA-CCM
Snyk ID: SNYK-CC-00425
Credit: Snyk Research Team

Description

When Workload Identity is not enabled, pods running on the cluster's nodes can reach the node's metadata server and may be able to read sensitive information from it, including the credentials of the node's service account.

How to fix?

Set the `mode` attribute of `node_config.workload_metadata_config` (named `node_metadata` in older versions of the Google provider) to `GKE_METADATA`, or set `enable_autopilot = true`.

Example Configuration

# Standard cluster: Workload Identity is enabled on the cluster and the
# node pool serves the GKE metadata server instead of the node's own.
resource "google_container_cluster" "allowed1" {
  name               = "my-cluster"
  location           = "asia-east1"
  initial_node_count = 1

  node_config {
    # Pods see the GKE metadata server, not the underlying GCE node metadata.
    workload_metadata_config {
      mode = "GKE_METADATA"
    }
    machine_type = "e2-medium"
    disk_size_gb = 10
  }

  # Workload pool for the cluster; in practice this is <project-id>.svc.id.goog.
  workload_identity_config {
    workload_pool = "test-pool.svc.id.goog"
  }
}

# Autopilot cluster: Workload Identity is always on, so no node_config is needed.
resource "google_container_cluster" "allowed2" {
  name               = "my-node-pool"
  location           = "asia-east1"
  initial_node_count = 1

  # Autopilot requires VPC-native networking; an empty block accepts the defaults.
  ip_allocation_policy {
  }

  enable_autopilot = true
}
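As an added example (not part of this Snyk rule page, and not Snyk's own checker), the following script applies this rule to the JSON output of `terraform show -json tfplan`. It goes slightly beyond the page: it also inspects separately managed `google_container_node_pool` resources, since each node pool carries its own `workload_metadata_config`, and it reports a cluster that sets `GKE_METADATA` without a `workload_identity_config.workload_pool`. The embedded plan is a constructed, abridged sample with two compliant clusters (mirroring the page's `allowed1` and `allowed2`) and one non-compliant cluster named `denied`.

```python
"""Flag GKE clusters/node pools in a `terraform show -json` plan whose pods
would reach the node's GCE metadata server (mode != GKE_METADATA, no Autopilot)."""
import json
from typing import Any, Iterator

# Constructed sample of `terraform show -json tfplan` output (abridged).
# Nested Terraform blocks appear in plan JSON as lists of objects.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {"root_module": {"resources": [
        {"address": "google_container_cluster.allowed1",
         "type": "google_container_cluster", "name": "allowed1",
         "values": {"name": "my-cluster", "enable_autopilot": False,
                    "node_config": [{"machine_type": "e2-medium",
                                     "workload_metadata_config": [{"mode": "GKE_METADATA"}]}],
                    "workload_identity_config": [{"workload_pool": "test-pool.svc.id.goog"}]}},
        {"address": "google_container_cluster.allowed2",
         "type": "google_container_cluster", "name": "allowed2",
         "values": {"name": "my-node-pool", "enable_autopilot": True,
                    "node_config": [], "workload_identity_config": []}},
        {"address": "google_container_cluster.denied",
         "type": "google_container_cluster", "name": "denied",
         "values": {"name": "legacy-cluster", "enable_autopilot": False,
                    "node_config": [{"machine_type": "e2-medium",
                                     "workload_metadata_config": [{"mode": "GCE_METADATA"}]}],
                    "workload_identity_config": []}},
    ]}},
})

CHECKED_TYPES = ("google_container_cluster", "google_container_node_pool")


def _first(block: Any) -> dict:
    """Return the first object of a nested block list, or {} when absent."""
    if isinstance(block, list):
        return block[0] if block else {}
    return block or {}


def _walk(module: dict) -> Iterator[dict]:
    """Yield resources from a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk(child)


def check_plan(plan_json: str) -> list[dict]:
    """Return one finding per resource that leaves the GCE metadata server
    exposed to pods, or that sets GKE_METADATA without a workload pool."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    findings: list[dict] = []
    for res in _walk(root):
        if res.get("type") not in CHECKED_TYPES:
            continue
        values = res.get("values", {})
        if values.get("enable_autopilot"):
            continue  # Autopilot clusters always run with Workload Identity
        node_config = _first(values.get("node_config"))
        mode = _first(node_config.get("workload_metadata_config")).get("mode")
        if mode != "GKE_METADATA":
            findings.append({
                "address": res["address"],
                "issue": "workload_metadata_config.mode is not GKE_METADATA",
                "value": mode,  # None means the attribute is unset in the plan
            })
        if res["type"] == "google_container_cluster":
            pool = _first(values.get("workload_identity_config")).get("workload_pool")
            if not pool:
                findings.append({
                    "address": res["address"],
                    "issue": "workload_identity_config.workload_pool is missing",
                    "value": None,
                })
    return findings


if __name__ == "__main__":
    for f in check_plan(SAMPLE_PLAN):
        print(f"{f['address']}: {f['issue']} (value={f['value']!r})")
```

Run it against a real plan with `terraform plan -out tfplan && terraform show -json tfplan | python check_gke_metadata.py` after swapping `SAMPLE_PLAN` for `sys.stdin.read()`. A `None` value means the attribute is absent from the planned values, which can happen when the provider computes it at apply time; treat that as "verify after apply" rather than as proof of compliance.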