
lacework-global-764

Disable legacy Compute Engine instance metadata APIs (Automated)

Description

Disable the legacy Google Compute Engine (GCE) instance metadata APIs for Google Kubernetes Engine (GKE) nodes. Under some circumstances, these legacy endpoints can be reached from within a pod and used to extract the node's credentials.

Remediation

You must disable the legacy GCE metadata endpoint when the cluster or node pool is created. For GKE versions 1.12 and newer, the legacy GCE metadata endpoint is disabled by default.

Using Google Cloud Console:

To update an existing cluster, create a new Node pool with the legacy GCE metadata endpoint disabled:

  1. Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.
  2. Click the name of the cluster to update and click Add Node Pool.
  3. Navigate to the Metadata pane and set the GCE instance metadata to the key:value pair of disable-legacy-endpoints: true.
  4. Click Save.

You must migrate workloads from existing non-conforming Node pools to the newly created Node pool, then delete the non-conforming pools.

Using Command Line:

To update an existing cluster, create a new Node pool with the legacy GCE metadata endpoint disabled:

gcloud container node-pools create <pool_name> --metadata disable-legacy-endpoints=true --cluster <cluster_name> --zone <compute_zone>

You must migrate workloads from existing non-conforming Node pools to the newly created Node pool, then delete the non-conforming pools.
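To find the non-conforming node pools that must be migrated away from, the per-pool GCE metadata can be read from the JSON that gcloud prints. The script below is an added example, not Lacework's or Google's code: it assumes the input is shaped like the output of `gcloud container node-pools list --cluster <cluster_name> --zone <compute_zone> --format=json`, where each pool carries its instance metadata under `config.metadata` (the field names are taken from the GKE NodePool resource; the sample document itself is constructed). A pool passes only if it explicitly sets `disable-legacy-endpoints` to `true`; a missing key is reported as non-conforming so the audit does not depend on the GKE default, and the remediation command from above is assembled for each failing pool but never executed.

```python
"""Audit GKE node pools for the disable-legacy-endpoints metadata setting.

Added example (not Lacework's or Google's code). Feed it the JSON from
`gcloud container node-pools list --cluster <cluster> --zone <zone> --format=json`;
it lists pools whose GCE instance metadata does not set
disable-legacy-endpoints=true and prints the replacement-pool command.
"""
import json
import shlex

# Constructed sample shaped like `gcloud container node-pools list --format=json`.
# Only the fields this check reads are included.
SAMPLE_NODE_POOLS_JSON = json.dumps([
    {"name": "default-pool", "version": "1.11.10-gke.5",
     "config": {"metadata": {}}},
    {"name": "legacy-explicit", "version": "1.14.10-gke.27",
     "config": {"metadata": {"disable-legacy-endpoints": "false"}}},
    {"name": "hardened-pool", "version": "1.14.10-gke.27",
     "config": {"metadata": {"disable-legacy-endpoints": "true"}}},
])


def legacy_endpoints_disabled(pool):
    """Return True only if the pool's GCE metadata explicitly sets
    disable-legacy-endpoints=true.

    gcloud renders metadata values as strings, so the comparison is
    case-insensitive on the string. A missing key is treated as
    non-conforming: the audit relies on the explicit setting rather than
    on the GKE 1.12+ default.
    """
    metadata = pool.get("config", {}).get("metadata") or {}
    value = metadata.get("disable-legacy-endpoints", "")
    return str(value).strip().lower() == "true"


def non_conforming_pools(node_pools_json):
    """Return the names of node pools that do not disable the legacy endpoints."""
    pools = json.loads(node_pools_json)
    return [pool["name"] for pool in pools if not legacy_endpoints_disabled(pool)]


def remediation_command(pool_name, cluster, zone):
    """Assemble the gcloud command from the Remediation section for a
    replacement pool. Returned as a shell-quoted string for review, not run."""
    argv = ["gcloud", "container", "node-pools", "create", pool_name,
            "--metadata", "disable-legacy-endpoints=true",
            "--cluster", cluster, "--zone", zone]
    return shlex.join(argv)


if __name__ == "__main__":
    for name in non_conforming_pools(SAMPLE_NODE_POOLS_JSON):
        print(f"non-conforming node pool: {name}")
        # <cluster_name> and <compute_zone> are placeholders, as in the text above.
        print("  replace with:",
              remediation_command(name + "-hardened", "<cluster_name>", "<compute_zone>"))
```

Run against the constructed sample it flags `default-pool` (no key set) and `legacy-explicit` (key set to `false`) and leaves `hardened-pool` alone; in practice, pipe the real gcloud output into `non_conforming_pools` and migrate workloads off each pool it names before deleting it.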

References

https://cloud.google.com/kubernetes-engine/docs/how-to/protecting-cluster-metadata#disable-legacy-apis