lacework-global-793

Enable the Google Kubernetes Engine (GKE) Metadata Server (Automated)

Running the GKE Metadata Server prevents workloads from accessing sensitive instance metadata and facilitates Workload Identity.

The GKE Metadata Server requires enablement of Workload Identity on a cluster.

Modify the cluster to enable Workload Identity and enable the GKE Metadata Server.

Using Google Cloud Console:

Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.
From the list of clusters, select the cluster with Workload Identity disabled.
Under the DETAILS pane, navigate down to the Security subsection.
Click the pencil icon named Edit Workload Identity, click Enable Workload Identity in the pop-up window, and select a workload pool from the drop-down box. By default, it is the namespace of the Cloud project containing the cluster, for example: <project_id>.svc.id.goog.
Click Save Changes and wait for the cluster to update.
Once the cluster has updated, select each Node pool within the cluster Details page.
For each Node pool, select Edit within the Node pool details page.
Within the Edit node pool pane, select the Enable GKE Metadata Server checkbox.
Click Save.

Using Command Line:

gcloud container clusters update <cluster_name> --identity-namespace=<project_id>.svc.id.goog

Note that this does not affect existing Node pools. New Node pools default to --workload-metadata-from-node=GKE_METADATA_SERVER.

To modify an existing Node pool to enable GKE Metadata Server:

gcloud container node-pools update <node_pool_name> --cluster=<cluster_name> --workload-metadata-from-node=GKE_METADATA_SERVER

Workloads may need modification in order for them to use Workload Identity as described within: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity.