lacework-global-795

Enable Secure Boot for Shielded Google Kubernetes Engine (GKE) Nodes (Automated)

Description

Enable Secure Boot for Shielded GKE Nodes to verify the digital signature of node boot components.

Remediation

Secure Boot cannot be enabled on a Node pool after it has been provisioned.

You must create new Node pools within the cluster with Secure Boot enabled.

Using Google Cloud Console:

  1. Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.
  2. From the list of clusters, click the cluster requiring the update and click Add Node Pool.
  3. Under the Shielded options heading, select Secure boot.
  4. Click Save.

You must migrate workloads from existing non-conforming Node pools to the newly created Node pool, then delete the non-conforming pools.

Using Command Line:

To create a Node pool within the cluster with Secure Boot enabled, run the following command:

gcloud container node-pools create <node_pool_name> --cluster <cluster_name> --zone <compute_zone> --shielded-secure-boot

You must migrate workloads from existing non-conforming Node pools to the newly created Node pool, then delete the non-conforming pools.
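The check and the migration steps above, worked through as an added shell example (it is not Lacework's or Google's own tooling). It parses the kind of row list that `gcloud container node-pools list --format="csv[no-heading](name,config.shieldedInstanceConfig.enableSecureBoot)"` returns, flags every pool without Secure Boot, and assembles the create / cordon / drain / delete sequence for each one. The cluster, zone and pool names are made up, and the sample output is constructed inline so the script runs without gcloud access; the generated commands assume an authenticated gcloud and kubectl when you actually run them.

```shell
#!/bin/sh
# Added example, not part of the original policy page. The script only parses
# sample output and builds the remediation command list; nothing here touches a
# real cluster until you run the commands it prints.

# Constructed sample of what
#   gcloud container node-pools list --cluster "$CLUSTER" --zone "$ZONE" \
#     --format="csv[no-heading](name,config.shieldedInstanceConfig.enableSecureBoot)"
# returns. Pool names are made up. An empty second field means the pool carries
# no shielded configuration at all, which fails the check just like an explicit False.
SAMPLE_POOLS='default-pool,
legacy-pool,False
hardened-pool,True'

# Read "name,enableSecureBoot" rows on stdin and print the pools that are NOT
# running with Secure Boot. Only an explicit True passes.
non_conforming_pools() {
  awk -F, '$2 != "True" { print $1 }'
}

# Count the conforming pools, for a quick pass/fail summary.
conforming_count() {
  awk -F, '$2 == "True" { n++ } END { print n + 0 }'
}

# Emit the remediation sequence for one non-conforming pool:
#   1. create a replacement pool with Secure Boot enabled (the command from the page),
#   2. cordon and drain the old pool's nodes (GKE labels every node with its pool name),
#   3. delete the old pool once its workloads have moved.
# Arguments: cluster zone old_pool new_pool
remediation_plan() {
  cluster=$1; zone=$2; old=$3; new=$4
  cat <<EOF
gcloud container node-pools create $new --cluster $cluster --zone $zone --shielded-secure-boot
kubectl cordon -l cloud.google.com/gke-nodepool=$old
kubectl drain -l cloud.google.com/gke-nodepool=$old --ignore-daemonsets --delete-emptydir-data
gcloud container node-pools delete $old --cluster $cluster --zone $zone --quiet
EOF
}

# Stand-alone run over the constructed sample: list the offenders and print a
# plan for each. Feed real gcloud output instead of SAMPLE_POOLS to use it on a cluster.
printf '%s\n' "$SAMPLE_POOLS" | non_conforming_pools | while read -r pool; do
  echo "# $pool lacks Secure Boot"
  remediation_plan my-cluster us-central1-a "$pool" "${pool}-secureboot"
done
```

The drain step evicts pods onto the new pool's nodes before the old pool is deleted; review the generated commands (PodDisruptionBudgets and local emptyDir data in particular) rather than piping them straight into a shell.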

References

https://cloud.google.com/kubernetes-engine/docs/how-to/shielded-gke-nodes#secure_boot
https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster