Shielded GKE Nodes provide verifiable integrity via Secure Boot, virtual Trusted Platform Module (vTPM)-enabled Measured Boot, and Integrity Monitoring. Rationale: Shielded GKE Nodes protect clusters against boot- or kernel-level malware or rootkits that persist beyond an infected OS. Shielded GKE Nodes run firmware which is signed and verified using Google's Certificate Authority, ensuring that the nodes' firmware is unmodified and establishing the root of trust for Secure Boot. GKE node identity is strongly protected via the virtual Trusted Platform Module (vTPM) and verified remotely by the master node before the node joins the cluster. Lastly, GKE node integrity (i.e., the boot sequence and kernel) is measured and can be monitored and verified remotely.
Solution
Using Google Cloud Console

To update an existing cluster to use Shielded GKE Nodes:
1. Navigate to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list
2. Select the cluster on which you wish to enable Shielded GKE Nodes and click EDIT.
3. Locate the 'Shielded GKE Nodes' drop-down menu and select 'Enabled'.
4. Click SAVE.

Using Command Line

To migrate an existing cluster, specify the --enable-shielded-nodes flag on a cluster update command:

    gcloud beta container clusters update $CLUSTER_NAME \
      --zone $CLUSTER_ZONE \
      --enable-shielded-nodes

Impact: After you enable Shielded GKE Nodes in a cluster, any nodes created in a node pool without Shielded GKE Nodes enabled, or created outside of any node pool, are not able to join the cluster. Shielded GKE Nodes can only be used with Container-Optimized OS (COS), COS with containerd, and Ubuntu node images.

Default Value: Currently, Shielded GKE Nodes are not enabled by default. If Shielded GKE Nodes are enabled, Integrity Monitoring (through Stackdriver) is enabled by default and Secure Boot is disabled by default.
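An added audit script, not part of the benchmark text, that checks a cluster description for the settings this recommendation and its Default Value note cover: the cluster-level Shielded GKE Nodes flag, per-node-pool Secure Boot and Integrity Monitoring (which stay off unless set), and whether each pool's image type is one that supports Shielded nodes. It assumes the JSON layout printed by `gcloud container clusters describe --format=json` (field names `shieldedNodes.enabled` and `nodePools[].config.shieldedInstanceConfig` from the GKE API); the cluster data embedded below is constructed.

```python
"""Audit a GKE cluster description for the Shielded GKE Nodes setting.

Added example (not the benchmark's own code). It reads the JSON that
`gcloud container clusters describe CLUSTER --zone ZONE --format=json`
prints; field names follow the GKE API (shieldedNodes.enabled,
nodePools[].config.shieldedInstanceConfig). The sample data is constructed.
"""
import json

# Node image types that can run as Shielded GKE Nodes (COS, COS with containerd, Ubuntu).
SHIELDED_OK_IMAGES = {"COS", "COS_CONTAINERD", "UBUNTU", "UBUNTU_CONTAINERD"}


def audit_cluster(cluster: dict) -> list:
    """Return a list of findings; an empty list means the cluster passes."""
    findings = []
    if not cluster.get("shieldedNodes", {}).get("enabled", False):
        findings.append("cluster: Shielded GKE Nodes disabled")
    for pool in cluster.get("nodePools", []):
        cfg = pool.get("config", {})
        image = cfg.get("imageType", "")
        if image.upper() not in SHIELDED_OK_IMAGES:
            findings.append(f"nodepool {pool['name']}: image {image} cannot run as a Shielded node")
        sic = cfg.get("shieldedInstanceConfig", {})
        # Secure Boot stays off by default even after Shielded GKE Nodes is enabled.
        if not sic.get("enableSecureBoot", False):
            findings.append(f"nodepool {pool['name']}: Secure Boot disabled")
        if not sic.get("enableIntegrityMonitoring", False):
            findings.append(f"nodepool {pool['name']}: Integrity Monitoring disabled")
    return findings


def remediation_command(name: str, zone: str) -> str:
    """The cluster update command from the Solution, filled in for one cluster."""
    return f"gcloud beta container clusters update {name} --zone {zone} --enable-shielded-nodes"


# Constructed sample: Shielded GKE Nodes off, one pool without Secure Boot, one Windows pool.
SAMPLE_CLUSTER = json.loads("""{
  "name": "demo-cluster", "zone": "us-central1-a", "shieldedNodes": {},
  "nodePools": [
    {"name": "default-pool", "config": {"imageType": "COS_CONTAINERD",
      "shieldedInstanceConfig": {"enableIntegrityMonitoring": true}}},
    {"name": "legacy-pool", "config": {"imageType": "WINDOWS_LTSC",
      "shieldedInstanceConfig": {"enableSecureBoot": true, "enableIntegrityMonitoring": true}}}
  ]}""")

if __name__ == "__main__":
    for finding in audit_cluster(SAMPLE_CLUSTER):
        print(finding)
    print(remediation_command(SAMPLE_CLUSTER["name"], SAMPLE_CLUSTER["zone"]))
```

Run it against real output by replacing SAMPLE_CLUSTER with `json.load(open("cluster.json"))`; the remediation command only fixes the cluster-level flag, so Secure Boot findings still need the node pools updated separately.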