5.5.5 Ensure Shielded GKE Nodes are Enabled

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Shielded GKE Nodes provides verifiable integrity via secure boot, virtual trusted platform module (vTPM)-enabled measured boot, and integrity monitoring.

Rationale:

Shielded GKE nodes protects clusters against boot- or kernel-level malware or rootkits which persist beyond infected OS.

Shielded GKE nodes run firmware which is signed and verified using Google's Certificate Authority, ensuring that the nodes' firmware is unmodified and establishing the root of trust for Secure Boot. GKE node identity is strongly protected via virtual Trusted Platform Module (vTPM) and verified remotely by the master node before the node joins the cluster. Lastly, GKE node integrity (i.e., boot sequence and kernel) is measured and can be monitored and verified remotely.

Impact:

After Shielded GKE Nodes is enabled in a cluster, any nodes created in a Node pool without Shielded GKE Nodes enabled, or created outside of any Node pool, aren't able to join the cluster.

Shielded GKE Nodes can only be used with Container-Optimized OS (COS), COS with containerd, and Ubuntu node images.

Solution

Note: From version 1.18, clusters will have Shielded GKE nodes enabled by default.
Using Google Cloud Console:
To update an existing cluster to use Shielded GKE nodes:

Navigate to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.

Select the cluster which for which Shielded GKE Nodes is to be enabled.

With in the Details pane, under the Security heading, click on the pencil icon named Edit Shields GKE nodes.

Check the box named Enable Shield GKE nodes.

Click SAVE CHANGES.

Using Command Line:
To migrate an existing cluster, the flag --enable-shielded-nodes needs to be specified in the cluster update command:

gcloud container clusters update <cluster_name> --zone <cluster_zone> --enable-shielded-nodes

Default Value:

Clusters will have Shielded GKE nodes enabled by default, as of version v1.18

See Also

https://workbench.cisecurity.org/benchmarks/13178