GKE Metadata Enabled Check

Overview

The GCP_GKE_METADATA_SERVER_ENABLED monitor verifies whether the Google Kubernetes Engine (GKE) Metadata Server is enabled for your workloads and node pools. Enabling the metadata server improves security because workloads obtain their metadata securely through it instead of directly accessing the node's own metadata server.

Passing Criteria

The monitor is considered passing when both of the following conditions are met:

1. Workload Identity is Enabled

  • The value of entity.metaData.workloadIdentityConfig.workloadPool must be defined (neither null nor undefined).

2. All Node Pools Have Metadata Server Enabled

  • For every node pool in entity.metaData.nodePools, the value of pool.config.workloadMetadataConfig.mode must be either:

    • GKE_METADATA_SERVER, or

    • GKE_METADATA

Summary

  • Workload identity is configured.

  • Every node pool has workloadMetadataConfig.mode set to GKE_METADATA_SERVER or GKE_METADATA.

  • If either condition is not met, isMonitorPassing will be false.
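The two criteria above, evaluated in code. This is an added example, not the monitor's own source: it walks an entity object shaped the way the page describes (entity.metaData.workloadIdentityConfig.workloadPool and entity.metaData.nodePools[].config.workloadMetadataConfig.mode) and returns both the isMonitorPassing flag and the list of reasons a failing cluster needs remediation, which is what a practitioner wants to see when the check goes red. The cluster fixtures are constructed; the project id, pool names and the optional name field on each pool are assumptions, and a missing nodePools array is treated as an empty list.

```javascript
// Added example, not the monitor's own implementation: evaluates the
// GCP_GKE_METADATA_SERVER_ENABLED criteria over an entity shaped like the
// one described on the page. All cluster objects below are constructed.

const ALLOWED_MODES = new Set(['GKE_METADATA_SERVER', 'GKE_METADATA']);

/**
 * Evaluate the monitor against one cluster entity.
 * Returns { isMonitorPassing, failures }, where failures explains each
 * unmet condition. Assumption: a missing nodePools array counts as empty.
 */
function evaluateGkeMetadataMonitor(entity) {
  const failures = [];
  const meta = entity?.metaData ?? {};

  // Criterion 1: Workload Identity is enabled (workloadPool is defined).
  const workloadPool = meta.workloadIdentityConfig?.workloadPool;
  if (workloadPool === null || workloadPool === undefined) {
    failures.push('workloadIdentityConfig.workloadPool is not set');
  }

  // Criterion 2: every node pool routes metadata through the GKE metadata server.
  const nodePools = Array.isArray(meta.nodePools) ? meta.nodePools : [];
  for (const pool of nodePools) {
    const mode = pool?.config?.workloadMetadataConfig?.mode;
    if (!ALLOWED_MODES.has(mode)) {
      const name = pool?.name ?? '<unnamed>'; // name is an assumed field
      failures.push(`node pool ${name} has workloadMetadataConfig.mode=${mode ?? 'unset'}`);
    }
  }

  return { isMonitorPassing: failures.length === 0, failures };
}

// Constructed fixture: both conditions met.
const passingCluster = {
  metaData: {
    workloadIdentityConfig: { workloadPool: 'example-project.svc.id.goog' },
    nodePools: [
      { name: 'default-pool', config: { workloadMetadataConfig: { mode: 'GKE_METADATA' } } },
      { name: 'batch-pool', config: { workloadMetadataConfig: { mode: 'GKE_METADATA_SERVER' } } },
    ],
  },
};

// Constructed fixture: Workload Identity on, but one pool still exposes
// the node's Compute Engine metadata (GCE_METADATA) to its pods.
const legacyModeCluster = {
  metaData: {
    workloadIdentityConfig: { workloadPool: 'example-project.svc.id.goog' },
    nodePools: [
      { name: 'default-pool', config: { workloadMetadataConfig: { mode: 'GKE_METADATA' } } },
      { name: 'legacy-pool', config: { workloadMetadataConfig: { mode: 'GCE_METADATA' } } },
    ],
  },
};

// Constructed fixture: no workload pool and a pool with no metadata config.
const noWorkloadIdentityCluster = {
  metaData: {
    workloadIdentityConfig: {},
    nodePools: [{ name: 'default-pool', config: {} }],
  },
};

for (const [label, entity] of Object.entries({ passingCluster, legacyModeCluster, noWorkloadIdentityCluster })) {
  const result = evaluateGkeMetadataMonitor(entity);
  console.log(label, result.isMonitorPassing ? 'PASS' : 'FAIL', result.failures);
}
```

The check is deliberately strict about absent values: a pool with no workloadMetadataConfig at all fails criterion 2 rather than being skipped, matching the page's rule that every pool must carry one of the two accepted modes. A cluster with Workload Identity enabled and zero node pools passes, since the "every node pool" condition is vacuously true.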

How to Remediate

If the monitor fails, follow these steps:

1. Enable Workload Identity

  1. Go to the Google Cloud Console.

  2. Navigate to Kubernetes Engine > Clusters.

  3. Select the target cluster.

  4. Under Security, locate Workload Identity.

  5. Enable it and specify the workload pool (for example, <PROJECT_ID>.svc.id.goog).

  6. Save the configuration and redeploy the workloads if required.

Reference: Workload Identity overview – Google Cloud

2. Enable Metadata Server for All Node Pools

  1. In the Google Cloud Console, go to Kubernetes Engine > Clusters.

  2. Select the cluster and open the Node pools tab.

  3. For each node pool:

    • Edit the node pool configuration.

    • Under Metadata, set Workload metadata to GKE_METADATA_SERVER (or GKE_METADATA if applicable).

  4. Save changes and allow the node pool to be updated.