# GKE Metadata Enabled Check

### **Overview**

The **GCP\_GKE\_METADATA\_SERVER\_ENABLED** monitor verifies that Workload Identity is enabled on a Google Kubernetes Engine (GKE) cluster and that every node pool runs the GKE metadata server. On a node pool without it, pods reach the Compute Engine metadata server of the node VM directly and can read the node service account's access token, which usually carries far broader IAM permissions than any single workload needs. The GKE metadata server intercepts those requests and instead returns credentials for the IAM identity mapped to the pod's Kubernetes service account, so each workload obtains only the metadata and tokens it is entitled to.

### Passing Criteria

The monitor is considered **passing** when both of the following conditions are met:

#### 1. Workload Identity is Enabled

* The value of `entity.metaData.workloadIdentityConfig.workloadPool` must be defined (non-null and non-undefined).

#### 2. All Node Pools Have Metadata Server Enabled

* For every node pool in `entity.metaData.nodePools`, the value of `pool.config.workloadMetadataConfig.mode` must be either:
  * `GKE_METADATA_SERVER` (the legacy name), or
  * `GKE_METADATA` (the value the current GKE API reports)
* A node pool whose mode is `GCE_METADATA` or `MODE_UNSPECIFIED`, or that has no `workloadMetadataConfig` at all, fails this condition.

#### **Summary**

* **Workload identity** is configured.
* **Every node pool** has `workloadMetadataConfig.mode` set to `GKE_METADATA_SERVER` or `GKE_METADATA`.
* If either condition is not met, `isMonitorPassing` will be **false**.

### **How to Remediate**

If the monitor fails, follow these steps:

#### **1. Enable Workload Identity**

1. Go to the **Google Cloud Console**.
2. Navigate to **Kubernetes Engine** → **Clusters**.
3. Select the target cluster.
4. Under **Security**, locate **Workload Identity**.
5. Enable it and specify the **workload pool** (for example, `<PROJECT_ID>.svc.id.goog`).
6. Save the configuration. Enabling Workload Identity on an existing cluster does not change its existing node pools, so continue with the next step; workloads that should authenticate through Workload Identity also need their Kubernetes service account mapped to an IAM identity and a restart to pick up the new credentials.

**Reference:** [Workload Identity overview – Google Cloud](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity)

#### **2. Enable Metadata Server for All Node Pools**

1. In the Google Cloud Console, go to **Kubernetes Engine** → **Clusters**.
2. Select the cluster and open the **Node pools** tab.
3. For each node pool:
   * Edit the node pool configuration.
   * Under **Metadata**, set **Workload metadata** to the GKE metadata server so that `workloadMetadataConfig.mode` becomes **GKE\_METADATA** (older clusters may report the legacy value **GKE\_METADATA\_SERVER**, which the monitor also accepts).
4. Save changes and wait for the update to finish. GKE recreates the nodes in the pool to apply the new metadata configuration, so schedule this where the rolling disruption is acceptable.
5. Re-check every pool, including those created before Workload Identity was enabled: new node pools default to the GKE metadata server once Workload Identity is on, but pre-existing pools keep their old setting until they are updated.
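To see the passing criteria and the remediation together, here is an added Python example (not Sprinto's monitor code) that applies both passing conditions to a cluster description, names every failing node pool, and prints the `gcloud` commands that would fix it. It assumes the monitored `entity.metaData` mirrors the GKE API `Cluster` resource, which is also the shape that `gcloud container clusters describe CLUSTER --location LOCATION --format=json` returns, so the same function can be pointed at that output. The `--workload-pool` and `--workload-metadata` flags are the documented gcloud flags; the cluster, project and location names in the sample are constructed placeholders.

```python
"""Evaluate the GCP_GKE_METADATA_SERVER_ENABLED rule against a GKE cluster
description and emit the gcloud commands that would bring it into compliance.

Added example, not the monitor's own implementation. It assumes the
monitored entity's metaData mirrors the GKE API Cluster resource (the same
JSON `gcloud container clusters describe --format=json` returns).
"""
import json

# GKE_METADATA is the current API value; GKE_METADATA_SERVER is the legacy name.
PASSING_MODES = {"GKE_METADATA", "GKE_METADATA_SERVER"}


def evaluate(cluster: dict) -> dict:
    """Apply both passing criteria and explain every failure.

    Returns {"passing": bool, "workload_identity": bool,
             "reasons": [str, ...], "pools_to_fix": [pool name, ...]}.
    """
    reasons = []
    pools_to_fix = []

    # Criterion 1: Workload Identity is enabled, i.e. a workload pool is defined.
    workload_pool = (cluster.get("workloadIdentityConfig") or {}).get("workloadPool")
    workload_identity = workload_pool is not None
    if not workload_identity:
        reasons.append("workloadIdentityConfig.workloadPool is not set (Workload Identity disabled)")

    # Criterion 2: every node pool runs the GKE metadata server. A pool with
    # GCE_METADATA, MODE_UNSPECIFIED or no workloadMetadataConfig at all fails,
    # because pods on such nodes can read the node service account's token.
    for pool in cluster.get("nodePools", []):
        name = pool.get("name", "<unnamed>")
        mode = ((pool.get("config") or {}).get("workloadMetadataConfig") or {}).get("mode")
        if mode not in PASSING_MODES:
            reasons.append(f"node pool {name!r} has workloadMetadataConfig.mode={mode!r}")
            pools_to_fix.append(name)

    return {
        "passing": not reasons,
        "workload_identity": workload_identity,
        "reasons": reasons,
        "pools_to_fix": pools_to_fix,
    }


def remediation_commands(cluster: dict, project_id: str, location: str) -> list:
    """Return the gcloud commands that fix each failing condition.

    project_id and location are caller-supplied placeholders; the cluster
    update comes first because node pools need Workload Identity to exist.
    """
    verdict = evaluate(cluster)
    name = cluster["name"]
    cmds = []
    if not verdict["workload_identity"]:
        cmds.append(
            f"gcloud container clusters update {name} --location={location} "
            f"--workload-pool={project_id}.svc.id.goog"
        )
    for pool in verdict["pools_to_fix"]:
        # Changing the workload metadata mode recreates the pool's nodes.
        cmds.append(
            f"gcloud container node-pools update {pool} --cluster={name} "
            f"--location={location} --workload-metadata=GKE_METADATA"
        )
    return cmds


# Constructed sample (not real cluster data): Workload Identity is on, but one
# pool still exposes the Compute Engine metadata server and one has no
# workloadMetadataConfig at all, so the monitor must fail on both.
SAMPLE_CLUSTER = json.loads("""
{
  "name": "prod-cluster",
  "workloadIdentityConfig": {"workloadPool": "example-project.svc.id.goog"},
  "nodePools": [
    {"name": "default-pool", "config": {"workloadMetadataConfig": {"mode": "GKE_METADATA"}}},
    {"name": "legacy-pool",  "config": {"workloadMetadataConfig": {"mode": "GCE_METADATA"}}},
    {"name": "batch-pool",   "config": {}}
  ]
}
""")

if __name__ == "__main__":
    verdict = evaluate(SAMPLE_CLUSTER)
    print("isMonitorPassing:", verdict["passing"])
    for reason in verdict["reasons"]:
        print("  -", reason)
    for cmd in remediation_commands(SAMPLE_CLUSTER, "example-project", "us-central1"):
        print(cmd)
```

To run it against a live cluster, load the output of `gcloud container clusters describe CLUSTER --location LOCATION --format=json` with `json.load` and pass the resulting dict to `evaluate`; for the monitored entity, pass `entity["metaData"]`.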


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.sprinto.com/monitors/cloud-and-infrastructure-monitoring/gcp/gke-metadata-enabled-check.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
