# GKE Metadata Enabled Check

### **Overview**

The **`GCP_GKE_METADATA_SERVER_ENABLED`** monitor verifies whether the Google Kubernetes Engine (GKE) Metadata Server is enabled for your workloads and node pools. The GKE metadata server runs on each node and intercepts metadata requests from Pods, so workloads obtain Workload Identity credentials and instance metadata from it instead of reaching the node's underlying Compute Engine metadata endpoint, which would otherwise expose the node service account's token and other node-level metadata to every Pod.

### Passing Criteria

The monitor is considered **passing** when both of the following conditions are met:

#### 1. Workload Identity is Enabled

* The value of `entity.metaData.workloadIdentityConfig.workloadPool` must be defined (neither null nor undefined).

#### 2. All Node Pools Have Metadata Server Enabled

* For every node pool in `entity.metaData.nodePools`, the value of `pool.config.workloadMetadataConfig.mode` must be either:
  * `GKE_METADATA_SERVER`, or
  * `GKE_METADATA`

#### **Summary**

* **Workload identity** is configured.
* **Every node pool** has `workloadMetadataConfig.mode` set to `GKE_METADATA_SERVER` or `GKE_METADATA`.
* If either condition is not met, `isMonitorPassing` will be **false**.
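
The two conditions above, evaluated in code as an added example (not the monitor's own implementation); the field names follow the entity shape described on this page, and the sample entities, pool names and project ID are constructed:

```javascript
// Modes the page accepts for pool.config.workloadMetadataConfig.mode.
const ALLOWED_MODES = new Set(["GKE_METADATA_SERVER", "GKE_METADATA"]);

// Returns { passing, reasons } so a failing result names the condition
// that failed and the node pools that still need remediation.
function evaluateGkeMetadataServer(entity) {
  const reasons = [];
  const meta = entity?.metaData ?? {};

  // Condition 1: the Workload Identity pool must be neither null nor undefined.
  const pool = meta.workloadIdentityConfig?.workloadPool;
  if (pool === null || pool === undefined) {
    reasons.push("workloadIdentityConfig.workloadPool is not set");
  }

  // Condition 2: every node pool must use the GKE metadata server.
  // An unset mode is not one of the two accepted values, so it fails too.
  for (const np of meta.nodePools ?? []) {
    const mode = np?.config?.workloadMetadataConfig?.mode;
    if (!ALLOWED_MODES.has(mode)) {
      reasons.push(`node pool ${np?.name ?? "<unnamed>"} has mode ${mode ?? "unset"}`);
    }
  }
  return { passing: reasons.length === 0, reasons };
}

function isMonitorPassing(entity) {
  return evaluateGkeMetadataServer(entity).passing;
}

// Constructed sample entities (hypothetical clusters, not real API output).
const compliantCluster = {
  metaData: {
    workloadIdentityConfig: { workloadPool: "example-project.svc.id.goog" },
    nodePools: [
      { name: "default-pool", config: { workloadMetadataConfig: { mode: "GKE_METADATA" } } },
      { name: "gpu-pool", config: { workloadMetadataConfig: { mode: "GKE_METADATA_SERVER" } } },
    ],
  },
};

// One pool still exposes Compute Engine metadata, so the monitor fails.
const legacyPoolCluster = {
  metaData: {
    workloadIdentityConfig: { workloadPool: "example-project.svc.id.goog" },
    nodePools: [
      { name: "default-pool", config: { workloadMetadataConfig: { mode: "GKE_METADATA" } } },
      { name: "legacy-pool", config: { workloadMetadataConfig: { mode: "GCE_METADATA" } } },
    ],
  },
};

// Workload Identity never enabled: fails on condition 1 even with no pools.
const noWorkloadIdentity = { metaData: { workloadIdentityConfig: {}, nodePools: [] } };
```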

### **How to Remediate**

If the monitor fails, follow these steps:

#### **1. Enable Workload Identity**

1. Go to the **Google Cloud Console**.
2. Navigate to **Kubernetes Engine** → **Clusters**.
3. Select the target cluster.
4. Under **Security**, locate **Workload Identity**.
5. Enable it and specify the **workload pool** (for example, `<PROJECT_ID>.svc.id.goog`).
6. Save the configuration and redeploy the workloads if required.

**Reference:** [Workload Identity overview – Google Cloud](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity)

#### **2. Enable Metadata Server for All Node Pools**

1. In the Google Cloud Console, go to **Kubernetes Engine** → **Clusters**.
2. Select the cluster and open the **Node pools** tab.
3. For each node pool:
   * Edit the node pool configuration.
   * Under **Metadata**, set **Workload metadata** to **GKE\_METADATA\_SERVER** (or **GKE\_METADATA** if applicable).
4. Save changes and allow the node pool to be updated.
