
gcp-k8s-legacy-instance-metadata-on

Ensure legacy Compute Engine instance metadata APIs are disabled

Older versions of Kubernetes (before 1.12) exposed an insecure instance metadata API, which is now deprecated and has been replaced by the Workload Metadata Server.

Examples

Insecure Example

resource "google_container_cluster" "k8s-cluster" {
  name     = "my-gke"
  location = "us-central1"

  initial_node_count = 1

  network    = google_compute_network.vpc.name
  subnetwork = google_compute_subnetwork.subnet.name

  min_master_version = 1.11 # Masters older than 1.12 still serve the deprecated legacy instance metadata API
  node_config {
      metadata {
          "disable-legacy-endpoints" = false # Explicitly keeps the legacy metadata endpoints enabled on the nodes; this is the insecure setting
      }
  }
}

Secure Example

resource "google_container_cluster" "k8s-cluster" {
  name     = "my-gke"
  location = "us-central1"

  initial_node_count = 1

  network    = google_compute_network.vpc.name
  subnetwork = google_compute_subnetwork.subnet.name

  min_master_version = 1.12 # A minimum master version of 1.12 or above guarantees that the legacy instance metadata APIs are disabled
  node_config {
      metadata {
          "disable-legacy-endpoints" = true # Can be omitted when the master is >= 1.12, since the value then defaults to true (legacy endpoints disabled); setting it explicitly keeps the configuration independent of that default
      }
  }
}

More information