gcp-k8s-legacy-instance-metadata-on
Ensure legacy Compute Engine instance metadata APIs are disabled
GKE clusters running Kubernetes versions before 1.12 exposed the legacy Compute Engine instance metadata API endpoints, which are insecure, now deprecated, and replaced by the Workload Metadata Server. Pinning `min_master_version` to 1.12 or later, or explicitly setting `disable-legacy-endpoints` to `true` in the node metadata, ensures the legacy endpoints are disabled.
Examples
Insecure Example
    resource "google_container_cluster" "k8s-cluster" {
      name               = "my-gke"
      location           = "us-central1"
      initial_node_count = 1
      network            = google_compute_network.vpc.name
      subnetwork         = google_compute_subnetwork.subnet.name
      min_master_version = "1.11"   # string attribute; a version before 1.12
      node_config {
        metadata = {                # metadata is a map of string values, not a nested block
          "disable-legacy-endpoints" = "false"
        }
      }
    }
Secure Example
    resource "google_container_cluster" "k8s-cluster" {
      name               = "my-gke"
      location           = "us-central1"
      initial_node_count = 1
      network            = google_compute_network.vpc.name
      subnetwork         = google_compute_subnetwork.subnet.name
      min_master_version = "1.12"   # A minimum master version of 1.12 or above guarantees that the legacy Instance Metadata APIs are disabled
      node_config {
        metadata = {
          "disable-legacy-endpoints" = "true"   # Can be omitted as long as the master is >= 1.12, since it then defaults to true
        }
      }
    }
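As an added example, not part of this rule's documentation or of any scanner's own code, the following Python script performs the check this page describes over a constructed HCL sample: it flags a `google_container_cluster` when `disable-legacy-endpoints` is explicitly `"false"`, or when `min_master_version` predates 1.12 and the key is not set at all. The regex-based extraction and all names are assumptions of this example; a production policy engine would use a real HCL parser.

```python
import re

MIN_SAFE_MASTER = (1, 12)  # legacy endpoints are off by default from GKE 1.12
RESOURCE_RE = re.compile(r'resource\s+"google_container_cluster"\s+"([^"]+)"\s*\{')
VERSION_RE = re.compile(r'min_master_version\s*=\s*"?(\d+)\.(\d+)')
LEGACY_RE = re.compile(r'"?disable-legacy-endpoints"?\s*=\s*"?(true|false)"?')

# Constructed sample input: the two examples above plus an older cluster that relies on the pre-1.12 default.
SAMPLE_HCL = '''
resource "google_container_cluster" "insecure" {
  min_master_version = "1.11"
  node_config {
    metadata = { "disable-legacy-endpoints" = "false" }
  }
}
resource "google_container_cluster" "secure" {
  min_master_version = "1.12"
  node_config {
    metadata = { "disable-legacy-endpoints" = "true" }
  }
}
resource "google_container_cluster" "old_default" {
  min_master_version = "1.10"
}
'''

def _block_body(text, open_brace):
    """Return the text between the brace at open_brace and its matching close."""
    depth = 0
    for i in range(open_brace, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in HCL input")

def check_clusters(hcl):
    """Map each google_container_cluster name to its findings (empty list = compliant)."""
    results = {}
    for m in RESOURCE_RE.finditer(hcl):
        body = _block_body(hcl, m.end() - 1)  # the match ends on the opening brace
        v = VERSION_RE.search(body)
        old_master = bool(v) and (int(v.group(1)), int(v.group(2))) < MIN_SAFE_MASTER
        explicit = f.group(1) if (f := LEGACY_RE.search(body)) else None
        findings = []
        if explicit == "false":
            findings.append("disable-legacy-endpoints explicitly set to false")
        elif explicit is None and old_master:
            findings.append("master version predates 1.12 and legacy endpoints not disabled")
        results[m.group(1)] = findings
    return results
```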