gcp-k8s-metadata-server-off
Ensure the GKE Metadata Server is Enabled
Workload Identity is the modern way to provision service account credentials to your Pods. Enabling it is highly recommended, since it rotates the associated cryptographic keys automatically.
Examples
Insecure Example

```hcl
resource "google_container_cluster" "k8s-cluster" {
  name               = "my-gke"
  location           = "us-central1"
  initial_node_count = 1
  network            = google_compute_network.vpc.name
  subnetwork         = google_compute_subnetwork.subnet.name
  # Missing declaration of workload_metadata_config: without it the nodes
  # keep the default metadata behaviour instead of the GKE Metadata Server.
}
```
Secure Example

```hcl
resource "google_container_cluster" "k8s-cluster" {
  name               = "my-gke"
  location           = "us-central1"
  initial_node_count = 1
  network            = google_compute_network.vpc.name
  subnetwork         = google_compute_subnetwork.subnet.name
  node_config {
    # Route Pod metadata requests through the GKE Metadata Server.
    # Recent versions of the google provider replaced `node_metadata`
    # with `mode = "GKE_METADATA"` for the same effect.
    workload_metadata_config {
      node_metadata = "SECURE"
    }
  }
}
```
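The following script is an added example, not code from the page or from any scanner: a small static check that walks the `google_container_cluster` resources in a Terraform file and reports whether `node_config.workload_metadata_config` selects the GKE Metadata Server. It understands only the HCL subset used in the two examples above (nested blocks and simple `key = value` lines), and the accepted values are the page's `node_metadata = "SECURE"`, the provider's other legacy value `GKE_METADATA_SERVER`, and `mode = "GKE_METADATA"` on recent provider versions. The three sample configurations embedded in it are constructed for the demonstration.

```python
import re

# `block_type "label" "label" {`  ->  group(1) = type, group(2) = quoted labels
BLOCK_OPEN = re.compile(r'^([A-Za-z_][\w-]*)((?:\s+"[^"]*")*)\s*\{$')
# `key = "value"` or `key = bare.reference`
ATTR = re.compile(r'^([A-Za-z_][\w-]*)\s*=\s*"?([^"\s]+)"?$')

# Values the google provider accepts for "use the GKE metadata server":
# legacy `node_metadata` (SECURE is what the page uses) and `mode` on 4.x+.
SECURE_VALUES = {
    "node_metadata": {"SECURE", "GKE_METADATA_SERVER"},
    "mode": {"GKE_METADATA"},
}


def parse_hcl(text):
    """Build a tree of {type, labels, attrs, children} dicts from simple HCL."""
    root = {"type": "root", "labels": [], "attrs": {}, "children": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line == "}":
            stack.pop()  # close the innermost open block
            continue
        m = BLOCK_OPEN.match(line)
        if m:
            block = {"type": m.group(1),
                     "labels": re.findall(r'"([^"]*)"', m.group(2)),
                     "attrs": {}, "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
            continue
        m = ATTR.match(line)
        if m:
            stack[-1]["attrs"][m.group(1)] = m.group(2)
    return root


def child_blocks(block, block_type):
    return [c for c in block["children"] if c["type"] == block_type]


def metadata_server_enabled(cluster):
    """True when a node_config.workload_metadata_config picks the GKE server."""
    for node_config in child_blocks(cluster, "node_config"):
        for wmc in child_blocks(node_config, "workload_metadata_config"):
            for key, accepted in SECURE_VALUES.items():
                if wmc["attrs"].get(key) in accepted:
                    return True
    return False


def check(text):
    """Map each google_container_cluster resource name to True (pass)/False (fail)."""
    results = {}
    for res in child_blocks(parse_hcl(text), "resource"):
        if res["labels"][:1] != ["google_container_cluster"]:
            continue
        name = res["labels"][1] if len(res["labels"]) > 1 else "<unnamed>"
        results[name] = metadata_server_enabled(res)
    return results


# Constructed samples: the page's two shapes plus the newer `mode` form.
INSECURE = """
resource "google_container_cluster" "k8s-cluster" {
  name               = "my-gke"
  initial_node_count = 1
  # Missing declaration of workload_metadata_config
}
"""

SECURE = """
resource "google_container_cluster" "k8s-cluster" {
  name = "my-gke"
  node_config {
    workload_metadata_config {
      node_metadata = "SECURE"
    }
  }
}
"""

SECURE_MODE = """
resource "google_container_cluster" "gke-v4" {
  name = "my-gke"
  node_config {
    workload_metadata_config {
      mode = "GKE_METADATA"
    }
  }
}
"""

if __name__ == "__main__":
    for label, src in (("insecure", INSECURE), ("secure", SECURE), ("mode", SECURE_MODE)):
        for name, ok in check(src).items():
            print(f"{label}: {name}: {'PASS' if ok else 'FAIL'}")
```

The check only inspects `node_config` on the cluster resource itself, matching the scope of the examples above; node pools declared as separate `google_container_node_pool` resources would need the same lookup applied to their own `node_config` blocks.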