gcp-k8s-metadata-server-off

Ensure the GKE Metadata Server is Enabled

Workload Identity is the recommended way to give Pods Google Cloud credentials. When it is enabled, the GKE metadata server running on each node answers a Pod's metadata requests with short-lived tokens for the IAM service account bound to that Pod's Kubernetes service account, so workloads need neither exported service-account keys nor the node's own credentials, and token issuance and rotation are handled by Google. Without it, any Pod can read the node service account's token from the Compute Engine metadata endpoint and act with the node's permissions.

Examples

Insecure Example

resource "google_container_cluster" "k8s-cluster" {
  name     = "my-gke"
  location = "us-central1"

  initial_node_count = 1

  network    = google_compute_network.vpc.name
  subnetwork = google_compute_subnetwork.subnet.name

  # Missing declaration of workload_metadata_config
}

Secure Example

resource "google_container_cluster" "k8s-cluster" {
  name     = "my-gke"
  location = "us-central1"

  initial_node_count = 1

  network    = google_compute_network.vpc.name
  subnetwork = google_compute_subnetwork.subnet.name

  # Workload Identity must be enabled at the cluster level for the
  # GKE metadata server to be used on the nodes.
  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }

  node_config {
    workload_metadata_config {
      # GKE_METADATA_SERVER runs the GKE metadata server on the node.
      # "SECURE" only enables legacy metadata concealment: it hides node
      # credentials from Pods but does not provide Workload Identity.
      # google provider 4.x and later replace node_metadata with
      # mode = "GKE_METADATA".
      node_metadata = "GKE_METADATA_SERVER"
    }
  }
}
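The following is an added example, not code from the original page or from the tool it documents. It shows the complete Workload Identity setup using google provider 4.x syntax (`mode = "GKE_METADATA"` instead of the removed `node_metadata`): the cluster-level workload pool, the per-node GKE metadata server, and the IAM binding that lets a Kubernetes service account impersonate an IAM service account. The project ID variable, the service account name `app-workload` and the Kubernetes service account `default/app` are assumptions for illustration.

```hcl
# Added example (not from the original page). Assumes a project ID is passed
# in and that the VPC and subnet resources referenced below exist.
variable "project_id" {
  type = string
}

resource "google_container_cluster" "k8s-cluster" {
  name     = "my-gke"
  location = "us-central1"
  project  = var.project_id

  initial_node_count = 1

  network    = google_compute_network.vpc.name
  subnetwork = google_compute_subnetwork.subnet.name

  # Enables Workload Identity for the cluster. The pool name is fixed by GKE
  # to PROJECT_ID.svc.id.goog.
  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }

  node_config {
    # Run the GKE metadata server on every node. Pods receive short-lived
    # tokens for the IAM service account mapped to their Kubernetes service
    # account and cannot read the node's own service-account credentials.
    workload_metadata_config {
      mode = "GKE_METADATA"
    }
  }
}

# IAM service account the workload will act as (name is an assumption).
resource "google_service_account" "app" {
  project    = var.project_id
  account_id = "app-workload"
}

# Allow the Kubernetes service account default/app (assumed name) to
# impersonate the IAM service account through Workload Identity.
resource "google_service_account_iam_member" "app_workload_identity" {
  service_account_id = google_service_account.app.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[default/app]"
}
```

The Kubernetes side still needs the `iam.gke.io/gcp-service-account` annotation on the `app` service account, set to the IAM service account's email, before Pods using it receive the mapped identity. After applying, `gcloud container clusters describe my-gke --region us-central1 --format='value(workloadIdentityConfig.workloadPool)'` should print the workload pool; an empty result means Workload Identity is still off.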

More information