Profile applicability: Level 1
Shielded GKE Nodes provide verifiable integrity via Secure Boot, virtual Trusted
Platform Module (vTPM)-enabled Measured Boot, and integrity monitoring.
Shielded GKE Nodes protect clusters against boot- or kernel-level malware or rootkits
that persist beyond an infected OS. Shielded GKE Nodes run firmware that is signed
and verified using Google's Certificate Authority, ensuring that the nodes' firmware
is unmodified and establishing the root of trust for Secure Boot.
GKE node identity is strongly protected via the virtual Trusted Platform Module (vTPM)
and verified remotely by the master node before the node joins the cluster. Lastly,
GKE node integrity (i.e., the boot sequence and kernel) is measured and can be monitored
and verified remotely.
Note: Clusters will have Shielded GKE nodes enabled by default, as of version v1.18.
Impact
After Shielded GKE Nodes is enabled in a cluster, any nodes created in a Node pool
without Shielded GKE Nodes enabled, or created outside of any Node pool, aren't able
to join the cluster. Shielded GKE Nodes can only be used with Container-Optimized
OS (COS), COS with containerd, and Ubuntu node images.
Audit
Using Google Cloud Console:
- Go to Kubernetes Engine by visiting: Google Cloud Console Kubernetes Engine page.
- Select the cluster under test from the list of clusters, and ensure that Shielded GKE Nodes are 'Enabled' under the Details pane.
Using Command Line:
To check for Shielded GKE Nodes within a cluster, first define 3 variables for Cluster
Name, Location and Project and then run the following command:
gcloud container clusters describe $CLUSTER_NAME --location $LOCATION --project $PROJECT_ID --format json | jq '.shieldedNodes'
This will return the following if Shielded GKE Nodes are enabled:
{ "enabled": true }
Remediation
Note: From version 1.18, clusters will have Shielded GKE nodes enabled by default.
Using Google Cloud Console:
To update an existing cluster to use Shielded GKE nodes:
- Navigate to Kubernetes Engine by visiting: Google Cloud Console Kubernetes Engine page.
- Select the cluster for which Shielded GKE Nodes is to be enabled.
- Within the Details pane, under the Security heading, click on the pencil icon named Edit Shielded GKE nodes.
- Check the box named Enable Shielded GKE nodes.
- Click SAVE CHANGES.
Using Command Line:
To migrate an existing cluster, the flag --enable-shielded-nodes needs to be specified
in the cluster update command:
gcloud container clusters update <cluster_name> --location <location> --enable-shielded-nodes
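The audit and remediation steps above can be combined into a single check over every cluster in a project. The following script is an added example, not part of the benchmark or of Google's tooling; it parses the JSON that `gcloud container clusters list --format json` returns (a constructed sample is embedded so it runs offline), treats a missing `shieldedNodes` field the same way `jq '.shieldedNodes'` does (null, i.e. not enabled), and prints the update command from the Remediation section for each non-compliant cluster. The project id `example-project` is a placeholder.

```python
import json
from typing import Dict, List

# Constructed sample of `gcloud container clusters list --format json` output.
# Assumption: each cluster object carries `name`, `location` and, when it has ever
# been set, `shieldedNodes`. The third entry has no field at all, which is what a
# cluster created before 1.18 and never updated looks like.
SAMPLE_CLUSTERS_JSON = json.dumps([
    {"name": "prod-a", "location": "us-central1", "shieldedNodes": {"enabled": True}},
    {"name": "legacy-b", "location": "europe-west1-b", "shieldedNodes": {"enabled": False}},
    {"name": "old-c", "location": "asia-east1"},
])


def shielded_nodes_enabled(cluster: Dict) -> bool:
    """Mirror the benchmark's `jq '.shieldedNodes'` check.

    Only `{"enabled": true}` passes; an absent key (jq prints null) or
    `{"enabled": false}` is a finding.
    """
    cfg = cluster.get("shieldedNodes")
    return isinstance(cfg, dict) and cfg.get("enabled") is True


def audit(clusters_json: str, project_id: str) -> List[Dict]:
    """Return one finding per non-compliant cluster, with the remediation command."""
    findings = []
    for cluster in json.loads(clusters_json):
        if shielded_nodes_enabled(cluster):
            continue
        findings.append({
            "cluster": cluster["name"],
            "location": cluster["location"],
            "shieldedNodes": cluster.get("shieldedNodes"),  # None when the field is absent
            "remediation": (
                f"gcloud container clusters update {cluster['name']} "
                f"--location {cluster['location']} --project {project_id} "
                "--enable-shielded-nodes"
            ),
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CLUSTERS_JSON, "example-project"):
        print(f"{finding['cluster']} ({finding['location']}): "
              f"shieldedNodes={finding['shieldedNodes']}")
        print(f"  fix: {finding['remediation']}")
```

Replace the embedded sample with the real `gcloud container clusters list --format json` output for a project to run the check live; remember that nodes in pools without Shielded GKE Nodes will not be able to join once the cluster-level flag is enabled.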
