Shielded Nodes Should Be Used For Kubernetes Cluster

More Info:

Ensure that shielded nodes are used in node pools

Risk Level

Medium

Address

Security, Reliability, Operational Excellence

Compliance Standards

CISGKE

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of using shielded nodes for a Kubernetes cluster on GCP using GCP CLI, you can follow the below steps:

First, you need to check if the Kubernetes cluster is using shielded nodes or not. To check this, run the following command:

gcloud container clusters describe [CLUSTER-NAME] --zone [ZONE] | grep -i shielded

If the output of the above command shows that shielded nodes are not enabled, then you can enable it by running the following command:

gcloud beta container clusters update [CLUSTER-NAME] --zone [ZONE] --update-shielded-nodes

If the output of the above command shows an error message saying that the beta component is not enabled, then you need to enable it by running the following command:

gcloud components install beta

Once the beta component is installed, you can run the previous command again to enable the shielded nodes.
After enabling the shielded nodes, you can verify it by running the first command again. The output should show that shielded nodes are enabled for the Kubernetes cluster.

By following the above steps, you can remediate the misconfiguration of not using shielded nodes for a Kubernetes cluster on GCP using GCP CLI.

Using Python

To remediate the misconfiguration of not using shielded nodes for a Kubernetes cluster in GCP using Python, follow these steps:

Install the Google Cloud SDK and Python client library using the following commands:

curl https://sdk.cloud.google.com | bash
exec -l $SHELL
gcloud init
pip install google-cloud

Create a new GCP project or select an existing project to work with.
Enable the necessary APIs for the project using the following command:

gcloud services enable container.googleapis.com

Authenticate the SDK using the following command:

gcloud auth login

Create a new Kubernetes cluster using the following command:

gcloud container clusters create [CLUSTER_NAME] --shielded-secure-boot --shielded-integrity-monitoring

Verify that the shielded nodes are enabled for the cluster using the following command:

gcloud container clusters describe [CLUSTER_NAME] --format='get(shieldedNodes.enabled)'

This command should return “True” indicating that the shielded nodes are enabled for the cluster.

If you have an existing cluster, you can update the cluster to enable shielded nodes using the following command:

gcloud container clusters update [CLUSTER_NAME] --shielded-secure-boot --shielded-integrity-monitoring

This command will update the existing cluster to enable shielded nodes.By following these steps, the misconfiguration of not using shielded nodes for a Kubernetes cluster in GCP can be remediated using Python.

Additional Reading:

https://cloud.google.com/kubernetes-engine/docs/how-to/shielded-gke-nodes

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Shielded Nodes Should Be Used For Kubernetes Cluster

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: