GCP GKE Legacy Metadata Endpoint Enabled (CKV_GCP_67)

High Risk · Infrastructure Security
Tags: gcp, gke, kubernetes, metadata-endpoint, ssrf, credential-exposure, workload-identity, terraform, checkov, ckv-gcp-67

What it is

A critical security vulnerability where Google Kubernetes Engine (GKE) nodes are configured with the legacy metadata endpoint enabled without proper access controls. This exposes sensitive instance metadata including service account credentials, node information, and potentially cluster secrets to any process running in pods. The legacy endpoint lacks authentication and authorization controls, allowing SSRF attacks and credential theft from compromised or malicious pods.
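As an added verification check (not part of the original page), the following Python script, run from inside a pod on the node pool in question, requests a non-secret value (the instance zone) over both the legacy v1beta1 path and the current v1 path of the metadata server and reports whether the legacy endpoint is still answering. The host name metadata.google.internal and the Metadata-Flavor header are Google's documented interface; the `fetch` parameter is an assumption of this example so the decision logic can be exercised offline with a constructed stub.

```python
import urllib.error
import urllib.request

METADATA_HOST = "http://metadata.google.internal"
# A non-secret path is enough to tell whether an endpoint answers at all.
PROBE_PATH = "/instance/zone"


def http_get(url, headers):
    """Real fetch: return the HTTP status code, or None if unreachable."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=3) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code          # e.g. 403 when the endpoint is disabled
    except (urllib.error.URLError, OSError):
        return None            # not on GCP, or metadata server unreachable


def probe_metadata(fetch=http_get):
    """Probe the legacy v1beta1 path (no header) and v1 (with Metadata-Flavor).

    `fetch(url, headers) -> status` is injectable (assumed interface for this
    example) so the verdict logic can be tested without network access.
    """
    legacy = fetch(f"{METADATA_HOST}/computeMetadata/v1beta1{PROBE_PATH}", {})
    current = fetch(f"{METADATA_HOST}/computeMetadata/v1{PROBE_PATH}",
                    {"Metadata-Flavor": "Google"})
    return {
        "legacy_status": legacy,
        "v1_status": current,
        # Anything other than a 200 means the legacy path no longer serves data.
        "legacy_blocked": legacy != 200,
    }


def verdict(result):
    """Human-readable outcome of one probe result."""
    if result["legacy_status"] == 200:
        return "FAIL: legacy v1beta1 endpoint answers without authentication"
    if result["v1_status"] == 200:
        return "PASS: legacy endpoint blocked; v1 with Metadata-Flavor still works"
    return "INCONCLUSIVE: metadata server unreachable from this pod"


if __name__ == "__main__":
    print(verdict(probe_metadata()))
```

Run it as a one-off `kubectl exec` in a pod on each node pool after applying the fix; a FAIL on any pool means that pool still has the legacy endpoint reachable and needs the `disable-legacy-endpoints` setting (or GKE_METADATA mode) rolled out.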

# VULNERABLE: GKE cluster with legacy metadata endpoint (CKV_GCP_67 violation)
resource "google_container_cluster" "production_cluster" {
  name               = "production-gke-cluster"
  location           = "us-central1"
  initial_node_count = 1
  
  # Remove default node pool
  remove_default_node_pool = true
  
  network    = google_compute_network.vpc.name
  subnetwork = google_compute_subnetwork.subnet.name
  
  # MISSING: workload_identity_config for secure pod authentication
  
  master_auth {
    client_certificate_config {
      issue_client_certificate = false
    }
  }
}

resource "google_container_node_pool" "production_nodes" {
  name       = "production-node-pool"
  cluster    = google_container_cluster.production_cluster.name
  location   = google_container_cluster.production_cluster.location
  node_count = 3
  
  node_config {
    machine_type = "e2-medium"
    disk_size_gb = 100
    disk_type    = "pd-standard"
    
    # SECURITY ISSUE: Legacy metadata endpoint enabled by default
    # No disable-legacy-endpoints metadata setting
    # No workload_metadata_config configured
    
    service_account = google_service_account.gke_nodes.email
    oauth_scopes = [
      "https://www.googleapis.com/auth/cloud-platform"
    ]
    
    tags = ["gke-node", "production"]
  }
}

# SECURE: GKE cluster with metadata endpoint protection (CKV_GCP_67 compliant)
resource "google_container_cluster" "production_cluster" {
  name               = "production-gke-cluster"
  location           = "us-central1"
  initial_node_count = 1
  
  remove_default_node_pool = true
  
  network    = google_compute_network.vpc.name
  subnetwork = google_compute_subnetwork.subnet.name
  
  # SECURE: Enable Workload Identity on the cluster; GKE_METADATA mode on the
  # node pools requires it. The workload pool is always "<project-id>.svc.id.goog";
  # var.project_id is assumed to be declared elsewhere in the configuration.
  workload_identity_config {
    workload_pool = "${var.project_id}.svc.id.goog"
  }
  
  master_auth {
    client_certificate_config {
      issue_client_certificate = false
    }
  }
}

resource "google_container_node_pool" "production_nodes" {
  name       = "production-node-pool"
  cluster    = google_container_cluster.production_cluster.name
  location   = google_container_cluster.production_cluster.location
  node_count = 3
  
  node_config {
    machine_type = "e2-medium"
    disk_size_gb = 100
    disk_type    = "pd-standard"
    
    # SECURE: Disable legacy metadata endpoint
    metadata = {
      disable-legacy-endpoints = "true"
    }
    
    # SECURE: Enable authenticated metadata access
    workload_metadata_config {
      mode = "GKE_METADATA"
    }
    
    service_account = google_service_account.gke_nodes.email
    oauth_scopes = [
      "https://www.googleapis.com/auth/cloud-platform"
    ]
    
    tags = ["gke-node", "production"]
  }
}

💡 Why This Fix Works

The vulnerable example leaves the node pool on GKE's default metadata settings, so the legacy metadata endpoint stays reachable from pods, violating CKV_GCP_67 and exposing sensitive metadata. The secure implementation sets disable-legacy-endpoints = "true" in node_config.metadata so the legacy endpoint no longer serves requests, switches workload_metadata_config to GKE_METADATA mode so pods reach instance metadata only through the GKE metadata server, and enables Workload Identity so pods authenticate as their own bound Google service accounts rather than with the node's credentials.

Why it happens

GKE node pools created with default or older settings keep the legacy metadata endpoint reachable for backward compatibility, teams have not migrated pod authentication to Workload Identity, and Infrastructure as Code templates omit the disable-legacy-endpoints and workload_metadata_config settings. The result is unauthenticated access to sensitive metadata from any pod on the node.

Root causes

Default GKE Node Configuration

GKE node pools are created using default settings that enable the legacy metadata endpoint for backward compatibility. This commonly occurs when developers are unaware of the security implications of the legacy endpoint or when using older GKE cluster configurations. The legacy endpoint provides unauthenticated access to sensitive metadata.

Missing Workload Identity Migration

Organizations continue using the legacy metadata endpoint instead of migrating to Workload Identity for pod authentication. This often happens when teams are unaware of Workload Identity benefits or when application code hasn't been updated to use the newer, more secure authentication mechanism.

Inadequate Metadata Security Configuration

Infrastructure as Code templates define GKE node pools without properly configuring metadata security settings. This includes not setting disable-legacy-endpoints metadata or not configuring workload_metadata_config with appropriate security settings to restrict metadata access.

Fixes

1. Disable Legacy Metadata Endpoint

Configure GKE nodes to disable the legacy metadata endpoint by setting node_config.metadata["disable-legacy-endpoints"] = "true" in Terraform or enabling workload_metadata_config with GKE_METADATA mode. This forces pods to use the authenticated metadata service and prevents unauthenticated access to sensitive information.

2. Implement Workload Identity

Migrate to Workload Identity for secure pod authentication instead of relying on node service accounts. Configure workload_identity_config on the cluster and use Kubernetes Service Accounts bound to Google Service Accounts. This provides fine-grained access control and eliminates the need for pods to access node credentials.

3. Establish GKE Security Best Practices

Create organizational standards for GKE security including mandatory metadata endpoint protection, Workload Identity usage, and regular security scanning. Use GCP Config Validator or similar tools to enforce these standards across all GKE clusters and node pools.
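The three fixes above, and the vulnerable/secure Terraform pair earlier on this page, boil down to a small set of static checks on the cluster and node pool resources. As an added example (not Checkov's implementation and not the page's own code), the following Python script approximates those checks over an embedded, constructed Terraform sample: it flags a node pool whose node_config lacks `disable-legacy-endpoints = "true"` (the CKV_GCP_67 condition) or whose workload_metadata_config mode is not GKE_METADATA, and a cluster with no workload_identity_config block. The resource and attribute names are the google provider's; the minimal brace-matching parser is an assumption of this example and does not handle braces inside string literals.

```python
import re

# Constructed sample Terraform for this example (not the page's own code):
# a cluster with Workload Identity, a node pool left at defaults, and a
# hardened node pool.
SAMPLE_TF = '''
resource "google_container_cluster" "prod" {
  name                     = "prod"
  location                 = "us-central1"
  remove_default_node_pool = true
  workload_identity_config {
    workload_pool = "my-project.svc.id.goog"
  }
}
resource "google_container_node_pool" "legacy_nodes" {
  name    = "legacy"
  cluster = google_container_cluster.prod.name
  node_config {
    machine_type = "e2-medium"
  }
}
resource "google_container_node_pool" "hardened_nodes" {
  name    = "hardened"
  cluster = google_container_cluster.prod.name
  node_config {
    machine_type = "e2-medium"
    metadata = {
      disable-legacy-endpoints = "true"
    }
    workload_metadata_config {
      mode = "GKE_METADATA"
    }
  }
}
'''

RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')


def _matched_body(text, start):
    """Text from `start` (just after an opening brace) to its matching '}'."""
    depth, i = 1, start
    while i < len(text) and depth:
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
        i += 1
    return text[start:i - 1]


def resources(hcl):
    """Yield (type, name, body) for each top-level resource block."""
    for m in RESOURCE_RE.finditer(hcl):
        yield m.group(1), m.group(2), _matched_body(hcl, m.end())


def block(body, name):
    """Body of the first nested `name { ... }` or `name = { ... }`, else None."""
    m = re.search(r"\b%s\s*=?\s*\{" % re.escape(name), body or "")
    return _matched_body(body, m.end()) if m else None


def attr(body, key):
    """Value of a quoted string attribute `key = "..."`, else None."""
    m = re.search(r'\b%s\s*=\s*"([^"]*)"' % re.escape(key), body or "")
    return m.group(1) if m else None


def check_node_config(nc):
    """Findings for one node_config body; an empty list means compliant."""
    findings = []
    # CKV_GCP_67: the legacy endpoint must be explicitly disabled.
    if attr(block(nc, "metadata"), "disable-legacy-endpoints") != "true":
        findings.append('CKV_GCP_67: disable-legacy-endpoints is not "true"')
    # Pods should reach metadata only via the GKE metadata server.
    if attr(block(nc, "workload_metadata_config"), "mode") != "GKE_METADATA":
        findings.append("workload_metadata_config.mode is not GKE_METADATA")
    return findings


def audit(hcl):
    """Map 'type.name' -> list of findings for clusters and node pools."""
    report = {}
    for rtype, rname, body in resources(hcl):
        if rtype == "google_container_cluster":
            findings = []
            if block(body, "workload_identity_config") is None:
                findings.append("workload_identity_config missing (Workload Identity off)")
            nc = block(body, "node_config")
            if nc is not None:  # inline node_config, if the cluster keeps a default pool
                findings += check_node_config(nc)
            report[f"{rtype}.{rname}"] = findings
        elif rtype == "google_container_node_pool":
            report[f"{rtype}.{rname}"] = check_node_config(block(body, "node_config"))
    return report


if __name__ == "__main__":
    for res, findings in audit(SAMPLE_TF).items():
        print(res, "PASS" if not findings else "FAIL")
        for f in findings:
            print("   -", f)
```

Point `audit()` at the contents of a real `.tf` file to get the same per-resource report; for production use, run Checkov itself (which ships CKV_GCP_67) or GCP Config Validator as the page recommends, since they parse HCL properly and cover far more checks than this approximation.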

Detect This Vulnerability in Your Code

Sourcery automatically identifies GCP GKE Legacy Metadata Endpoint Enabled (CKV_GCP_67) and many other security issues in your codebase.