GoogleCloudPlatform / inspec-gke-cis-benchmark

GKE CIS 1.1.0 Benchmark InSpec Profile
Apache License 2.0

False positive on 5.4.2 Ensure the GKE Metadata Server is Enabled #25

Open dinvlad opened 3 years ago

dinvlad commented 3 years ago

Hi Team,

We're seeing false positives reported for the "5.4.2 Ensure the GKE Metadata Server is Enabled" control. More specifically, we have a project with one and only one cluster, on which Workload Metadata is enabled. When I query this cluster using

gcloud beta container clusters describe <cluster> --region <region> --project <project> --format json \
  | jq '.nodePools[].config.workloadMetadataConfig'

it returns

{
  "mode": "GKE_METADATA",
  "nodeMetadata": "GKE_METADATA_SERVER"
}
{
  "mode": "GKE_METADATA",
  "nodeMetadata": "GKE_METADATA_SERVER"
}
{
  "mode": "GKE_METADATA",
  "nodeMetadata": "GKE_METADATA_SERVER"
}

for the 3 node pools that we have on it.

However, when running the latest Git version of GKE CIS for this project, it reports

Cluster <region>/<cluster>, Node Pool: batch config.workload_meta_config.mode is expected to be in "GCE_METADATA" and "GKE_METADATA"

for each of these pools.

Thanks
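
One way to evaluate the control over the `describe` output quoted above, as an added reference check that is not code from the repo's InSpec profile: a pool counts as compliant when the current `mode` field is `GKE_METADATA` or, for pools that only report the legacy field, `nodeMetadata` is `GKE_METADATA_SERVER`. The sample JSON and the pool names other than `batch` are constructed.

```ruby
require 'json'

# Constructed sample modelled on the `gcloud ... describe --format json` output
# quoted in the issue (only the fields the check needs; pool names other than
# "batch" are invented).
SAMPLE_CLUSTER_JSON = <<~JSON
  {
    "name": "example-cluster",
    "nodePools": [
      {"name": "batch",   "config": {"workloadMetadataConfig": {"mode": "GKE_METADATA", "nodeMetadata": "GKE_METADATA_SERVER"}}},
      {"name": "legacy",  "config": {"workloadMetadataConfig": {"nodeMetadata": "GKE_METADATA_SERVER"}}},
      {"name": "default", "config": {"workloadMetadataConfig": {"mode": "GCE_METADATA"}}},
      {"name": "none",    "config": {}}
    ]
  }
JSON

# Values that mean the GKE Metadata Server is enabled on a pool:
# the current `mode` field, or the legacy `nodeMetadata` field.
COMPLIANT_MODE = 'GKE_METADATA'.freeze
COMPLIANT_NODE_METADATA = 'GKE_METADATA_SERVER'.freeze

# True when the pool has the GKE Metadata Server enabled. The legacy field is
# consulted as a fallback so a pool that only reports `nodeMetadata` is not
# flagged as a false positive; a pool with neither field is a real finding.
def gke_metadata_server_enabled?(node_pool)
  wmc = node_pool.dig('config', 'workloadMetadataConfig') || {}
  wmc['mode'] == COMPLIANT_MODE || wmc['nodeMetadata'] == COMPLIANT_NODE_METADATA
end

# Evaluates CIS 5.4.2 for every pool and returns a hash of pool name => status.
def audit_cis_5_4_2(cluster_json)
  cluster = JSON.parse(cluster_json)
  cluster.fetch('nodePools', []).each_with_object({}) do |pool, result|
    result[pool['name']] = gke_metadata_server_enabled?(pool) ? 'pass' : 'fail'
  end
end

# Names of the pools that should be reported as findings.
def failing_pools(cluster_json)
  audit_cis_5_4_2(cluster_json).select { |_, status| status == 'fail' }.keys
end

if $PROGRAM_NAME == __FILE__
  audit_cis_5_4_2(SAMPLE_CLUSTER_JSON).each { |pool, status| puts "#{pool}: #{status}" }
end
```

Feeding the real `gcloud ... --format json` output into `audit_cis_5_4_2` shows which pools the control should flag, which is a quick way to confirm a reported finding is a false positive.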

KonradSchieban commented 3 years ago

Thanks for raising @dinvlad, I will review and take action shortly.

dinvlad commented 2 years ago

Any update on this one?