Exploring container security: Bringing Shielded VMs to GKE with Shielded GKE Nodes

Where workloads go, attackers follow. As more organizations adopt containers and deploy sensitive workloads with Kubernetes, there are new container-specific surface areas that need to be hardened. Today, we are announcing Shielded GKE Nodes in beta, which provides strong, verifiable node identity and integrity to increase the protection of your Google Kubernetes Engine (GKE) nodes. 

A compromised Kubernetes node gives malicious actors a wide range of opportunities for attack. For example, one potential attack on a Kubernetes node can give adversaries the opportunity to gain (persistent) access to valuable user code, compute and/or data. This isn’t just a theoretical risk—a security researcher exploited it last year. In this case, by exploiting how credentials are bootstrapped for a worker node, the researcher got full access to the cluster. 

Shielded GKE Nodes protects against a variety of attacks by hardening the underlying GKE node against rootkits and bootkits. More specifically, Shielded GKE Nodes provides:

  • Node OS provenance check: A cryptographically verifiable check to make sure the node OS is running on a virtual machine in a Google data center

  • Enhanced rootkit and bootkit protection: Protection against advanced rootkits and bootkits in the node by leveraging advanced platform security capabilities such as secure and measured boot, virtual trusted platform module (vTPM), UEFI firmware, and integrity monitoring

  • Standards-based security: Built on the Trusted Computing Group’s (TCG) Trusted Platform Module (TPM), Shielded GKE Nodes uses a standardized specification for trusted computing, such as verifying the boot integrity of the node and enhancing the node bootstrapping process

Shopify offers an ecommerce platform that allows merchants to process payments online, in person, or through social media apps, and is a strong proponent of Shielded GKE Nodes. Shopify runs 50 GKE clusters in multiple regions with 10,000 Kubernetes services, and Shielded GKE Nodes gives them extra security with less overhead.

“Shopify's thousands of nodes must each run a proxy to prevent metadata servers from divulging kubelet bootstrap credentials, which are required for a node to join a cluster but shouldn't be needed after that. We're excited to migrate to Shielded GKE Nodes, which can only use those credentials in conjunction with a secure vTPM-based method to establish trust with the cluster,” said Shane Lawrence, Security Infrastructure Engineer at Shopify. “The change allows us to turn off the proxies to save resources, and limiting the capabilities of the bootstrap credentials eliminates an attack vector, so our platform is even more secure.”

Image and region availability

Shielded GKE Nodes is built on top of Google Compute Engine Shielded VM, which provides verifiable integrity and data exfiltration protection for virtual machines (VMs). Just like Shielded VM, GKE customers can use Shielded GKE Nodes at no extra charge. Shielded GKE Nodes is available in all regions, for both Ubuntu and Container Optimized OS (COS) node images running GKE v1.13.6 and later versions. 

Getting started

To use Shielded GKE Nodes, when creating the new cluster, specify the --enable-shielded-nodes flag:

  gcloud beta container clusters create [CLUSTER_NAME] --enable-shielded-nodes

To use Shielded GKE Nodes, you need a minimum cluster version of 1.13.6-gke.0, which can be specified via the --cluster-version or --release-channel flags. Alternatively, you can specify --cluster-version=latest.

To migrate an existing cluster, upgrade your cluster to at least the minimum version, and specify the --enable-shielded-nodes flag on a cluster update command:

  gcloud beta container clusters update [CLUSTER_NAME] --enable-shielded-nodes

For further details, see the [documentation].
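
A preflight for the migration step above, as an added example that is not from the original post or from Google's documentation: it compares a cluster version numerically against the 1.13.6-gke.0 minimum before the update command is run. The function names, the constructed sample versions, and the ordering rule (major.minor.patch, then the -gke build number) are assumptions of this example; `check_cluster` also assumes an authenticated gcloud with a default zone or region.

```shell
#!/bin/sh
# Added example: preflight for
#   gcloud beta container clusters update [CLUSTER_NAME] --enable-shielded-nodes
MIN_VERSION="1.13.6-gke.0"   # minimum cluster version stated in the article

# Print "major minor patch build" for a version like 1.13.6-gke.0.
# Fails (status 1) on anything that is not in that form.
parse_gke_version() {
  case $1 in *[!0-9a-z.-]*) return 1 ;; esac
  core=${1%%-gke.*}
  build=${1##*-gke.}
  [ "$core-gke.$build" = "$1" ] || return 1   # exactly one "-gke.N" suffix
  old_ifs=$IFS; IFS=.; set -- $core "$build"; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for part in "$@"; do
    case $part in ''|*[!0-9]*) return 1 ;; esac
  done
  echo "$1 $2 $3 $4"
}

# Succeeds when version $1 >= version $2; status 2 if either is malformed.
# Fields are compared as numbers, so 1.13.10 sorts after 1.13.6.
version_at_least() {
  a=$(parse_gke_version "$1") || return 2
  b=$(parse_gke_version "$2") || return 2
  set -- $a $b
  if [ "$1" -ne "$5" ]; then [ "$1" -gt "$5" ]; return; fi
  if [ "$2" -ne "$6" ]; then [ "$2" -gt "$6" ]; return; fi
  if [ "$3" -ne "$7" ]; then [ "$3" -gt "$7" ]; return; fi
  [ "$4" -ge "$8" ]
}

# Print the next step for a cluster at version $1.
next_step() {
  version_at_least "$1" "$MIN_VERSION" && rc=0 || rc=$?
  case $rc in
    0) echo "enable" ;;         # update --enable-shielded-nodes can be run
    2) echo "invalid" ;;        # not a concrete version (e.g. the "latest" alias)
    *) echo "upgrade-first" ;;  # upgrade the cluster, then enable
  esac
}

# Live check against a real cluster; not called by the demo below.
check_cluster() {
  v=$(gcloud container clusters describe "$1" \
        --format='value(currentMasterVersion)') || return 1
  echo "$1: version $v -> $(next_step "$v")"
}

# Demo over constructed version strings.
for v in 1.12.8-gke.10 1.13.6-gke.0 1.13.10-gke.2 latest; do
  echo "$v -> $(next_step "$v")"
done
```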

Start running Shielded GKE Nodes

If you run production applications, you want as much protection as possible. Shielded GKE Nodes provides you with the benefits of UEFI firmware, secure boot, and vTPM in a hardened Kubernetes environment. Improve your security posture: try Shielded GKE Nodes today.