This page shows you how to use the Shielded GKE Nodes feature. Shielded GKE Nodes provide strong, verifiable node identity and integrity to increase the security of Google Kubernetes Engine (GKE) nodes.
For GKE Autopilot clusters, the Shielded GKE Nodes feature is enabled by default and cannot be overridden. For GKE Standard clusters, the Shielded GKE Nodes feature is enabled by default but can be overridden.
About Shielded GKE Nodes
Shielded GKE Nodes are built on top of Compute Engine Shielded VMs. Without Shielded GKE Nodes an attacker can exploit a vulnerability in a Pod to exfiltrate bootstrap credentials and impersonate nodes in your cluster, giving the attackers access to cluster secrets. When Shielded GKE Nodes is enabled, the GKE control plane cryptographically verifies that:
- Every node in your cluster is a virtual machine running in Google's data center.
- Every node is part of the Managed Instance Group (MIG) provisioned for the cluster.
- The kubelet is being provisioned a certificate for the node on which it is running.
This limits the ability of an attacker to impersonate a node in your cluster even if they are able to exfiltrate bootstrap credentials of the node.
GKE cluster control plane nodes always use Shielded GKE Nodes, even if you disable the feature on your cluster. Enabling or disabling Shielded GKE Nodes only affects whether the worker nodes that run your workloads use the feature.
Pricing
There is no additional cost to run Shielded GKE Nodes. However, Shielded GKE Nodes generate about 0.5 KB more logs on startup than standard nodes. See the Cloud Logging pricing page for details.
Before you begin
Before you start, make sure you have performed the following tasks:
- Enable the Google Kubernetes Engine API. Enable Google Kubernetes Engine API
- If you want to use the Google Cloud CLI for this task,
install and then
initialize the
gcloud CLI. If you previously installed the gcloud CLI, get the latest
version by running
gcloud components update
.
Enabling Shielded GKE Nodes in a new cluster
You can create a new cluster with Shielded GKE Nodes enabled by using the gcloud CLI or the Google Cloud console.
gcloud
When creating a new cluster, specify the --enable-shielded-nodes
option:
gcloud container clusters create CLUSTER_NAME \
--enable-shielded-nodes
Console
Go to the Google Kubernetes Engine page in the Google Cloud console.
Click add_box Create.
From the navigation pane, under Cluster, click Security.
Select the Enable Shielded GKE Nodes checkbox.
Configure your cluster as desired.
Click Create.
See Creating a cluster for more details about creating clusters.
Enabling Shielded GKE Nodes in an existing cluster
You can enable Shielded GKE Nodes in an existing cluster by using the Google Cloud CLI or the Google Cloud console.
How GKE enables Shielded GKE Nodes
After you enable Shielded GKE Nodes, the worker nodes are recreated as Shielded VMs. The cluster nodes are recreated in a rolling fashion to minimize downtime.
After you enable Shielded GKE Nodes, GKE updates your cluster with the following steps:
- GKE immediately recreates the control plane, ignoring maintenance availability.
- GKE recreates the worker nodes as Shielded VMs, respecting maintenance availability. GKE uses surge upgrades to update each of the node pools. This depends on resource availability. Disabling node auto-upgrades doesn't prevent this change.
For details about this specific change, find the corresponding row in the manual changes that recreate the nodes using a node upgrade strategy and respecting maintenance policies table. To learn more about node updates, see Planning for node update disruptions.
Enable Shielded GKE Nodes
gcloud
When updating the cluster, specify the --enable-shielded-nodes
option:
gcloud container clusters update CLUSTER_NAME \
--enable-shielded-nodes
Console
Go to the Google Kubernetes Engine page in Google Cloud console.
Click the name of the cluster you want to modify.
Under Security, in the Shielded GKE Nodes field, click edit Edit Shielded GKE Nodes.
Select the Enable Shielded GKE Nodes checkbox.
Click Save Changes.
Verifying that Shielded GKE Nodes are enabled
You verify that your cluster is using Shielded GKE Nodes with the Google Cloud CLI or the Google Cloud console.
gcloud
Describe the cluster:
gcloud container clusters describe CLUSTER_NAME
If Shielded GKE Nodes are enabled, the output of the command will include these lines:
shieldedNodes:
enabled: true
Console
To verify that a cluster is using Shielded GKE Nodes:
Go to the Google Kubernetes Engine page in Google Cloud console.
Click the name of the cluster you want to inspect.
Under Security, in the Shielded GKE Nodes field, verify that Shielded GKE Nodes is Enabled.
You can also monitor the integrity of your nodes' underlying Shielded VMs. See Monitoring Integrity on Shielded VM Instances for the procedure.
Disabling Shielded GKE Nodes
You can disable Shielded GKE Nodes with the Google Cloud CLI or the Google Cloud console.
How GKE disables Shielded GKE Nodes
After you disable Shielded GKE Nodes, GKE updates your cluster with the following steps:
- GKE immediately recreates the control plane, ignoring maintenance availability.
- GKE recreates the worker nodes as unshielded VMs, respecting maintenance availability. GKE uses surge upgrades to update each of the node pools. This depends on resource availability. Disabling node auto-upgrades doesn't prevent this change.
For details about this specific change, find the corresponding row in the manual changes that recreate the nodes using a node upgrade strategy and respecting maintenance policies table. To learn more about node updates, see Planning for node update disruptions.
Disable Shielded GKE Nodes
gcloud
When updating the cluster, specify the --no-enable-shielded-nodes
option:
gcloud container clusters update CLUSTER_NAME \
--no-enable-shielded-nodes
Console
Go to the Google Kubernetes Engine page in Google Cloud console.
Click the name of the cluster you want to modify.
Under Security, in the Shielded GKE Nodes field, click edit Edit Shielded GKE Nodes.
Clear the Enable Shielded GKE Nodes checkbox.
Click Save Changes.
Node integrity
You can optionally configure node integrity checks on node pools to provide enhanced rootkit and bootkit protection for your nodes. Shielded GKE Nodes, Secure Boot, and Integrity Monitoring are independent features that can each be enabled or disabled individually.
Secure boot
Secure boot is a node pool setting that authenticates the boot components of your node VMs, like the kernel and the bootloader, during the boot process. Secure boot is disabled by default on node pools.
Before you enable secure boot in your node pools, consider the following:
- Enabling secure boot in Ubuntu nodes blocks unsigned third-party kernel modules from loading in those nodes.
- Enabling secure boot in Container-Optimized OS nodes has no effect on kernel module loading because Container-Optimized OS node images control the ability to load third-party kernel modules separately from secure boot.
To enable secure boot, use the Google Cloud CLI or the Google Cloud console.
gcloud
To enable secure boot when creating a cluster:
gcloud container clusters create CLUSTER_NAME \
--shielded-secure-boot
To enable secure boot when creating a node pool:
gcloud container node-pools create POOL_NAME \
--shielded-secure-boot
Secure boot is disabled by default. You can explicitly disable it when creating
a cluster or node pool with the --no-shielded-secure-boot
option.
Console
To enable secure boot when creating a node pool:
Go to the Google Kubernetes Engine page in Google Cloud console.
Click the name of the cluster you want to modify.
Click add_box Add Node Pool.
From the navigation menu, click Security.
Under Shielded options, select the Enable secure boot checkbox.
Click Create.
Integrity monitoring
Integrity monitoring is a node pool setting that's enabled by default on GKE. You can disable integrity monitoring with the Google Cloud CLI or Google Cloud console.
gcloud
To disable integrity monitoring for system components when creating a cluster:
gcloud container clusters create CLUSTER_NAME \
--no-shielded-integrity-monitoring
To disable integrity monitoring for system components when creating a node pool:
gcloud container node-pools create POOL_NAME \
--no-shielded-integrity-monitoring
Integrity monitoring is enabled by default. You can explicitly enable it when
creating a cluster or node pool with the --shielded-integrity-monitoring
option.
Console
To disable integrity monitoring when creating a node pool:
Go to the Google Kubernetes Engine page in Google Cloud console.
Click the name of the cluster you want to modify.
Click add_box Add Node Pool.
From the navigation pane, click Security.
Under Shielded options, clear the Enable integrity monitoring checkbox.