This page shows you how to use the Shielded GKE Nodes feature. Shielded GKE Nodes provide strong, verifiable node identity and integrity to increase the security of GKE nodes.
About Shielded GKE Nodes
Shielded GKE Nodes are built on top of Compute Engine Shielded VMs. Without Shielded GKE Nodes, an attacker can exploit a vulnerability in a Pod to exfiltrate bootstrap credentials and impersonate nodes in your cluster, giving the attacker access to cluster secrets. When Shielded GKE Nodes is enabled, the GKE control plane cryptographically verifies that:
- Every node in your cluster is a virtual machine running in Google's data center.
- Every node is part of the managed instance group provisioned for the cluster.
- The kubelet is being provisioned a certificate for the node on which it is running.
This limits the ability of an attacker to impersonate a node in your cluster even if they are able to exfiltrate bootstrap credentials of the node.
You can optionally configure node integrity checks on node pools to provide enhanced rootkit and bootkit protection for your nodes. These node pool settings are independent from Shielded GKE Nodes and will work even if Shielded GKE Nodes is disabled on the cluster.
For more information, see the Shielded VM documentation.
There is no additional cost to run Shielded GKE Nodes. However, Shielded GKE Nodes generate about 0.5 KB more logs on startup than standard nodes. See the Cloud Logging pricing page for details.
Availability
- Shielded GKE Nodes are available in GKE 1.13.6-gke.0 and higher.
- Shielded GKE Nodes are available in all zones and regions.
- Shielded GKE Nodes can be used with Container-Optimized OS (COS), COS with containerd, and Ubuntu node images.
- Shielded GKE Nodes can be used with GPUs.
Before you begin
Before you start, make sure you have performed the following tasks:
- Ensure that you have enabled the Google Kubernetes Engine API.
- Ensure that you have installed the Cloud SDK.
Set up default gcloud settings using one of the following methods:
- Using gcloud init, if you want to be walked through setting defaults.
- Using gcloud config, to individually set your project ID, zone, and region.
Using gcloud init
If you receive the error One of [--zone, --region] must be supplied: Please specify location, complete this section.
- Run gcloud init and follow the directions:
gcloud init
If you are using SSH on a remote server, use the --console-only flag to prevent the command from launching a browser:
gcloud init --console-only
- Follow the instructions to authorize gcloud to use your Google Cloud account.
- Create a new configuration or select an existing one.
- Choose a Google Cloud project.
- Choose a default Compute Engine zone.
Using gcloud config
- Set your default project ID:
gcloud config set project PROJECT_ID
- If you are working with zonal clusters, set your default compute zone:
gcloud config set compute/zone COMPUTE_ZONE
- If you are working with regional clusters, set your default compute region:
gcloud config set compute/region COMPUTE_REGION
- Update gcloud to the latest version:
gcloud components update
Enabling Shielded GKE Nodes in a new cluster
You can create a new cluster with Shielded GKE Nodes enabled by using the gcloud command-line tool or Google Cloud Console.
gcloud
When creating a new cluster, specify the --enable-shielded-nodes option:
gcloud container clusters create cluster-name --enable-shielded-nodes
Console
Visit the Google Kubernetes Engine menu in Cloud Console.
Click add_box Create.
From the navigation pane, under Cluster, click Security.
Select the Enable Shielded GKE Nodes checkbox.
Configure your cluster as desired.
Click Create.
See Creating a cluster for more details about creating clusters.
Enabling Shielded GKE Nodes in an existing cluster
You can enable Shielded GKE Nodes in an existing cluster by using the gcloud command-line tool or Google Cloud Console.
After you enable Shielded GKE Nodes, the control plane and nodes are recreated as Shielded VMs. The control plane is unavailable while it is being recreated. The cluster nodes are recreated in a rolling fashion to minimize downtime.
gcloud
When updating the cluster, specify the --enable-shielded-nodes option:
gcloud container clusters update cluster-name --enable-shielded-nodes
Console
Visit the Google Kubernetes Engine menu in Cloud Console.
Click the cluster's Edit button, which looks like a pencil.
In the Shielded GKE Nodes drop-down list, select Enabled.
Verifying that Shielded GKE Nodes are enabled
You can verify that your cluster is using Shielded GKE Nodes with the gcloud command-line tool or Google Cloud Console.
gcloud
Describe the cluster:
gcloud container clusters describe cluster-name
If Shielded GKE Nodes are enabled, the output of the command includes these lines:
shieldedNodes:
  enabled: true
Console
- Navigate to the cluster details tab by clicking the cluster's name in the list of your clusters in your project.
- In the details list, verify that Shielded GKE Nodes is enabled.
You can also monitor the integrity of your nodes' underlying Shielded VMs. See Monitoring Integrity on Shielded VM Instances for the procedure.
Disabling Shielded GKE Nodes
You can disable Shielded GKE Nodes with the gcloud command-line tool or Google Cloud Console.
gcloud
When updating the cluster, specify the --no-enable-shielded-nodes option:
gcloud container clusters update cluster-name --no-enable-shielded-nodes
Console
Visit the Google Kubernetes Engine menu in Cloud Console.
Click the cluster's Edit button, which looks like a pencil.
In the Shielded GKE Nodes drop-down list, select Disabled.
After you disable Shielded GKE Nodes, the control plane and nodes are recreated as ordinary, unshielded VMs. The control plane is unavailable while it is being recreated. The cluster nodes are recreated in a rolling fashion to minimize downtime.
Node integrity
Secure Boot and Integrity Monitoring are node pool settings that can be used alongside Shielded GKE Nodes. Shielded GKE Nodes, Secure Boot, and Integrity Monitoring are independent features that can each be enabled or disabled individually.
Secure boot
Secure boot is a node pool setting that's disabled by default on GKE because third-party unsigned kernel modules cannot be loaded when secure boot is enabled.
If you don't use third-party unsigned kernel modules, you can enable secure boot with the gcloud command-line tool or Google Cloud Console.
gcloud
To enable secure boot when creating a cluster (the command group is clusters, not cluster):
gcloud container clusters create cluster-name --shielded-secure-boot
To enable secure boot when creating a node pool (the command group is node-pools, and the pool's cluster is named with --cluster):
gcloud container node-pools create pool-name --cluster cluster-name --shielded-secure-boot
Secure boot is disabled by default. You can explicitly disable it when creating a cluster or node pool with the --no-shielded-secure-boot option.
Console
To enable secure boot when creating a node pool:
- Navigate to the cluster details page.
- At the top of the page, click Add Node Pool.
- In the Shielded options section, select the Secure boot checkbox.
Integrity monitoring
Integrity monitoring is a node pool setting that's enabled by default on GKE. You can disable integrity monitoring with the gcloud command-line tool or Google Cloud Console.
gcloud
To disable integrity monitoring for system components when creating a cluster (the command group is clusters, not cluster):
gcloud container clusters create cluster-name --no-shielded-integrity-monitoring
To disable integrity monitoring for system components when creating a node pool (the command group is node-pools, and the pool's cluster is named with --cluster):
gcloud container node-pools create pool-name --cluster cluster-name --no-shielded-integrity-monitoring
Integrity monitoring is enabled by default. You can explicitly enable it when creating a cluster or node pool with the --shielded-integrity-monitoring option.
Console
To disable integrity monitoring when creating a node pool:
- Navigate to the cluster details page.
- At the top of the page, click Add Node Pool.
- In the Shielded options section, clear the Integrity monitoring checkbox.
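The Verifying section above shows the shieldedNodes line to look for in the output of gcloud container clusters describe, and this section explains that Secure Boot and Integrity Monitoring are separate per-node-pool settings. The following audit script, added here as an example and not part of the GKE documentation or Google's tooling, ties both together: it reads the JSON form of that describe output (assumed invocation: gcloud container clusters describe CLUSTER --format=json) and reports which of the three settings is off at the cluster or node pool level. The cluster-level field path shieldedNodes.enabled is the one shown on this page; the node pool field paths config.shieldedInstanceConfig.enableSecureBoot and config.shieldedInstanceConfig.enableIntegrityMonitoring are the GKE API's names and are not taken from this page. The embedded cluster description is constructed sample data.

```python
"""Audit a GKE cluster description for Shielded GKE Nodes, Secure Boot and
Integrity Monitoring.  Added example; not part of the GKE docs or gcloud.

Usage (assumed invocation, reads JSON from a file or stdin):
    gcloud container clusters describe CLUSTER --format=json | python3 audit_shielded.py
"""
import json
import sys

# Field paths.  shieldedNodes.enabled is the line this page tells you to look
# for; the node pool paths are the GKE API's ShieldedInstanceConfig names.
CLUSTER_SETTING = ("shieldedNodes", "enabled")
POOL_SETTINGS = ("enableSecureBoot", "enableIntegrityMonitoring")


def audit_cluster(cluster: dict) -> list[tuple[str, str]]:
    """Return (scope, setting) pairs for every setting that is not enabled.

    An empty list means the cluster and all its node pools pass.  A missing
    field is reported as not enabled, because an audit should surface a value
    it cannot confirm rather than silently assume the GKE default.
    """
    findings = []

    # Cluster level: without this the control plane does not verify node identity.
    if not cluster.get("shieldedNodes", {}).get("enabled", False):
        findings.append(("cluster", "shieldedNodes.enabled"))

    # Node pool level: Secure Boot and Integrity Monitoring are independent of
    # Shielded GKE Nodes and of each other, so each pool is checked on its own.
    for pool in cluster.get("nodePools", []):
        name = pool.get("name", "<unnamed-pool>")
        shielded = pool.get("config", {}).get("shieldedInstanceConfig", {})
        for setting in POOL_SETTINGS:
            if not shielded.get(setting, False):
                findings.append((f"nodepool/{name}", setting))
    return findings


def format_report(findings: list[tuple[str, str]]) -> str:
    """Render findings as one line per issue, or a single OK line."""
    if not findings:
        return "OK: Shielded GKE Nodes, Secure Boot and Integrity Monitoring enabled everywhere"
    return "\n".join(f"NOT ENABLED  {scope:<24} {setting}" for scope, setting in findings)


# Constructed sample: shielded nodes on, default-pool fully hardened, and a
# second pool (say, one that needs an unsigned driver module) with Secure Boot
# off and no Integrity Monitoring value recorded at all.
SAMPLE_CLUSTER = {
    "name": "sample-cluster",
    "shieldedNodes": {"enabled": True},
    "nodePools": [
        {
            "name": "default-pool",
            "config": {
                "shieldedInstanceConfig": {
                    "enableSecureBoot": True,
                    "enableIntegrityMonitoring": True,
                }
            },
        },
        {
            "name": "gpu-pool",
            "config": {"shieldedInstanceConfig": {"enableSecureBoot": False}},
        },
    ],
}


def main(argv: list[str]) -> int:
    """Read a describe JSON document from a file argument or stdin, else use the sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            cluster = json.load(fh)
    elif not sys.stdin.isatty():
        cluster = json.load(sys.stdin)
    else:
        cluster = SAMPLE_CLUSTER
    findings = audit_cluster(cluster)
    print(format_report(findings))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status is non-zero whenever anything is reported, so the script can gate a pipeline step; the per-pool loop is what makes the page's point concrete, since a cluster can show shieldedNodes enabled while an individual pool still runs without Secure Boot.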