Using Shielded GKE Nodes

This page shows you how to use Shielded GKE Nodes. Shielded GKE Nodes provide strong, verifiable node identity and integrity to increase the security of GKE nodes.

Overview

Shielded GKE Nodes are built on top of Compute Engine Shielded VMs. Shielded GKE Nodes provide the following:

Node OS provenance check
A cryptographically verifiable check to make sure the node OS is running on a virtual machine in a Google data center.
Enhanced rootkit and bootkit protection

Shielded GKE Nodes protects against rootkits and bootkits gaining persistence in the node, using:

  • secure and measured boot
  • virtual trusted platform module (vTPM)
  • UEFI firmware
  • integrity monitoring

See the Shielded VM documentation for more details.

Shielded GKE Nodes can be used with GPUs.

There is no additional cost to run Shielded GKE Nodes. However, Shielded GKE Nodes generate about 0.5 KB more logs on startup than standard nodes. See the Stackdriver Logging pricing page for details.

Availability

  • Shielded GKE Nodes are available in GKE 1.13.6-gke.0 and higher.
  • Shielded GKE Nodes are available in all zones and regions.
  • Shielded GKE Nodes can be used with Container-Optimized OS (COS), COS with containerd, and Ubuntu node images.

Before you begin

To prepare for this task, perform the following steps:

  • Ensure that you have enabled the Google Kubernetes Engine API.
    • Enable Google Kubernetes Engine API
  • Ensure that you have installed the Cloud SDK.
  • Set your default project ID: 
    gcloud config set project [PROJECT_ID]
  • If you are working with zonal clusters, set your default compute zone: 
    gcloud config set compute/zone [COMPUTE_ZONE]
  • If you are working with regional clusters, set your default compute region: 
    gcloud config set compute/region [COMPUTE_REGION]
  • Update gcloud to the latest version: 
    gcloud components update

Enabling Shielded GKE Nodes in a new cluster

You can use either the gcloud command-line tool or the Google Cloud Platform Console to create a new cluster with Shielded GKE Nodes.

gcloud

When creating a new cluster, specify the --enable-shielded-nodes option:

gcloud beta container clusters create [CLUSTER_NAME] --enable-shielded-nodes

Console

  1. Navigate to the Create cluster page.
  2. Expand the "Availability, networking, security, and additional features" section.
  3. In the security section (pictured below), select the "Enable Shielded GKE Nodes" checkbox.

Screenshot of the create cluster interface

See the creating a cluster documentation for more details about creating clusters.

Enabling Shielded GKE Nodes in an existing cluster

You can use either the gcloud command-line tool or the Google Cloud Platform Console to enable Shielded GKE Nodes in an existing cluster.

After you enable Shielded GKE Nodes, the control plane and nodes are recreated as Shielded VMs. The control plane is unavailable while it is being recreated. The cluster nodes are recreated in a rolling fashion to minimize downtime.

gcloud

When updating the cluster, specify the --enable-shielded-nodes option:

gcloud beta container clusters update [CLUSTER_NAME] --enable-shielded-nodes

console

  1. Navigate to the edit clusters page.
  2. Select Enabled in the Shielded GKE Nodes menu.

Screenshot of the edit cluster interface

Optional configurations

Secure Boot

Secure Boot is disabled by default on GKE because third-party unsigned kernel modules cannot be loaded when Secure Boot is enabled.

If you don't use third-party unsigned kernel modules, you can enable Secure Boot with gcloud command-line tool or Google Cloud Platform Console:

gcloud

To enable Secure Boot when creating a cluster:

gcloud beta container cluster create [CLUSTER_NAME] --shielded-secure-boot

To enable Secure Boot when creating a node pool:

gcloud beta container node-pool create [POOL_NAME] --shielded-secure-boot

Secure Boot is disabled by default. You can explicitly disable it when creating a cluster or node pool with the --no-shielded-secure-boot option.

Console

To enable secure boot when creating a node pool:

  1. Navigate to the cluster details page.
  2. At the top of the page, click Add Node Pool.
  3. In the Shielded options section, under the Security heading, select the Secure boot checkbox (pictured below).

Screenshot of the add Node Pool interface

System integrity monitoring

Integrity Monitoring is enabled by default on GKE. You can disable integrity monitoring with gcloud command-line tool or Google Cloud Platform Console:

gcloud

To disable integrity monitoring for system components when creating a cluster:

gcloud beta container cluster create [CLUSTER_NAME] --no-shielded-integrity-monitoring

To disable integrity monitoring for system components when creating a node pool:

gcloud beta container node-pool create [POOL_NAME] --no-shielded-integrity-monitoring

Integrity monitoring is enabled by default. You can explicitly enable it when creating a cluster or node pool with the --shielded-integrity-monitoring option.

Console

To disable integrity monitoring when creating a node pool:

  1. Navigate to the cluster details page.
  2. At the top of the page, click Add Node Pool.
  3. In the Shielded options section, under the Security heading, clear the Integrity monitoring checkbox (pictured below).

Screenshot of the add Node Pool interface

Verifying that Shielded GKE Nodes are enabled

You can use either the gcloud command-line tool or the Google Cloud Platform Console to verify that your cluster is using Shielded GKE Nodes.

gcloud

Describe the cluster:

gcloud beta container clusters describe [CLUSTER_NAME]

If Shielded GKE Nodes are enabled, the output of the command will include these lines:

shieldedNodes:
enabled: true

console

  1. Navigate to the cluster details tab by clicking the cluster's name in the list of your clusters in your project.
  2. In the details list, verify that Shielded GKE Nodes is enabled.

Screenshot of the cluster details list

You can also monitor the integrity of your nodes' underlying Shielded VMs. See Monitoring Integrity on Shielded VM Instances for the procedure.

Disabling Shielded GKE Nodes

You can disable Shielded GKE Nodes with gcloud command-line tool or Google Cloud Platform Console.

gcloud

When updating the cluster, specify the --no-enable-shielded-nodes option:

gcloud beta container clusters update [CLUSTER_NAME] --no-enable-shielded-nodes

console

  1. Navigate to the edit clusters page.
  2. Select Disabled in the Shielded GKE Nodes menu.

Screenshot of the edit cluster interface

After you disable Shielded GKE Nodes, the control plane and nodes are recreated as ordinary, unshielded VMs. The control plane is unavailable while it is being recreated. The cluster nodes are recreated in a rolling fashion to minimize downtime.

What's next

Var denne side nyttig? Giv os en anmeldelse af den:

Send feedback om...

Denne side
Feedback om de tilhørende oplysninger
Kubernetes Engine Documentation
Feedback om produktet