Suggest enabling metadata-concealment by default #139
Labels
enhancement
New feature or request
Comments
|
We should expose this as a variable (with a |
|
We have exposed this (as |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Strongly suggest that the metadata-concealment proxy be enabled to protect cluster privilege escalation attacks (without this control in place, any pod has the ability to use the instance metadata API to obtain the kubelet's credentials which provides a path to gain access to all cluster secrets).
https://www.terraform.io/docs/providers/google/r/container_cluster.html#node_metadata
e.g.
See: https://cloud.google.com/kubernetes-engine/docs/how-to/protecting-cluster-metadata#concealment https://www.4armed.com/blog/kubeletmein-kubelet-hacking-tool/ and https://www.qwiklabs.com/focuses/5158?parent=catalog for more background info on why this control is so important.
The text was updated successfully, but these errors were encountered: