GKE metadata is not concealed

Severity	Exploitability	Providers	Categories
HIGH	LOW	Google Cloud Provider	SECRET

Description

GKE instance metadata may contain secrets information. Those should be protected and isolated from the workloads running on the cluster.

Impact

Potential data exposure	Visible in logs	User interaction required	Privileges required
True	False	False	False

Secret metadata information may leak.

Remediation guidelines

Either:

• Set metadata to SECURE
• Set metadata to GKE_METADATA_SERVER, if workload identity is enabled.

References

• About the metadata server
• GCP protecting cluster metadata

Was this page helpful?