gke/SEC/2023_001

GKE Workload Identity is enabled

Product: Google Kubernetes Engine
Rule class: SEC - Potential security issue

Description

Workload Identity allows a Kubernetes service account in your GKE cluster to act as an IAM service account. Pods that use the configured Kubernetes service account automatically authenticate as that IAM service account when they access Google Cloud APIs. Using Workload Identity lets you assign a distinct, fine-grained identity and authorization to each application in your cluster, and it also protects the node's metadata server (the Compute Engine metadata endpoint) from workloads.

Without Workload Identity, pods and containers use the node's service account, which has access to a subset of Google Cloud APIs.

Remediation

Enable and configure Workload Identity on your Google Kubernetes Engine (GKE) clusters.
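The following is an added example, not part of the gcpdiag rule itself: a small check that reads a cluster description and reports whether the cluster-level workload pool is set and which node pools still run without the GKE metadata server. It assumes the JSON layout produced by `gcloud container clusters describe --format=json` (`workloadIdentityConfig.workloadPool` and `nodePools[].config.workloadMetadataConfig.mode`); the sample cluster is constructed.

```python
import json

# Constructed sample in the shape of `gcloud container clusters describe --format=json`
# output; the field layout is an assumption about the GKE API, not taken from the rule page.
SAMPLE_CLUSTER = json.loads("""
{
  "name": "example-cluster",
  "workloadIdentityConfig": {"workloadPool": "example-project.svc.id.goog"},
  "nodePools": [
    {"name": "default-pool",
     "config": {"workloadMetadataConfig": {"mode": "GKE_METADATA"}}},
    {"name": "legacy-pool",
     "config": {}}
  ]
}
""")


def check_workload_identity(cluster: dict) -> dict:
    """Return findings for one cluster: the configured workload pool (None when
    Workload Identity is off) and the node pools whose workloads can still reach
    the node service account because they are not in GKE_METADATA mode."""
    pool = cluster.get("workloadIdentityConfig", {}).get("workloadPool")
    findings = {
        "cluster": cluster.get("name"),
        "workload_pool": pool,
        "unprotected_node_pools": [],
    }
    for node_pool in cluster.get("nodePools", []):
        mode = (node_pool.get("config", {})
                .get("workloadMetadataConfig", {})
                .get("mode"))
        if mode != "GKE_METADATA":
            findings["unprotected_node_pools"].append(node_pool.get("name"))
    # Compliant only when the pool is set and every node pool uses the GKE metadata server.
    findings["compliant"] = pool is not None and not findings["unprotected_node_pools"]
    return findings


if __name__ == "__main__":
    print(json.dumps(check_workload_identity(SAMPLE_CLUSTER), indent=2))
```

A node pool created before Workload Identity was enabled on the cluster keeps exposing the node service account until it is updated, which is why the check looks at each pool and not only at the cluster setting.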

Further information