5.5.7 - Ensure Secure Boot for Shielded GKE Nodes is Enabled (Automated)

Views:

Profile applicability: Level 2

Enable Secure Boot for Shielded GKE Nodes to verify the digital signature of node boot components.

An attacker may seek to alter boot components to persist malware or root kits during system initialisation. Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails.

Note

By default, Secure Boot is disabled in GKE clusters. By default, Secure Boot is disabled when Shielded GKE Nodes is enabled.

Impact

Secure Boot will not permit the use of third-party unsigned kernel modules.

Audit

Using Google Cloud Console:

Go to Kubernetes Engine website.
From the list of clusters, click on the name of the cluster under test.
Open the Details pane for each Node pool within the cluster, and ensure that Secure boot is set to Enabled under the Security heading.

Using Command Line:

To check if Secure Boot is enabled for the Node pools in the cluster, run the following command for each Node pool:

gcloud container node-pools describe <node_pool_name> --cluster 
<cluster_name> --zone <compute_zone> --format json | jq 
.config.shieldedInstanceConfig

This will return the value below, if Secure Boot is enabled:

{ 
    "enableSecureBoot": true 
}

Remediation

Once a Node pool is provisioned, it cannot be updated to enable Secure Boot. New Node pools must be created within the cluster with Secure Boot enabled.

Using Google Cloud Console:

Go to Kubernetes Engine website.
From the list of clusters, click on the cluster requiring the update and click ADD NODE POOL.
Ensure that the Secure boot checkbox is checked under the Shielded options Heading.
Click SAVE.

Workloads will need to be migrated from existing non-conforming Node pools to the newly created Node pool, then delete the non-conforming pools.

Using Command Line:

To create a Node pool within the cluster with Secure Boot enabled, run the following command:

gcloud container node-pools create <node_pool_name> --cluster <cluster_name> 
--zone <compute_zone> --shielded-secure-boot

Workloads will need to be migrated from existing non-conforming Node pools to the newly created Node pool, then delete the non-conforming pools.