Ensure that Secure Boot security feature is enabled for your GKE cluster nodes in order to protect them against malware and rootkits. Secure Boot helps ensure that the system runs only authentic software by verifying the digital signature of all boot components, and halting the boot process if the signature verification fails.
Secure Boot is disabled by default because of the third-party unsigned kernel modules that cannot be loaded when the feature is enabled. If you don't use third-party unsigned kernel modules, it is highly recommended to enable Secure Boot for all your GKE cluster nodes. Enabling this security feature helps you protect your GKE workloads from boot-level and kernel-level malware and rootkits.
To determine if your Google Kubernetes Engine (GKE) cluster nodes are protected with Secure Boot, perform the following actions:
Remediation / Resolution
To enable Secure Boot feature for your Google Kubernetes Engine (GKE) cluster nodes, you have to re-create the existing GKE cluster node pools with the appropriate security configuration by performing the following actions:Note: Secure Boot should not be used if you need third-party unsigned kernel modules for your GKE cluster nodes.
- Google Cloud Platform (GCP) Documentation
- Google Kubernetes Engine
- Hardening your cluster's security
- Using Shielded GKE Nodes
Unlock the Remediation Steps
Gain free unlimited access
to our full Knowledge Base
Over 750 rules & best practices
Get started for FREE
You are auditing:
Enable Secure Boot for GKE Cluster Nodes
Risk level: Medium