Google Cloud Kubernetes Engine
  1. CNS Policies
  2. GCP Knowledge Base
  3. Google Cloud Kubernetes Engine

Secure Boot Disabled

Ensures that the Secure Boot feature is enabled for all node pools in your clusters.

Risk Level: High

Description

This plugin ensures that all the node pools in the Google Kubernetes Engine Clusters have the secure boot feature enabled. Secure boot is a setting for the node pools on GKE that helps in increasing the security of your clusters.

About the Service

Google Cloud Kubernetes Engine:

The Google Cloud Kubernetes Engine is a Kubernetes-based service that includes a control plane, nodes that house pods, and Google Cloud services. It aids in the modernization of your programs by offering a platform for deploying, managing, and scaling containerized applications. The Google Cloud Console or kubectl can be used to interact with this Google Cloud Kubernetes Engine. To know more, read here

Impact

If the secure boot feature is disabled, it makes your cluster node pools less secure and increases the risk of malware or rootkits attacks. To increase the integrity of your node pools, SentinelOne CNS strongly recommends enabling this feature.

Steps to Reproduce

Using GCP Console-

  1. Log In to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to Kubernetes Engine and select Clusters. You can use this link here to navigate directly if you’re already logged in.
  4. Select the cluster you want to investigate from the list of clusters displayed and go to the NODES tab of the selected cluster.
  5. Under the Node pools section, select the node pool you want to verify from the list of node pools displayed in the table.
  6. In the Security section, check the configuration setting of Secure boot. If it is disabled then the SentinelOne strongly recommends you to enable it.
  7. Repeat steps 5 and 6 for all the node pools present in the selected cluster.
  8. Repeat steps 4 to 7 for all the clusters you want to investigate in the selected project.
  9. If you have multiple projects that you want to investigate, repeat steps 2-8 for each project in your GCP console.

Steps for Remediation

Determine whether or not you truly require the secure boot feature to be disabled for your node pool. If not, make the necessary changes to enable it.

NOTE: The secure boot feature for node pools cannot be changed once the node pool is made. Hence, to enable it, we must re-create the node pool.

Using GCP Console-

  1. Log In to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to Kubernetes Engine and select Clusters. You can use this link here to navigate directly if you’re already logged in.
  4. Select the cluster you want to reconfigure from the list of clusters displayed and go to the NODES tab of the selected cluster.  (In case you aren’t sure which node pool needs to be configured, follow the steps to reproduce listed above to determine which to choose.)
  5. Under the Node pools section, select the node pool you want to verify from the list of node pools displayed in the table and note down all the configuration details.
  6. Go back to the configuration page of the selected cluster and click on the ADD NODE POOL button.
  7. Enter and configure the desired details according to the configuration settings of the node pool you are re-creating.
  8. In the Security tab, ensure that the Enable secure boot checkbox has been checked.
  9. Click CREATE to create the new node pool.
  10. You can now delete the original node pool to avoid unwanted expenses. Click on the node pool and select the DELETE button from the top navigation bar and press DELETE in the pop-up box to confirm the deletion.
  11. Repeat steps 5 to 10  for all the node pools that you want to reconfigure in the selected cluster.
  12. Repeat steps 4 to 11 for all the clusters you want to reconfigure in the selected project.
  13. If you have multiple projects, repeat steps 2 to 12 for each project in your GCP console.