TF 0331 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Node metadata value disables metadata concealment.
| Property | Value |
|---|---|
| Language | |
| Severity | |
| Service | gke |
| Provider | |
| Vulnerability Type | misconfiguration |
## Description

The `node_metadata` attribute in the `workload_metadata_config` block is set insecurely, allowing Kubernetes pods to access sensitive VM metadata that should be concealed from workloads. The exposed metadata can include credentials (such as the node service account token) or internal configuration details.
## Impact

If exploited, pods running in the cluster could read and potentially exfiltrate sensitive VM metadata, such as service account tokens or project information, leading to privilege escalation, data leakage, or compromise of other Google Cloud resources.
## Resolution

Set `node_metadata` to `SECURE` or `GKE_METADATA_SERVER`.
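The following Terraform snippet is an added example, not part of this database entry, showing the flagged setting beside the corrected one on a `google_container_node_pool` resource. The resource names, project, location and machine type are made up for illustration. The `node_metadata` attribute and its `SECURE` / `GKE_METADATA_SERVER` values belong to the Google provider's 3.x series; in provider 4.x and later the same block takes `mode = "GKE_METADATA"` instead.

```hcl
# Constructed example: the "before" node pool exposes the VM metadata server
# to every pod scheduled on its nodes. A pod can then read the node's service
# account token from the metadata endpoint, which is what this finding flags.
resource "google_container_node_pool" "insecure_pool" {
  name       = "insecure-pool"              # hypothetical name
  location   = "us-central1"                # hypothetical location
  cluster    = google_container_cluster.example.name
  node_count = 1

  node_config {
    machine_type = "e2-standard-2"

    workload_metadata_config {
      node_metadata = "EXPOSE"              # insecure: metadata visible to pods
    }
  }
}

# Corrected node pool: GKE_METADATA_SERVER runs the GKE metadata server on
# each node, hiding VM metadata (including the node SA token) from pods and
# enabling Workload Identity so pods get their own scoped identities.
# "SECURE" (metadata concealment) is also accepted by the check.
resource "google_container_node_pool" "secure_pool" {
  name       = "secure-pool"                # hypothetical name
  location   = "us-central1"                # hypothetical location
  cluster    = google_container_cluster.example.name
  node_count = 1

  node_config {
    machine_type = "e2-standard-2"

    workload_metadata_config {
      node_metadata = "GKE_METADATA_SERVER" # secure: metadata concealed
    }
  }
}
```

Note that `workload_metadata_config` is set per node pool, so every pool in the cluster (including any default pool the cluster resource creates) needs the secure value; a single pool left on `EXPOSE` or `UNSPECIFIED` is enough to reintroduce the finding.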