GKE cluster does not have Workload Identity enabled

PLATFORM

SERVICE: gke

DATA BREACHES: known

LAST UPDATED

EXPLOITABILITY: medium (exploitability of a vulnerability measures how easy it is for an attacker to discover and exploit the vulnerability; some might refer to this as likelihood)

IMPACT: high (how impactful to your environment and organization a successful exploitation of this vulnerability is expected to be)

About

GKE Workload Identity allows users to securely assign permissions in Google Cloud to Kubernetes service accounts. More crucially, it ensures that Kubernetes pods cannot access GCP credentials on the underlying worker node.

Understanding Impact

Business Impact

GKE clusters that do not have Workload Identity enabled may allow attackers to use a single vulnerable application to compromise the full cluster and access sensitive data stored in GCP.

Technical Impact

When Workload Identity is not enabled in a cluster, any pod can retrieve Google Cloud credentials of the underlying worker node. In particular, this makes SSRF vulnerabilities in web applications highly impactful and allows an unauthenticated attacker to potentially compromise a full cloud environment.

Workload Identity is enabled by default on Autopilot clusters.

Identify affected resources

Use the following gcloud CLI command to identify GKE clusters that do not have Workload Identity enabled:

gcloud container clusters list --format='csv[no-heading](name,zone,workloadIdentityConfig.workloadPool)' | 
  awk -F',' '{ if ($3 == "") print $1 " (" $2 ")" }'

Remediate vulnerable resources

Enable Workload Identity on your GKE cluster, even if your pods do not need to access Google Cloud resources. Refer to the How to use Workload Identity guide for more detail.
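As an added example (not code from the original page), the audit below extends the gcloud check above to the node-pool level: it reads the JSON form of `gcloud container clusters list --format=json` (a constructed, trimmed sample is embedded so it runs offline), flags clusters with no workload pool as well as node pools whose metadata mode is not GKE_METADATA, and builds the matching remediation commands. Cluster, pool and project names are placeholders.

```python
import json

# Constructed sample in the shape of `gcloud container clusters list --format=json`,
# trimmed to the fields this audit reads. Names and project are placeholders.
SAMPLE_CLUSTERS_JSON = """[
 {"name": "legacy", "location": "us-central1-a",
  "nodePools": [{"name": "default-pool", "config": {}}]},
 {"name": "half-migrated", "location": "europe-west1",
  "workloadIdentityConfig": {"workloadPool": "example-project.svc.id.goog"},
  "nodePools": [
   {"name": "old-pool", "config": {"workloadMetadataConfig": {"mode": "GCE_METADATA"}}},
   {"name": "new-pool", "config": {"workloadMetadataConfig": {"mode": "GKE_METADATA"}}}]},
 {"name": "hardened", "location": "europe-west1",
  "workloadIdentityConfig": {"workloadPool": "example-project.svc.id.goog"},
  "nodePools": [{"name": "pool-a", "config": {"workloadMetadataConfig": {"mode": "GKE_METADATA"}}}]}
]"""


def load_sample():
    """Parse the embedded sample (replace with the real gcloud JSON output)."""
    return json.loads(SAMPLE_CLUSTERS_JSON)


def audit_clusters(clusters):
    """Return (cluster, location, node_pool_or_None, reason) for every place pods
    can still reach the node's GCE metadata credentials: a cluster with no
    workload pool, or a node pool not yet switched to GKE_METADATA mode."""
    findings = []
    for c in clusters:
        name, loc = c["name"], c.get("location") or c.get("zone", "")
        if not (c.get("workloadIdentityConfig") or {}).get("workloadPool"):
            findings.append((name, loc, None, "no workload pool on cluster"))
            continue  # node pools are irrelevant until the cluster itself is fixed
        for np in c.get("nodePools", []):
            mode = ((np.get("config") or {}).get("workloadMetadataConfig") or {}).get("mode")
            if mode != "GKE_METADATA":
                findings.append((name, loc, np["name"], f"metadata mode {mode or 'unspecified'}"))
    return findings


def remediation_commands(findings, project_id):
    """Build the gcloud commands that close each finding; the node-pool update is
    needed because enabling Workload Identity on the cluster does not migrate
    existing node pools to the GKE metadata server."""
    cmds = []
    for cluster, loc, pool, _ in findings:
        if pool is None:
            cmds.append(f"gcloud container clusters update {cluster} --location={loc} "
                        f"--workload-pool={project_id}.svc.id.goog")
        else:
            cmds.append(f"gcloud container node-pools update {pool} --cluster={cluster} "
                        f"--location={loc} --workload-metadata=GKE_METADATA")
    return cmds


if __name__ == "__main__":
    found = audit_clusters(load_sample())
    for f in found:
        print("FINDING:", f)
    for cmd in remediation_commands(found, "example-project"):
        print(cmd)
```

Review the generated commands before running them; they change cluster and node-pool configuration and may trigger node recreation on the affected pools.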

References

Introduction to GKE Workload Identity (GCP documentation)

Using Workload Identity (GCP documentation)

KubeCon 2023 talk detailing how attackers can exploit GKE clusters without Workload Identity enabled (docs.google.com)
