False positive on 5.4.2 Ensure the GKE Metadata Server is Enabled

[dinvlad]

Hi Team,

We're seeing false-positives reported for "5.4.2 Ensure the GKE Metadata Server is Enabled" control. More specifically, we have a project with one and only cluster, on which Workload Metadata is enabled. When I query this cluster using

gcloud beta container clusters describe <cluster> --region <region> --project <project> --format json \
  | jq '.nodePools[].config.workloadMetadataConfig'

it returns

{
  "mode": "GKE_METADATA",
  "nodeMetadata": "GKE_METADATA_SERVER"
}
{
  "mode": "GKE_METADATA",
  "nodeMetadata": "GKE_METADATA_SERVER"
}
{
  "mode": "GKE_METADATA",
  "nodeMetadata": "GKE_METADATA_SERVER"
}

for the 3 node pools that we have on it.

However, when running the latest Git version of GKE CIS for this project, it reports

Cluster <region>/<cluster>, Node Pool: batch config.workload_meta_config.mode is expected to be in "GCE_METADATA" and "GKE_METADATA"

for each of these pools.

Thanks

[KonradSchieban]

Thanks for raising @dinvlad ,I will review and take action shortly.

[dinvlad]

Any update on this one?