If you’re not using GKE Shielded Nodes, feel free to skip this section and jump straight to the Shutdown Hours lab. Skip ahead
What are GKE Shielded Nodes? Security remains a consistent priority for cloud providers to ensure that customers are always protected, data is secure and applications are safe. Users of Google Kubernetes Engine (GKE) are provided with ways to maintain the integrity of the compute instances that applications are running on top of. One functionality that is now enabled by default for GKE users is Shielded GKE Nodes, which prevents exploitation of any vulnerabilities within your Kubernetes pods and keeps attackers from being able to impersonate nodes in your cluster.
For our Ocean customers who use GKE, Spot by NetApp has rolled out support of Shielded Nodes to ensure that any node provisioned by Ocean is protected under this functionality.
How does it work? In version 1.18 of GKE, newly created nodes have the configuration for shielded nodes by default. With this configuration, it’s required that the Certificate Signing Request (CSR) of the new nodes is approved. For nodes that are part of a node pool, this approval is taken care of by GKE. When Ocean launches a new virtual machine, the Ocean controller (version 1.0.73 or higher) will take care of validating the added node and approving its CSR.
Ocean users will get this new function right out of the box and can spin up new node and node pools knowing that their pods are secure. For existing node pools, users will need to recreate the launch specifications so Ocean can import these new configurations.
One unfortunate side of effect using shielded nodes is that it prevents the proper operation of Ocean’s shutdown features. When a cluster is configured with shutdown hours and Shielded Nodes is enabled, Ocean is able to shutdown the cluster’s nodes successfully. However, when its time to bring the nodes back online, Ocean isn’t able to resume the nodes because of the additional security protections introduced by the Shielded Node configuration.
Bummer.. what now? No need too fret, there’s a very simple workaround that’ll have you shutting down your Ocean managed nodes in no time!! We’ll cover the workaround in the Shut down hours lab.