GoogleCloudPlatform · SergeyKanzhelev · Apr 30, 2026 · Apr 30, 2026
diff --git a/disable-algif-aead/cos-disable-algif-aead.yaml b/disable-algif-aead/cos-disable-algif-aead.yaml
@@ -0,0 +1,104 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Deploy this DaemonSet to disable usage of AEAD in AF_ALG sockets.
+#
+# WARNING: This requires node reboot. Therefore, in order to
+# avoid disrupting your workloads, it is recommended to create a new node pool
+# with the "cloud.google.com/gke-algif-aead-disabled=true" label in your
+# cluster, deploy the DaemonSet to apply settings in that node pool, and then
+# migrate your workloads to the new node pool.
+
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: disable-algif-aead
+spec:
+  selector:
+    matchLabels:
+      name: disable-algif-aead
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        name: disable-algif-aead
+    spec:
+      volumes:
+      - name: host
+        hostPath:
+          path: /
+      initContainers:
+      - name: disable-algif-aead
+        image: marketplace.gcr.io/google/ubuntu2404
+        securityContext:
+          privileged: true
+        resources:
+          requests:
+            memory: 5Mi
+            cpu: 5m
+        volumeMounts:
+        - name: host
+          mountPath: /host
+        command:
+        - /bin/bash
+        - -c
+        - |
+          set -o errexit
+          set -o pipefail
+          set -o nounset
+
+          function check_not_secure_boot() {
+            if [[ ! -d "/sys/firmware/efi" ]]; then
+              return
+            fi
+            efi="$(mktemp -d)"
+            mount -t efivarfs none "${efi}"
+            secure_boot="$(cat "${efi}"/SecureBoot-* | chroot /host python -c 'import sys; print(sys.stdin.buffer.read() == b"\x06\x00\x00\x00\x01")')"
+            umount "${efi}"
+            rmdir "${efi}"
+            if [[ "${secure_boot}" == "True" ]]; then
+              echo "Secure Boot is enabled. Boot options cannot be changed."
+              exit 1
+            fi
+          }
+
+          function main() {
+            if grep " initcall_blacklist=algif_aead_init " /proc/cmdline > /dev/null; then
+              echo "'initcall_blacklist=algif_aead_init' already present on the kernel command line. Nothing to do."
+              return
+            fi
+            echo "Attempting to set 'initcall_blacklist=algif_aead_init' on the kernel command line."
+            if [[ "${EUID}" -ne 0 ]]; then
+              echo "This script must be run as root."
+              return 1
+            fi
+            check_not_secure_boot
+
+            dir="$(mktemp -d)"
+            mount /host/dev/disk/by-partlabel/EFI-SYSTEM "${dir}"
+            sed -i -e "s|cros_efi|cros_efi initcall_blacklist=algif_aead_init|g" "${dir}/efi/boot/grub.cfg"
+            umount "${dir}"
+            rmdir "${dir}"
+            echo "Rebooting."
+            chroot /host reboot
+          }
+
+          main
+      containers:
+      - image: gke.gcr.io/pause:3.7
+        name: pause
+      nodeSelector:
+        "cloud.google.com/gke-algif-aead-disabled": "true"
+        "cloud.google.com/gke-os-distribution": "cos"