Ensure `Automatic node repair` is enabled for Kubernetes Clusters

Kubernetes Engine's node auto-repair feature helps you keep the nodes in your cluster in a healthy, running state. When enabled, Kubernetes Engine makes periodic checks on the health state of each node in your cluster. If a node fails consecutive health checks over an extended time period, Kubernetes Engine initiates a repair process for that node: the node is drained and re-created, so workloads running on it are rescheduled. If you disable node auto-repair at any time during the repair process, the in-progress repairs are not cancelled and still complete for any node currently under repair. Auto-repair is a per-node-pool setting, so the rule is only satisfied when it is enabled on every node pool in the cluster.

Risk Level: Low
Cloud Entity: Kubernetes Cluster
CloudGuard Rule ID: D9.GCP.AS.01
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

GkeCluster should have nodePools with [ management.autoRepair=true ]
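The GSL logic above evaluates the cluster's nodePools list for management.autoRepair. The following is an added example, not part of the original page or of CloudGuard, that applies the same check to the JSON returned by `gcloud container clusters describe CLUSTER_NAME --zone COMPUTE_ZONE --format=json` and emits the matching gcloud remediation command for each failing pool. The sample cluster document is constructed for the example; the cluster and pool names are hypothetical. One caveat the check has to handle: the GKE API omits boolean fields that are false, so a pool with auto-repair disabled may carry `"management": {}` or no `management` key at all, and only an explicit `true` counts as enabled.

```python
import json

# Constructed sample, trimmed to the fields this check needs. It mirrors the
# shape of `gcloud container clusters describe ... --format=json`:
# "default-pool" is compliant, "batch-pool" has auto-repair disabled (the
# false boolean is omitted by the API) and "legacy-pool" has no management
# block at all.
SAMPLE_CLUSTER_JSON = """
{
  "name": "demo-cluster",
  "location": "us-central1-a",
  "nodePools": [
    {"name": "default-pool", "management": {"autoRepair": true, "autoUpgrade": true}},
    {"name": "batch-pool", "management": {"autoUpgrade": true}},
    {"name": "legacy-pool"}
  ]
}
"""


def auto_repair_enabled(node_pool):
    """True only when management.autoRepair is explicitly the boolean true.

    A missing management block, a missing autoRepair key or a non-boolean
    value all count as disabled; that is the conservative reading of the
    API's omit-when-false behaviour.
    """
    management = node_pool.get("management") or {}
    return management.get("autoRepair") is True


def noncompliant_node_pools(cluster):
    """Names of the node pools that fail the rule (auto-repair not enabled)."""
    return [
        pool["name"]
        for pool in cluster.get("nodePools", [])
        if not auto_repair_enabled(pool)
    ]


def is_compliant(cluster):
    """Every node pool has management.autoRepair=true (a cluster with no
    node pools is reported as non-compliant rather than silently passing)."""
    pools = cluster.get("nodePools", [])
    return bool(pools) and all(auto_repair_enabled(pool) for pool in pools)


def remediation_commands(cluster):
    """One gcloud command per failing pool. --location accepts either a zone
    or a region, so the same command works for zonal and regional clusters
    (the page's own example uses --zone, which is equivalent for a zonal
    cluster)."""
    return [
        f"gcloud container node-pools update {name} "
        f"--cluster {cluster['name']} --location {cluster['location']} "
        f"--enable-autorepair"
        for name in noncompliant_node_pools(cluster)
    ]


def audit(cluster_json_text):
    """Parse a describe-cluster JSON document and return the finding."""
    cluster = json.loads(cluster_json_text)
    return {
        "cluster": cluster.get("name"),
        "compliant": is_compliant(cluster),
        "noncompliant_node_pools": noncompliant_node_pools(cluster),
        "remediation": remediation_commands(cluster),
    }


if __name__ == "__main__":
    # Usage: gcloud container clusters describe CLUSTER --zone ZONE --format=json | python audit.py
    # The sample document is used here so the script runs offline.
    print(json.dumps(audit(SAMPLE_CLUSTER_JSON), indent=2))
```

Feed the script the JSON of each cluster in the project (for example by looping over `gcloud container clusters list --format='value(name,location)'`) to get a per-pool finding that matches what the rule reports, plus the exact command to close each one.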

REMEDIATION

From Portal

  1. Go to the Google Kubernetes Engine page in Cloud Console: https://console.cloud.google.com/kubernetes/list
  2. In the cluster list, click the name of the cluster you want to modify.
  3. Click the Nodes tab.
  4. Under Node Pools, click the name of the node pool you want to modify.
  5. On the Node pool details page, click Edit.
  6. Under Management, select the Enable auto-repair checkbox.
  7. Click Save.

From TF
In the node pool's management block, set auto_repair to true (a boolean, not a quoted string; the attribute uses an underscore, not a hyphen):

resource "google_container_node_pool" "primary_preemptible_nodes" {
	...
	management {
		auto_repair = true
	}
	...
}

From Command Line
Run the following for each node pool in the cluster (for a regional cluster use --region COMPUTE_REGION instead of --zone COMPUTE_ZONE):

gcloud container node-pools update NODE_POOL_NAME --cluster CLUSTER_NAME --zone COMPUTE_ZONE --enable-autorepair

References

  1. https://cloud.google.com/kubernetes-engine/docs/concepts/node-auto-repair
  2. https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool

Kubernetes Cluster

Kubernetes Engine is a managed, production-ready environment for deploying containerized applications. It brings Google's latest innovations in developer productivity, resource efficiency, automated operations, and open source flexibility to accelerate your time to market.

Launched in 2015, Kubernetes Engine builds on Google's experience of running services like Gmail and YouTube in containers for over 12 years. Kubernetes Engine allows you to get up and running with Kubernetes in no time, by completely eliminating the need to install, manage, and operate your own Kubernetes clusters.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Foundations v. 1.0.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5