Ensure the GKE Cluster alpha cluster feature is disabled
Checks for GCP Kubernetes Engine clusters that have the alpha cluster feature enabled. Alpha clusters and alpha features are not recommended for production workloads.
Risk Level: High
Cloud Entity: Kubernetes Cluster
CloudGuard Rule ID: D9.GCP.AS.03
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
GkeCluster should not have enableKubernetesAlpha = true
REMEDIATION
Note: the alpha feature cannot be disabled once the cluster has been created.
To resolve this alert, create a new cluster with the alpha feature disabled, migrate all required cluster data from the alpha-enabled cluster to the new cluster, and then delete the cluster with alpha enabled.
From Portal
Create a new Kubernetes Engine cluster with the alpha feature disabled:
- Navigate to the 'Kubernetes Engine', and select 'Clusters'
- Create cluster
- Make sure 'Enable Kubernetes alpha features in this cluster' is unchecked
Delete the Kubernetes Engine cluster with alpha enabled:
- Navigate to the 'Kubernetes Engine', and select 'Clusters'
- Select the Kubernetes cluster with alpha enabled
- Click DELETE
- In the 'Delete a cluster' dialog, click DELETE to confirm the deletion of the cluster
From Command Line
To create a new Kubernetes Engine cluster with the alpha feature disabled, run:
gcloud container clusters create CLUSTER_NAME --release-channel CHANNEL --zone COMPUTE_ZONE --node-locations COMPUTE_ZONE,COMPUTE_ZONE1
To delete the Kubernetes Engine cluster with alpha enabled, run:
gcloud container clusters delete CLUSTER_NAME
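The following added example (not CloudGuard's own code) applies the GSL logic above to the JSON that `gcloud container clusters list --format=json` returns, and builds the delete command from the remediation for each offending cluster. The cluster names and locations are constructed; the field names `name`, `location` and `enableKubernetesAlpha` follow the GKE cluster resource, and the example assumes gcloud omits `enableKubernetesAlpha` when it is false.

```python
import json
import re
import sys
from typing import Dict, List

# Constructed sample in the shape of `gcloud container clusters list --format=json`.
# Names and locations are made up; only the fields this check reads are included.
SAMPLE_CLUSTER_LIST = json.dumps([
    {"name": "prod-api", "location": "us-central1", "status": "RUNNING",
     "releaseChannel": {"channel": "REGULAR"}},
    {"name": "lab-alpha", "location": "us-central1-a", "status": "RUNNING",
     "enableKubernetesAlpha": True},
    {"name": "legacy-batch", "location": "europe-west1-b", "status": "RUNNING",
     "enableKubernetesAlpha": False},
])

# Zones look like us-central1-a; regions (us-central1) lack the trailing letter.
ZONE_RE = re.compile(r"^[a-z]+-[a-z]+\d+-[a-z]$")


def is_alpha_cluster(cluster: Dict) -> bool:
    """GSL rule D9.GCP.AS.03: GkeCluster should not have enableKubernetesAlpha = true.
    gcloud omits the field when it is false (assumption), so a missing key is compliant."""
    return cluster.get("enableKubernetesAlpha") is True


def find_alpha_clusters(cluster_list_json: str) -> List[Dict[str, str]]:
    """Return name and location of every cluster that violates the rule."""
    return [{"name": c["name"], "location": c["location"]}
            for c in json.loads(cluster_list_json) if is_alpha_cluster(c)]


def delete_command(finding: Dict[str, str]) -> str:
    """Compose the remediation delete command for a finding. Alpha cannot be switched
    off on an existing cluster, so deleting it after migrating workloads is the fix.
    gcloud takes --zone for zonal clusters and --region for regional ones."""
    flag = "--zone" if ZONE_RE.match(finding["location"]) else "--region"
    return f"gcloud container clusters delete {finding['name']} {flag} {finding['location']}"


if __name__ == "__main__":
    # Real usage: gcloud container clusters list --format=json | python3 gke_alpha_check.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CLUSTER_LIST
    for f in find_alpha_clusters(data):
        print(f"NON-COMPLIANT {f['name']} ({f['location']}): {delete_command(f)}")
```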
References
- https://cloud.google.com/kubernetes-engine/docs/concepts/alpha-clusters
- https://cloud.google.com/kubernetes-engine/docs/how-to/deleting-a-cluster
- https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-zonal-cluster
Kubernetes Cluster
Kubernetes Engine is a managed, production-ready environment for deploying containerized applications. It brings our latest innovations in developer productivity, resource efficiency, automated operations, and open source flexibility to accelerate your time to market.
Launched in 2015, Kubernetes Engine builds on Google's experience of running services like Gmail and YouTube in containers for over 12 years. Kubernetes Engine allows you to get up and running with Kubernetes in no time, by completely eliminating the need to install, manage, and operate your own Kubernetes clusters.
Compliance Frameworks
- CloudGuard GCP All Rules Ruleset
- GCP CloudGuard Best Practices
- GCP CloudGuard CheckUp
- GCP MITRE ATT&CK Framework v12.1
- GCP NIST 800-53 Rev 5