Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image

Container-Optimized OS is an operating system image for your Compute Engine VMs that is optimized for running Docker containers. With Container-Optimized OS, you can bring up your Docker containers on Google Cloud Platform quickly, efficiently, and securely.

Risk Level: High
Cloud Entity: Kubernetes Cluster
CloudGuard Rule ID: D9.GCP.VLN.01
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

GkeCluster should have nodePools contain-all [ config.imageType='COS' or config.imageType='COS_CONTAINERD' ]

REMEDIATION

From Portal

  1. Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list
  2. Select the Kubernetes cluster which does not use 'COS' or 'COS_CONTAINERD'
  3. Under the Node pools heading, select the Node Pool that requires alteration
  4. Click EDIT
  5. Under the Image Type heading click CHANGE
  6. From the pop-up menu select Container-Optimized OS with Docker (cos) or Container-Optimized OS with containerd (cos_containerd) (default) and click CHANGE
  7. Repeat for all non-compliant Node pools.

From TF

  1. In the 'node_config' block of the cluster (or of each google_container_node_pool resource), set image_type to "COS" or "COS_CONTAINERD"; NAME and LOCATION are placeholders for your own values:
resource "google_container_cluster" "primary" {
  name               = NAME
  location           = LOCATION
  initial_node_count = 3
  ...
  node_config {
    image_type = "COS"   # or "COS_CONTAINERD"
    ...
  }
}

From Command Line
To update the image type to 'cos' or 'cos_containerd' run:

gcloud container clusters upgrade CLUSTER_NAME --image-type cos --zone COMPUTE_ZONE --node-pool POOL_NAME
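To check the GSL condition above outside the CloudGuard console, the following added Python script (not CloudGuard's or Google's code) applies the same contain-all logic to the JSON that `gcloud container clusters describe CLUSTER --format=json` returns, and builds the remediation command from the Command Line section for every offending pool. The cluster document below is a constructed sample; the `--region` flag for regional clusters is an assumption based on gcloud's documented behaviour, not something the page states.

```python
import json

# Image types the rule accepts; gcloud prints them in upper case while the
# --image-type flag takes lower case, so compare case-insensitively.
COMPLIANT_IMAGE_TYPES = {"COS", "COS_CONTAINERD"}

# Constructed sample of `gcloud container clusters describe ... --format=json`,
# trimmed to the fields this check reads.
SAMPLE_CLUSTER = json.loads("""
{
  "name": "example-cluster",
  "location": "us-central1-a",
  "nodePools": [
    {"name": "default-pool",  "config": {"imageType": "COS_CONTAINERD"}},
    {"name": "legacy-pool",   "config": {"imageType": "UBUNTU"}},
    {"name": "untagged-pool", "config": {}}
  ]
}
""")


def non_compliant_pools(cluster):
    """Names of node pools whose imageType is not COS or COS_CONTAINERD.

    Mirrors the GSL 'nodePools contain-all [...]' condition: the cluster is
    compliant only when this list is empty. A pool without an imageType is
    reported as well, because the rule cannot confirm it as compliant.
    """
    bad = []
    for pool in cluster.get("nodePools", []):
        image_type = pool.get("config", {}).get("imageType", "")
        if image_type.upper() not in COMPLIANT_IMAGE_TYPES:
            bad.append(pool.get("name", "<unnamed>"))
    return bad


def is_compliant(cluster):
    return not non_compliant_pools(cluster)


def remediation_commands(cluster):
    """One `gcloud container clusters upgrade` command per offending pool."""
    location = cluster["location"]
    # Zones look like us-central1-a, regions like us-central1 (assumption:
    # regional clusters are addressed with --region instead of --zone).
    flag = "--zone" if location.count("-") == 2 else "--region"
    return [
        f"gcloud container clusters upgrade {cluster['name']} "
        f"--image-type cos_containerd {flag} {location} --node-pool {pool}"
        for pool in non_compliant_pools(cluster)
    ]


if __name__ == "__main__":
    for cmd in remediation_commands(SAMPLE_CLUSTER):
        print(cmd)
```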

References

  1. https://cloud.google.com/kubernetes-engine/docs/concepts/node-images
  2. https://cloud.google.com/container-optimized-os/docs/
  3. https://cloud.google.com/container-optimized-os/docs/concepts/security

Kubernetes Cluster

Kubernetes Engine is a managed, production-ready environment for deploying containerized applications. It brings our latest innovations in developer productivity, resource efficiency, automated operations, and open source flexibility to accelerate your time to market.

Launched in 2015, Kubernetes Engine builds on Google's experience of running services like Gmail and YouTube in containers for over 12 years. Kubernetes Engine allows you to get up and running with Kubernetes in no time, by completely eliminating the need to install, manage, and operate your own Kubernetes clusters.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Foundations v. 1.0.0
  • GCP CloudGuard Best Practices
  • GCP CloudGuard CheckUp
  • GCP MITRE ATT&CK Framework v12.1