N/A
Source
Kube Bench
ID
5.5
Version
gke-1.2.0

5.5 Node Configuration and Maintenance

5.5.1 Ensure Container-Optimized OS (COS) is used for GKE node images (Automated)

Using Command Line: To set the node image to cos for an existing cluster’s Node pool (cos_containerd, Container-Optimized OS with the containerd runtime, also satisfies this control; the upgrade recreates the pool’s nodes, so plan it like any node upgrade):

gcloud container clusters upgrade [CLUSTER_NAME] \
  --image-type cos \
  --zone [COMPUTE_ZONE] --node-pool [POOL_NAME]

5.5.2 Ensure Node Auto-Repair is enabled for GKE nodes (Automated)

Using Command Line: To enable node auto-repair for an existing cluster’s Node pool, run the following command:

gcloud container node-pools update [POOL_NAME] \
  --cluster [CLUSTER_NAME] --zone [COMPUTE_ZONE] \
  --enable-autorepair

5.5.3 Ensure Node Auto-Upgrade is enabled for GKE nodes (Automated)

Using Command Line: To enable node auto-upgrade for an existing cluster’s Node pool, run the following command:

gcloud container node-pools update [NODE_POOL] \
  --cluster [CLUSTER_NAME] --zone [COMPUTE_ZONE] \
  --enable-autoupgrade

5.5.4 Automate GKE version management using Release Channels (Manual)

Using Command Line: Create a new cluster by running the following command:

gcloud beta container clusters create [CLUSTER_NAME] \
  --zone [COMPUTE_ZONE] \
  --release-channel [RELEASE_CHANNEL]

where [RELEASE_CHANNEL] is stable or regular according to your needs. An existing cluster that is not yet enrolled can be moved onto a channel with the same flag on gcloud container clusters update [CLUSTER_NAME] --zone [COMPUTE_ZONE] --release-channel [RELEASE_CHANNEL]; enrolling a cluster also turns on node auto-upgrade for its Node pools.

5.5.5 Ensure Shielded GKE Nodes are Enabled (Manual)

Shielded GKE Nodes is a cluster-level setting (the node pool flags in 5.5.6 and 5.5.7 then control which Shielded VM features each pool uses). Using Command Line: To enable Shielded GKE Nodes on an existing cluster, run the following command:

gcloud container clusters update [CLUSTER_NAME] \
  --zone [COMPUTE_ZONE] \
  --enable-shielded-nodes

Enabling this on a running cluster recreates its nodes, so schedule it like a node upgrade. For a new cluster, pass the same --enable-shielded-nodes flag to gcloud container clusters create.

5.5.6 Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled (Automated)

Using Command Line: To create a Node pool within the cluster with Integrity Monitoring enabled, run the following command:

gcloud beta container node-pools create [NODEPOOL_NAME] \
  --cluster [CLUSTER_NAME] --zone [COMPUTE_ZONE] \
  --shielded-integrity-monitoring

You will also need to migrate workloads from existing non-conforming Node pools to the newly created Node pool, then delete the non-conforming pools.

5.5.7 Ensure Secure Boot for Shielded GKE Nodes is Enabled (Automated)

Using Command Line: To create a Node pool within the cluster with Secure Boot enabled, run the following command:

gcloud beta container node-pools create [NODEPOOL_NAME] \
  --cluster [CLUSTER_NAME] --zone [COMPUTE_ZONE] \
  --shielded-secure-boot

You will also need to migrate workloads from existing non-conforming Node pools to the newly created Node pool, then delete the non-conforming pools.
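The seven remediations above each fix one setting, but a practitioner first wants to know which pools of which cluster actually fail. As an added example (not kube-bench code and not part of the CIS text), the following Python evaluates controls 5.5.1 through 5.5.7 against the JSON printed by gcloud container clusters describe [CLUSTER_NAME] --zone [COMPUTE_ZONE] --format=json, then emits the page’s remediation commands for whatever failed. Field names are those of the GKE v1 Cluster resource (nodePools[].config.imageType, nodePools[].management, nodePools[].config.shieldedInstanceConfig, releaseChannel, shieldedNodes); the sample cluster, its pool names, and the -shielded suffix used for the replacement pool are constructed for this example.

```python
"""Audit the CIS GKE 1.2.0 section 5.5 node controls from a cluster description.

Input: the JSON from `gcloud container clusters describe CLUSTER_NAME \
    --zone COMPUTE_ZONE --format=json` (the GKE v1 Cluster resource).
The API omits boolean fields that are false, so every lookup defaults to False.
"""
import json

COS_IMAGE_TYPES = {"COS", "COS_CONTAINERD"}  # both are Container-Optimized OS
ACCEPTED_CHANNELS = {"REGULAR", "STABLE"}     # channels the benchmark accepts

# Constructed sample (not real gcloud output): one compliant pool and one
# legacy pool that fails 5.5.1, 5.5.2, 5.5.3 and 5.5.7.
SAMPLE_CLUSTER = json.loads("""
{
  "name": "prod-cluster",
  "releaseChannel": {"channel": "REGULAR"},
  "shieldedNodes": {"enabled": true},
  "nodePools": [
    {"name": "hardened-pool",
     "config": {"imageType": "COS_CONTAINERD",
                "shieldedInstanceConfig": {"enableSecureBoot": true,
                                           "enableIntegrityMonitoring": true}},
     "management": {"autoUpgrade": true, "autoRepair": true}},
    {"name": "legacy-pool",
     "config": {"imageType": "UBUNTU_CONTAINERD",
                "shieldedInstanceConfig": {"enableIntegrityMonitoring": true}},
     "management": {"autoRepair": false}}
  ]
}
""")


def _failing_pools(cluster, predicate):
    """Names of node pools for which predicate(pool) is not the JSON boolean true."""
    return [p["name"] for p in cluster.get("nodePools", [])
            if predicate(p) is not True]


def _shielded(pool, key):
    return pool.get("config", {}).get("shieldedInstanceConfig", {}).get(key, False)


def evaluate_node_controls(cluster):
    """Return {control_id: (passed, detail)}; detail is the list of failing
    pools for per-pool controls, or the cluster-level value that was checked."""
    bad = {
        "5.5.1": _failing_pools(cluster, lambda p: p.get("config", {})
                                .get("imageType", "").upper() in COS_IMAGE_TYPES),
        "5.5.2": _failing_pools(cluster, lambda p: p.get("management", {})
                                .get("autoRepair", False)),
        "5.5.3": _failing_pools(cluster, lambda p: p.get("management", {})
                                .get("autoUpgrade", False)),
        "5.5.6": _failing_pools(cluster, lambda p: _shielded(p, "enableIntegrityMonitoring")),
        "5.5.7": _failing_pools(cluster, lambda p: _shielded(p, "enableSecureBoot")),
    }
    results = {cid: (not pools, pools) for cid, pools in bad.items()}
    channel = cluster.get("releaseChannel", {}).get("channel", "UNSPECIFIED")
    results["5.5.4"] = (channel in ACCEPTED_CHANNELS, channel)
    enabled = cluster.get("shieldedNodes", {}).get("enabled", False) is True
    results["5.5.5"] = (enabled, f"shieldedNodes.enabled={enabled}")
    return dict(sorted(results.items()))


def remediation_commands(cluster, zone, results):
    """gcloud commands from the section 5.5 remediations for every failed control."""
    name, cmds = cluster["name"], []
    for pool in results["5.5.1"][1]:
        cmds.append(f"gcloud container clusters upgrade {name} --image-type cos "
                    f"--zone {zone} --node-pool {pool}")
    for pool in results["5.5.2"][1]:
        cmds.append(f"gcloud container node-pools update {pool} --cluster {name} "
                    f"--zone {zone} --enable-autorepair")
    for pool in results["5.5.3"][1]:
        cmds.append(f"gcloud container node-pools update {pool} --cluster {name} "
                    f"--zone {zone} --enable-autoupgrade")
    if not results["5.5.4"][0]:
        cmds.append(f"gcloud container clusters update {name} --zone {zone} "
                    f"--release-channel regular")
    if not results["5.5.5"][0]:
        cmds.append(f"gcloud container clusters update {name} --zone {zone} "
                    f"--enable-shielded-nodes")
    # 5.5.6 / 5.5.7 remediate by creating a replacement pool (the "-shielded"
    # suffix is an assumption), migrating workloads, then deleting the old pool.
    for pool in sorted(set(results["5.5.6"][1]) | set(results["5.5.7"][1])):
        cmds.append(f"gcloud beta container node-pools create {pool}-shielded "
                    f"--cluster {name} --zone {zone} "
                    f"--shielded-secure-boot --shielded-integrity-monitoring")
    return cmds


if __name__ == "__main__":
    res = evaluate_node_controls(SAMPLE_CLUSTER)
    for cid, (ok, detail) in res.items():
        print(f"{cid}: {'PASS' if ok else 'FAIL'} {detail}")
    print("\n".join(remediation_commands(SAMPLE_CLUSTER, "us-central1-a", res)))
```

Pipe a real describe into it with json.load(sys.stdin) in place of SAMPLE_CLUSTER. Per-pool controls report every non-conforming pool rather than stopping at the first, which matters because a cluster commonly mixes a hardened pool with an older one that was never recreated.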