5.10.2 Ensure that Alpha clusters are not used for production workloads

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Alpha clusters are not covered by an SLA and are not production-ready.

Rationale:

Alpha clusters are designed for early adopters to experiment with workloads that take advantage of new features before those features are production-ready. They have all Kubernetes API features enabled, but are not covered by the GKE SLA, do not receive security updates, have node auto-upgrade and node auto-repair disabled, and cannot be upgraded. They are also automatically deleted after 30 days.

Solution

Alpha features cannot be disabled. To remediate, a new cluster must be created.

Using Google Cloud Console

Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/.

Click CREATE CLUSTER.

Under 'Availability, networking, security, and additional features', the option 'Enable Kubernetes alpha features in this cluster' is only available when Node Auto-Upgrade and Node Auto-Repair are disabled. Ensure this option is not checked.

Click CREATE.

Using Command Line:
When creating a new cluster:

gcloud container clusters create [CLUSTER_NAME] \
--zone [COMPUTE_ZONE]

Do not use the --enable-kubernetes-alpha argument.

Impact:

Users and workloads will not be able to take advantage of features included within Alpha clusters.

Default Value:

By default, Kubernetes Alpha features are disabled.

See Also

https://workbench.cisecurity.org/files/2764