Detections
Analytics

5.5.3 Ensure Node Auto-Upgrade is enabled for GKE nodes

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Node auto-upgrade keeps nodes at the current Kubernetes and OS security patch level to mitigate known vulnerabilities.

Rationale:

Node auto-upgrade helps you keep the nodes in your cluster or Node pool up to date with the latest stable patch version of Kubernetes as well as the underlying node operating system. Node auto-upgrade uses the same update mechanism as manual node upgrades.

Node pools with node auto-upgrade enabled are automatically scheduled for upgrades when a new stable Kubernetes version becomes available. When the upgrade is performed, the Node pool is upgraded to match the current cluster master version. From a security perspective, this has the benefit of applying security updates automatically to the Kubernetes Engine when security fixes are released.

Impact:

Enabling node auto-upgrade does not cause your nodes to upgrade immediately. Automatic upgrades occur at regular intervals at the discretion of the Kubernetes Engine team.

To prevent upgrades occurring during a peak period for your cluster, you should define a maintenance window. A maintenance window is a four-hour timeframe that you choose in which automatic upgrades should occur. Upgrades can occur on any day of the week, and at any time within the timeframe. To prevent upgrades from occurring during certain dates, you should define a maintenance exclusion. A maintenance exclusion can span multiple days.

Solution

Using Google Cloud Console

Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list

Select Kubernetes clusters for which node auto-upgrade is disabled

Click on the name of the Node pool that requires node auto-repair to be enabled

Within the Node pool details pane click EDIT

Under the 'Management' heading, ensure the 'Enable auto-repair' box is checked.
Click SAVE.

Using Command Line
To enable node auto-upgrade for an existing cluster's Node pool, run the following command:

gcloud container node-pools update [NODE_POOL] \
 --cluster [CLUSTER_NAME] --zone [COMPUTE_ZONE] \
 --enable-autoupgrade

Default Value:

Node auto-upgrade is enabled by default.

Even if a cluster has been created with node auto-repair enabled, this only applies to the default Node pool. Subsequent node pools do not have node auto-upgrade enabled by default.

See Also

https://workbench.cisecurity.org/files/4135

Item Details

References: CSCv7|2.2, CSCv7|3.4, CSCv7|3.5

Plugin: GCP

Control ID: 1094e578c6a07d6b6241c531afa77f702602ccc1e78b7ec6228db00ac0762c34