5.5.4 When creating New Clusters - Automate GKE version management using Release Channels

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Subscribe the cluster to the Regular or Stable release channel so that GKE automates version upgrades for you; pick the channel according to the features you need and the level of stability you require, rather than managing control-plane and node versions by hand.

Rationale:

Release Channels signal a graduating level of stability and production-readiness. Each channel's versions are selected based on the observed performance of GKE clusters already running that version, so the channel represents accumulated experience and confidence in the cluster version rather than just its age.

The Regular release channel upgrades every few weeks and is for production users who need features not yet offered in the Stable channel. These versions have passed internal validation, but don't have enough historical data to guarantee their stability. Known issues generally have known workarounds.

The Stable release channel upgrades every few months and is for production users who need stability above all else, and for whom frequent upgrades are too risky. These versions have passed internal validation and have been shown to be stable and reliable in production, based on the observed performance of those clusters.

Critical security patches are delivered to all release channels.

Impact:

Once release channels are enabled on a cluster, they cannot be disabled. To stop using release channels, you must recreate the cluster without the --release-channel flag.

Node auto-upgrade is enabled (and cannot be disabled), so your cluster is updated automatically from releases available in the chosen release channel.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

At the time this benchmark was written, a cluster's Release Channel could only be configured at cluster provisioning time, so bringing an existing unenrolled cluster into compliance meant recreating it.

Using Google Cloud Console

Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list

Click CREATE CLUSTER

Under the 'Master Version' heading, click the 'Use Release Channels' button

Select the 'Regular' or 'Stable' channels from the 'Release Channel' drop down menu

Configure the rest of the cluster settings as desired

Click CREATE.

Using Command Line

Create a new cluster by running the following command:

gcloud beta container clusters create [CLUSTER_NAME] \
    --zone [COMPUTE_ZONE] \
    --release-channel [RELEASE_CHANNEL]

where [RELEASE_CHANNEL] is stable or regular according to your needs (rapid is also a valid channel, but it does not satisfy this recommendation). The --release-channel flag has since graduated to GA, so on current gcloud releases the beta component is no longer required.
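Because Nessus does not perform this check, the audit has to be done against the cluster resources themselves. The following script is an added example, not part of the benchmark or of Tenable's audit content: it consumes the JSON array printed by `gcloud container clusters list --format=json` and flags every cluster whose releaseChannel.channel is not REGULAR or STABLE. The field names used (name, location, currentMasterVersion, releaseChannel.channel) are those of the GKE Cluster API resource; the sample clusters embedded in the block are constructed for illustration and do not correspond to any real project.

```python
"""Audit GKE clusters for release-channel enrollment (CIS GKE 5.5.4).

Usage:
    gcloud container clusters list --format=json | python3 gke_channel_audit.py

Without piped input the script runs against the constructed SAMPLE_CLUSTERS
below so it can be exercised offline.
"""
import json
import sys

# Channels accepted by the benchmark. RAPID is a real channel but is
# deliberately excluded: the recommendation only accepts Regular or Stable.
COMPLIANT_CHANNELS = {"REGULAR", "STABLE"}


def cluster_channel(cluster):
    """Return the channel name for one Cluster resource.

    A cluster that was never enrolled has no releaseChannel key at all
    (or an empty releaseChannel object), so default to UNSPECIFIED rather
    than letting a missing key raise.
    """
    return (cluster.get("releaseChannel") or {}).get("channel", "UNSPECIFIED")


def audit_clusters(clusters):
    """Evaluate each cluster and return a list of result dicts.

    `clusters` is the parsed output of `gcloud container clusters list
    --format=json`, i.e. a JSON array of Cluster resources.
    """
    results = []
    for c in clusters:
        channel = cluster_channel(c)
        results.append({
            "name": c.get("name", "<unnamed>"),
            "location": c.get("location", "<unknown>"),
            "version": c.get("currentMasterVersion", "<unknown>"),
            "channel": channel,
            "compliant": channel in COMPLIANT_CHANNELS,
        })
    return results


def exit_code(results):
    """0 when every cluster is compliant, 1 otherwise (useful in CI)."""
    return 0 if all(r["compliant"] for r in results) else 1


# Constructed sample mimicking the relevant fields of the list output.
# These are not real clusters; they cover the three cases an auditor sees:
# an enrolled-and-compliant cluster, a RAPID cluster, and an unenrolled one.
SAMPLE_CLUSTERS = [
    {"name": "prod-a", "location": "us-central1",
     "currentMasterVersion": "1.27.3-gke.100",
     "releaseChannel": {"channel": "STABLE"}},
    {"name": "dev-b", "location": "us-central1-a",
     "currentMasterVersion": "1.28.1-gke.200",
     "releaseChannel": {"channel": "RAPID"}},
    {"name": "legacy-c", "location": "europe-west1-b",
     "currentMasterVersion": "1.25.10-gke.2700"},
]


def main():
    # Read gcloud output from stdin when piped; otherwise use the sample data.
    clusters = SAMPLE_CLUSTERS if sys.stdin.isatty() else json.load(sys.stdin)
    results = audit_clusters(clusters)
    for r in results:
        status = "PASS" if r["compliant"] else "FAIL"
        print(f"{status}  {r['name']:<12} {r['location']:<16} "
              f"{r['version']:<18} channel={r['channel']}")
    return exit_code(results)


if __name__ == "__main__":
    sys.exit(main())
```

Run it in a project with `gcloud container clusters list --format=json | python3 gke_channel_audit.py`; a non-zero exit means at least one cluster is not on Regular or Stable. Note that current gcloud releases also accept `--release-channel` on `gcloud container clusters update`, so on recent GKE versions a failing cluster can usually be enrolled in place; confirm this against your gcloud version before planning a rebuild.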

Default Value:

At the time this benchmark was written, release channels were not enabled by default on new clusters. Newer GKE releases enroll new clusters in the Regular channel by default, so verify the channel actually configured on each cluster rather than relying on either default.

See Also

https://workbench.cisecurity.org/files/4135