Subscribe to the Regular or Stable Release Channel to automate version upgrades to the GKE cluster and to reduce version management complexity to the number of features and level of stability required.

Rationale:

Release Channels signal a graduating level of stability and production-readiness. These are based on observed performance of GKE clusters running that version and represent experience and confidence in the cluster version.

The Regular release channel upgrades every few weeks and is for production users who need features not yet offered in the Stable channel. These versions have passed internal validation, but don't have enough historical data to guarantee their stability. Known issues generally have known workarounds.

The Stable release channel upgrades every few months and is for production users who need stability above all else, and for whom frequent upgrades are too risky. These versions have passed internal validation and have been shown to be stable and reliable in production, based on the observed performance of those clusters.

Critical security patches are delivered to all release channels.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution
Currently, cluster Release Channels are only configurable at cluster provisioning time.

Using Google Cloud Console

1. Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list
2. Click CREATE CLUSTER
3. Under the 'Master Version' heading, click the 'Use Release Channels' button
4. Select the 'Regular' or 'Stable' channels from the 'Release Channel' drop down menu
5. Configure the rest of the cluster settings as desired
6. Click CREATE.

Using Command Line

Create a new cluster by running the following command:

    gcloud beta container clusters create [CLUSTER_NAME] \
      --zone [COMPUTE_ZONE] \
      --release-channel [RELEASE_CHANNEL]

where [RELEASE_CHANNEL] is stable or regular according to your needs.

Impact:

Once release channels are enabled on a cluster, they cannot be disabled. To stop using release channels, you must recreate the cluster without the --release-channel flag.

Node auto-upgrade is enabled (and cannot be disabled), so your cluster is updated automatically from releases available in the chosen release channel.

Default Value:

Currently, release channels are not enabled by default.
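
Because this check is manual, the script below is an added example (not part of the benchmark or the plugin text) that evaluates the JSON printed by `gcloud container clusters list --format=json` and reports clusters that are not on the Regular or Stable channel. It assumes the channel appears under `releaseChannel.channel` in that output; the cluster names and locations in the sample are constructed.

```python
"""Audit GKE clusters for the Regular or Stable release channel.

Usage: gcloud container clusters list --format=json > clusters.json
       python audit_channels.py clusters.json
"""
import json
import sys

COMPLIANT_CHANNELS = {"REGULAR", "STABLE"}

# Constructed sample input (not from a real project); used when no file is given.
SAMPLE_CLUSTERS_JSON = """
[
  {"name": "prod-a", "location": "us-central1", "releaseChannel": {"channel": "STABLE"}},
  {"name": "prod-b", "location": "us-east1-b", "releaseChannel": {"channel": "REGULAR"}},
  {"name": "dev-a", "location": "europe-west1", "releaseChannel": {"channel": "RAPID"}},
  {"name": "legacy", "location": "us-west1-a"},
  {"name": "legacy-2", "location": "us-west1-a", "releaseChannel": {}}
]
"""


def audit_release_channels(clusters_json):
    """Return (compliant, findings) as lists of (name, location, channel)."""
    compliant, findings = [], []
    for cluster in json.loads(clusters_json):
        # Assumption: a cluster created without --release-channel has no
        # channel recorded (missing or empty releaseChannel object).
        channel = (cluster.get("releaseChannel") or {}).get("channel", "UNSPECIFIED")
        channel = channel.upper()
        entry = (cluster.get("name", "?"), cluster.get("location", "?"), channel)
        (compliant if channel in COMPLIANT_CHANNELS else findings).append(entry)
    return compliant, findings


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as handle:
            data = handle.read()
    else:
        data = SAMPLE_CLUSTERS_JSON
    compliant, findings = audit_release_channels(data)
    for name, location, channel in compliant:
        print(f"PASS {name} ({location}): {channel}")
    for name, location, channel in findings:
        print(f"FAIL {name} ({location}): {channel}; recreate on regular or stable")
    return 1 if findings else 0  # non-zero exit lets a CI job fail on findings


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```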