5.5.1 Ensure Container-Optimized OS (cos_containerd) is used for GKE node images

Information

Use Container-Optimized OS (cos_containerd) as a managed, optimized and hardened base OS that limits the host's attack surface.

Rationale:

COS is an operating system image for Compute Engine VMs optimized for running containers. With COS, you can bring up your containers on Google Cloud Platform quickly, efficiently, and securely.

Using COS as the node image provides the following benefits:

Run containers out of the box: COS instances come pre-installed with the container runtime and cloud-init. With a COS instance, you can bring up your container at the same time you create your VM, with no on-host setup required.

Smaller attack surface: COS has a smaller footprint, reducing your instance's potential attack surface.

Locked-down by default: COS instances include a locked-down firewall and other security settings by default.

Impact:

If modifying an existing cluster's Node pool to run COS, the upgrade operation used is long-running and will block other operations on the cluster (including delete) until it has run to completion.

COS nodes also provide an option with containerd as the main container runtime directly integrated with Kubernetes instead of Docker. Thus, on these nodes, Docker cannot view or access containers or images managed by Kubernetes, and your applications should not interact with Docker directly. For general troubleshooting or debugging, use crictl instead.

Solution

Using Google Cloud Console

Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list

Select the Kubernetes cluster which does not use COS

Under the Node pools heading, select the Node Pool that requires alteration

Click EDIT

Under the Image Type heading click CHANGE

From the pop-up menu select Container-Optimized OS (cos_containerd) and click CHANGE

Repeat for all non-compliant Node pools.

Using Command Line
To set the node image to cos_containerd for an existing cluster's Node pool:

gcloud container clusters upgrade [CLUSTER_NAME] \
  --image-type cos_containerd \
  --zone [COMPUTE_ZONE] --node-pool [POOL_NAME]
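As an added example (not part of the CIS benchmark text and not Google's own tooling), the following POSIX shell helper audits the node pools of one cluster against this recommendation and emits the upgrade command above for each pool that is not on cos_containerd. It takes the tab-separated output of `gcloud container node-pools list --cluster CLUSTER --zone ZONE --format="value(name,config.imageType)"`; the sample output, the cluster name and the zone are constructed, and the image-type strings are assumed to match the GKE API values (e.g. COS_CONTAINERD, UBUNTU_CONTAINERD, COS).

```shell
# Constructed sample of what
#   gcloud container node-pools list --cluster "$CLUSTER" --zone "$ZONE" \
#     --format="value(name,config.imageType)"
# prints: one pool per line, name and imageType separated by a tab.
# This is NOT real output from any cluster.
SAMPLE_POOLS=$(printf 'default-pool\tCOS_CONTAINERD\nlegacy-pool\tUBUNTU_CONTAINERD\ngpu-pool\tCOS\n')

TAB=$(printf '\t')

# noncompliant_pools POOL_LISTING
# Prints the name of every pool whose image type is not COS_CONTAINERD.
# Comparison is case-insensitive so either "cos_containerd" or
# "COS_CONTAINERD" counts as compliant.
noncompliant_pools() {
  printf '%s\n' "$1" \
    | awk -F "$TAB" 'NF >= 2 && toupper($2) != "COS_CONTAINERD" { print $1 }'
}

# remediation_commands CLUSTER ZONE POOL_LISTING
# For each non-compliant pool, prints the gcloud upgrade command from the
# recommendation above with the placeholders filled in. Nothing is executed;
# the operator reviews the commands before running them, since the upgrade
# is long-running and blocks other cluster operations.
remediation_commands() {
  cluster=$1
  zone=$2
  noncompliant_pools "$3" | while IFS= read -r pool; do
    printf 'gcloud container clusters upgrade %s --image-type cos_containerd --zone %s --node-pool %s\n' \
      "$cluster" "$zone" "$pool"
  done
}

# Usage with the constructed sample (cluster name and zone are placeholders):
remediation_commands example-cluster us-central1-a "$SAMPLE_POOLS"
```

In real use, replace `SAMPLE_POOLS` with the actual `gcloud container node-pools list` output; pools already on cos_containerd produce no output, so an empty result means the cluster is compliant with this recommendation.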

Default Value:

Container-Optimized OS (cos_containerd) is the default option for a cluster node image.

See Also

https://workbench.cisecurity.org/files/4135