5.5.4 When creating New Clusters - Automate GKE version management using Release Channels

Information

Subscribe to the Regular or Stable release channel to automate version upgrades of the GKE cluster and to reduce version management complexity, choosing the channel according to the features and level of stability required.

Release Channels signal a graduating level of stability and production-readiness. These are based on observed performance of GKE clusters running that version and represent experience and confidence in the cluster version.

The Regular release channel upgrades every few weeks and is for production users who need features not yet offered in the Stable channel. These versions have passed internal validation, but don't have enough historical data to guarantee their stability. Known issues generally have known workarounds.

The Stable release channel upgrades every few months and is for production users who need stability above all else, and for whom frequent upgrades are too risky. These versions have passed internal validation and have been shown to be stable and reliable in production, based on the observed performance of those clusters.

Critical security patches are delivered to all release channels.

Solution

Currently, cluster Release Channels are only configurable at cluster provisioning time.

Using Google Cloud Console:

- Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list
- Click CREATE and choose CONFIGURE for the required cluster mode.
- Under the Control plane version heading, click the Release Channels button.
- Select the Regular or Stable channels from the Release Channel drop-down menu.
- Configure the rest of the cluster settings as required.
- Click CREATE.

Using Command Line:

Create a new cluster by running the following command:

gcloud container clusters create <cluster_name> --zone <cluster_zone> --release-channel <release_channel>

where <release_channel> is stable or regular according to requirements.
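An audit of existing clusters against this control, as an added example that is not part of the benchmark text: it reads the JSON that `gcloud container clusters list --format=json` emits (a constructed sample is embedded so it runs offline) and reports every cluster not subscribed to the Regular or Stable channel. The `releaseChannel.channel` field name follows the GKE API's Cluster resource; a cluster with no channel set is reported as UNSPECIFIED and treated as non-compliant.

```python
import json
from typing import Dict, List

# Channels accepted by this control. RAPID is excluded, and a missing
# releaseChannel block means the cluster is not on any channel.
COMPLIANT_CHANNELS = {"REGULAR", "STABLE"}

# Constructed sample imitating `gcloud container clusters list --format=json`;
# only the fields relevant to the check are included.
SAMPLE_GCLOUD_OUTPUT = json.dumps([
    {"name": "prod-a", "location": "us-central1",
     "releaseChannel": {"channel": "STABLE"}},
    {"name": "prod-b", "location": "europe-west1",
     "releaseChannel": {"channel": "REGULAR"}},
    {"name": "dev-c", "location": "us-east1-b",
     "releaseChannel": {"channel": "RAPID"}},
    {"name": "legacy-d", "location": "us-west1-a"},  # no channel at all
])


def cluster_channel(cluster: Dict) -> str:
    """Return the cluster's release channel, or UNSPECIFIED when none is set."""
    return cluster.get("releaseChannel", {}).get("channel", "UNSPECIFIED")


def find_noncompliant(gcloud_json: str) -> List[Dict[str, str]]:
    """Return the clusters that are not on the Regular or Stable channel.

    Each finding carries the cluster name, its location and the channel
    observed. Because a channel can only be chosen at provisioning time,
    remediation means recreating the cluster with --release-channel.
    """
    findings = []
    for cluster in json.loads(gcloud_json):
        channel = cluster_channel(cluster)
        if channel in COMPLIANT_CHANNELS:
            continue
        findings.append({
            "name": cluster["name"],
            "location": cluster.get("location", "unknown"),
            "channel": channel,
        })
    return findings


if __name__ == "__main__":
    for f in find_noncompliant(SAMPLE_GCLOUD_OUTPUT):
        print(f"NON-COMPLIANT {f['name']} ({f['location']}): channel={f['channel']}")
```

Replace the embedded sample with the real command's output (for example by piping it into `find_noncompliant`) to audit a project.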

Impact:

Once release channels are enabled on a cluster, they cannot be disabled. To stop using release channels, the cluster must be recreated without the --release-channel flag.

Node auto-upgrade is enabled (and cannot be disabled), so the cluster is updated automatically from releases available in the chosen release channel.

See Also

https://workbench.cisecurity.org/benchmarks/19166

Item Details

Category: RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|RA-5, 800-53|SI-2, 800-53|SI-2(2), CSCv7|3.4, CSCv7|3.5

Plugin: GCP

Control ID: a3bef193a064a6cf44cac7881a89b68d432b08f19a5c3cf46c42a1bea4c4145b