5.5.1 Ensure Container-Optimized OS (cos_containerd) is used for GKE node images

Information

Use Container-Optimized OS (cos_containerd) as a managed, optimized and hardened base OS that limits the host's attack surface.

COS is an operating system image for Compute Engine VMs optimized for running containers. With COS, the containers can be brought up on Google Cloud Platform quickly, efficiently, and securely.

Using COS as the node image provides the following benefits:

- Run containers out of the box: COS instances come pre-installed with the container runtime and cloud-init With a COS instance, the container can be brought up at the same time as the VM is created, with no on-host setup required.
- Smaller attack surface: COS has a smaller footprint, reducing the instance's potential attack surface.
- Locked-down by default: COS instances include a locked-down firewall and other security settings by default.

Solution

Using Google Cloud Console:

- Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list
- Select the Kubernetes cluster which does not use COS.
- Under the Node pools heading, select the Node Pool that requires alteration.
- Click EDIT
- Under the Image Type heading click CHANGE
- From the pop-up menu select Container-optimised OS with containerd (cos_containerd) (default) and click CHANGE
- Repeat for all non-compliant Node pools.

Using Command Line:

To set the node image to cos for an existing cluster's Node pool:

gcloud container clusters upgrade <cluster_name> --image-type cos_containerd --zone <compute_zone> --node-pool <node_pool_name>

Impact:

If modifying an existing cluster's Node pool to run COS, the upgrade operation used is long-running and will block other operations on the cluster (including delete) until it has run to completion.

COS nodes also provide an option with containerd as the main container runtime directly integrated with Kubernetes instead of docker Thus, on these nodes, Docker cannot view or access containers or images managed by Kubernetes. Applications should not interact with Docker directly. For general troubleshooting or debugging, use crictl instead.

See Also

https://workbench.cisecurity.org/benchmarks/19166

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7(5), 800-53|CM-10, CSCv7|5.2

Plugin: GCP

Control ID: c28c368aa1a8e22c87a680292ca30951769f7db8cebaf9ef9d9711b60e88eae2