5.5.3 Ensure Node Auto-Upgrade is enabled for GKE nodes

Information

Node auto-upgrade keeps nodes at the current Kubernetes and OS security patch level to mitigate known vulnerabilities.

Node auto-upgrade helps you keep the nodes in the cluster or node pool up to date with the latest stable patch version of Kubernetes as well as the underlying node operating system. Node auto-upgrade uses the same update mechanism as manual node upgrades.

Node pools with node auto-upgrade enabled are automatically scheduled for upgrades when a new stable Kubernetes version becomes available. When the upgrade is performed, the Node pool is upgraded to match the current cluster master version. From a security perspective, this has the benefit of applying security updates automatically to the Kubernetes Engine when security fixes are released.

Solution

Using Google Cloud Console

- Go to Kubernetes Engine by visiting:

https://console.cloud.google.com/kubernetes/list

- Select the Kubernetes cluster containing the node pool for which auto-upgrade disabled.
- Select the Node pool by clicking on the name of the pool.
- Navigate to the Node pool details pane and click EDIT
- Under the Management heading, check the Enable auto-repair box.
- Click SAVE
- Repeat steps 2-6 for every cluster and node pool with auto-upgrade disabled.

Using Command Line

To enable node auto-upgrade for an existing cluster's Node pool, run the following command:

gcloud container node-pools update <node_pool_name> --cluster <cluster_name> --zone <cluster_zone> --enable-autoupgrade

Impact:

Enabling node auto-upgrade does not cause the nodes to upgrade immediately. Automatic upgrades occur at regular intervals at the discretion of the Kubernetes Engine team.

To prevent upgrades occurring during a peak period for the cluster, a maintenance window should be defined. A maintenance window is a four-hour timeframe that can be chosen, during which automatic upgrades should occur. Upgrades can occur on any day of the week, and at any time within the timeframe. To prevent upgrades from occurring during certain dates, a maintenance exclusion should be defined. A maintenance exclusion can span multiple days.

See Also

https://workbench.cisecurity.org/benchmarks/19166

Item Details

Category: RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|RA-5, 800-53|SI-2, 800-53|SI-2(2), CSCv7|2.2, CSCv7|3.4, CSCv7|3.5

Plugin: GCP

Control ID: eaa8af24ec6c46fec0882a8372e046f5fc742828a2a1b5a085bb2a172ee57c98