
Enable Auto-Upgrade for GKE Cluster Nodes

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the Auto-Upgrade feature is enabled for every node pool in your Google Kubernetes Engine (GKE) clusters. With auto-upgrade enabled, GKE keeps the Kubernetes version of the nodes in step with the cluster control plane, so nodes do not drift onto an out-of-date or unsupported release.

Categories: Security, Operational excellence

Enabling auto-upgrade for your GKE node pools eases upgrade management: GKE upgrades the nodes automatically so that they stay in step with the cluster control plane and receive the Kubernetes security fixes, bug fixes and new features shipped in newer node versions. Upgrades are scheduled within the cluster's maintenance window and honour maintenance exclusions, so use those, together with surge upgrade settings and PodDisruptionBudgets, to control when and how fast nodes are drained, rather than leaving auto-upgrade off. Note that clusters enrolled in a release channel have node auto-upgrade enabled and it cannot be turned off for them; this check is therefore most relevant to clusters running a static version.


Audit

To determine if your Google Kubernetes Engine (GKE) cluster nodes are using automatic upgrades, perform the following actions:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Google Kubernetes Engine (GKE) console at https://console.cloud.google.com/kubernetes.

04 In the main navigation panel, under Kubernetes Engine, select Clusters to access the list with the GKE clusters provisioned within the selected project.

05 Click on the name (link) of the GKE cluster that you want to examine.

06 Select the NODES tab to access the node pools created for the selected cluster.

07 Click on the name (link) of the cluster node pool that you want to examine.

08 In the Management section, check the Auto-upgrade feature status. If Auto-upgrade is set to Disabled, the Auto-Upgrade feature is not enabled for the nodes running within the selected Google Kubernetes Engine (GKE) cluster node pool.

09 Repeat steps no. 7 and 8 for each node pool provisioned for the selected GKE cluster.

10 Repeat steps no. 5 – 9 for each GKE cluster created for the selected GCP project.

11 Repeat steps no. 2 – 10 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each project available in your Google Cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project ID(s):

PROJECT_ID
cc-bigdata-project-123123
cc-iot-app-project-112233

03 Run container clusters list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the name and the region of each GKE cluster created for the selected project:

gcloud container clusters list \
  --project cc-bigdata-project-123123 \
  --format="table(name,location)"

04 The command output should return the requested cluster names and their regions:

NAME                     LOCATION
cc-gke-frontend-cluster  us-central1
cc-gke-backend-cluster   us-central1

05 Run container node-pools list command (Windows/macOS/Linux) using the name of the GKE cluster that you want to examine as the identifier parameter, to describe the name of each node pool provisioned for the selected cluster:

gcloud container node-pools list \
  --cluster=cc-gke-frontend-cluster \
  --region=us-central1 \
  --format="table(name)"

06 The command output should return the requested cluster node pool name(s):

NAME
cc-gke-frontend-pool-001
cc-gke-frontend-pool-002
cc-gke-frontend-pool-003

07 Run container node-pools describe command (Windows/macOS/Linux) using the name of the cluster node pool that you want to examine as the identifier parameter and custom output filtering to describe the Auto-Upgrade feature status for the selected node pool:

gcloud container node-pools describe cc-gke-frontend-pool-001 \
  --cluster=cc-gke-frontend-cluster \
  --region=us-central1 \
  --format="yaml(management.autoUpgrade)"

08 The command output should return the requested feature status. When Auto-Upgrade is enabled, the output is:

management:
  autoUpgrade: true

If instead the command returns an empty object for the management attribute (i.e. {}), as shown below, the autoUpgrade field is absent from the node pool configuration (the API omits the field when the feature is off), so the Auto-Upgrade feature is not enabled for the nodes provisioned within the selected Google Kubernetes Engine (GKE) cluster node pool:

management: {}

09 Repeat step no. 7 and 8 for each node pool provisioned for the selected GKE cluster.

10 Repeat steps no. 5 – 9 for each GKE cluster created for the selected GCP project.

11 Repeat steps no. 3 – 10 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To enable Auto-Upgrade feature for your Google Kubernetes Engine (GKE) cluster nodes, perform the following actions:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Google Kubernetes Engine (GKE) console at https://console.cloud.google.com/kubernetes.

04 In the main navigation panel, under Kubernetes Engine, select Clusters to access the list with the GKE clusters provisioned within the selected project.

05 Click on the name (link) of the GKE cluster that you want to access.

06 Select the NODES tab to access the node pools created for the selected cluster.

07 Click on the name (link) of the cluster node pool that you want to reconfigure.

08 Choose EDIT from the console top menu to modify the configuration settings available for the selected node pool.

09 On the Edit node pool configuration page, perform the following operations:

  1. In the Management section, select the Enable auto-upgrade checkbox to enable the Auto-Upgrade feature for the selected GKE cluster node pool.
  2. Choose SAVE to apply the changes.

10 Repeat steps no. 7 – 9 to enable Auto-Upgrade for other node pools provisioned for the selected GKE cluster.

11 Repeat steps no. 5 – 10 for each GKE cluster created for the selected GCP project.

12 Repeat steps no. 2 – 11 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run container node-pools update command (Windows/macOS/Linux) using the name of the GKE cluster node pool that you want to reconfigure as the identifier parameter, to enable the Auto-Upgrade feature for the selected node pool:

gcloud container node-pools update cc-gke-frontend-pool-001 \
  --cluster=cc-gke-frontend-cluster \
  --region=us-central1 \
  --enable-autoupgrade

02 The command output should return the URL of the reconfigured GKE cluster node pool:

Updating node pool cc-gke-frontend-pool-001...done.
Updated [https://container.googleapis.com/v1/projects/cc-bigdata-project-123123/zones/us-central1/clusters/cc-gke-frontend-cluster/nodePools/cc-gke-frontend-pool-001].

03 Repeat steps no. 1 and 2 to enable Auto-Upgrade for other node pools created for the selected GKE cluster.

04 Repeat steps no. 1 – 3 for each GKE cluster available for the selected GCP project.

05 Repeat steps no. 1 – 4 for each project deployed within your Google Cloud account.
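The following script is an added example, not part of the Conformity article or of Google's tooling. It automates the per-project, per-cluster, per-node-pool loop from the CLI audit above and, with the `--fix` flag, applies the `--enable-autoupgrade` remediation to every node pool found non-compliant. It assumes gcloud is installed and authenticated with permission to list and update clusters in the projects you pass as arguments; the script name, the `--fix` flag and the record layout it prints are this example's own choices. The classification relies on the fact that `--format="value(management.autoUpgrade)"` prints True when the feature is on and an empty string when the API omits the field.

```shell
#!/usr/bin/env bash
# Added example (not Conformity's or Google's code): audit every GKE node pool in
# the given projects for Auto-Upgrade and optionally enable it where it is off.
# Assumes gcloud is installed and authenticated. No gcloud call is made unless at
# least one project ID is passed on the command line.

# Classify the output of
#   gcloud container node-pools describe ... --format="value(management.autoUpgrade)"
# gcloud prints "True" when autoUpgrade is set; when the feature is off the API
# omits the field, so the output is an empty string rather than "False".
pool_autoupgrade_status() {
  case "$1" in
    True|true) echo "enabled" ;;
    *)         echo "disabled" ;;
  esac
}

# Emit one tab-separated record per node pool:
#   project <TAB> cluster <TAB> location <TAB> pool <TAB> enabled|disabled
# --location works for both zonal and regional clusters, so the cluster list
# output can be fed straight back into the node-pool commands.
audit_project() {
  project="$1"
  gcloud container clusters list --project "$project" \
      --format="value(name,location)" |
  while IFS="$(printf '\t')" read -r cluster location; do
    gcloud container node-pools list --project "$project" \
        --cluster "$cluster" --location "$location" --format="value(name)" |
    while read -r pool; do
      raw=$(gcloud container node-pools describe "$pool" --project "$project" \
                --cluster "$cluster" --location "$location" \
                --format="value(management.autoUpgrade)")
      printf '%s\t%s\t%s\t%s\t%s\n' "$project" "$cluster" "$location" "$pool" \
          "$(pool_autoupgrade_status "$raw")"
    done
  done
}

# Filter audit records (on stdin) down to the non-compliant ones.
noncompliant_pools() {
  awk -F'\t' '$5 == "disabled"'
}

# Apply the page's CLI remediation to every non-compliant record on stdin.
remediate() {
  noncompliant_pools |
  while IFS="$(printf '\t')" read -r project cluster location pool _; do
    echo "Enabling auto-upgrade on $project/$cluster/$pool"
    gcloud container node-pools update "$pool" --project "$project" \
        --cluster "$cluster" --location "$location" --enable-autoupgrade
  done
}

# Usage: ./gke-autoupgrade-audit.sh [--fix] PROJECT_ID [PROJECT_ID ...]
# Without --fix the script only reports; with --fix it also remediates.
fix=0
if [ "${1:-}" = "--fix" ]; then fix=1; shift; fi
for p in "$@"; do
  if [ "$fix" -eq 1 ]; then
    audit_project "$p" | remediate
  else
    audit_project "$p"
  fi
done
```

Run it first without `--fix` and review the records it prints; pools on release-channel clusters should already show enabled, and any pool reported disabled on a static-version cluster is a finding for this check. Pass the project IDs from `gcloud projects list --format="value(projectId)"` to cover the whole account.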


Publication date May 10, 2021
