Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Enable Auto-Upgrade for GKE Cluster Nodes

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: GKE-006

Ensure that the Auto-Upgrade feature is enabled for all the nodes running within your Google Kubernetes Engine (GKE) clusters. This feature helps you keep your cluster nodes up to date with the latest supported version of Kubernetes.

Security
Operational
excellence

Enabling auto-upgrades for your GKE cluster nodes can help ease the upgrade management process by automatically and securely upgrading Kubernetes to the newest supported version in order to take advantage of the latest Kubernetes security fixes and/or new functionalities and features.

Audit

To determine if your Google Kubernetes Engine (GKE) cluster nodes are using automatic upgrades, perform the following actions:

Using GCP Console

  1. Sign in to the Google Cloud Management Console.

  2. Select the GCP project that you want to examine from the console top navigation bar.

  3. Navigate to Google Kubernetes Engine (GKE) console at https://console.cloud.google.com/kubernetes.

  4. In the main navigation panel, under Kubernetes Engine, select Clusters to access the list with the GKE clusters provisioned within the selected project.

  5. Click on the name (link) of the GKE cluster that you want to examine.

  6. Select the NODES tab to access the node pools created for the selected cluster.

  7. Click on the name (link) of the cluster node pool that you want to examine.

  8. In the Management section, check the Auto-upgrade feature status. If Auto-upgrade is set to Disabled, the Auto-Upgrade feature is not enabled for the nodes running within the selected Google Kubernetes Engine (GKE) cluster node pool.

  9. Repeat steps no. 7 and 8 for each node pool provisioned for the selected GKE cluster.

  10. Repeat steps no. 5 – 9 for each GKE cluster created for the selected GCP project.

  11. Repeat steps no. 2 – 10 for each project deployed within your Google Cloud account.

Using GCP CLI

  1. Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each project available in your Google Cloud account:

    gcloud projects list
				--format="table(projectId)"

  2. The command output should return the requested GCP project ID(s):

    PROJECT_ID
cc-bigdata-project-123123
cc-iot-app-project-112233

  3. Run container clusters list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the name and the region of each GKE cluster created for the selected project:

    gcloud container clusters list
				--project cc-bigdata-project-123123
				--format="(NAME,LOCATION)"

  4. The command output should return the requested cluster names and their regions:

    NAME                     LOCATION
cc-gke-frontend-cluster  us-central1
cc-gke-backend-cluster   us-central1

  5. Run container node-pools list command (Windows/macOS/Linux) using the name of the GKE cluster that you want to examine as the identifier parameter, to describe the name of each node pool provisioned for the selected cluster:

    gcloud container node-pools list
				--cluster=cc-gke-frontend-cluster
				--region=us-central1
				--format="(NAME)"

  6. The command output should return the requested cluster node pool name(s):

    NAME
cc-gke-frontend-pool-001
cc-gke-frontend-pool-002
cc-gke-frontend-pool-003

  7. Run container node-pools describe command (Windows/macOS/Linux) using the name of the cluster node pool that you want to examine as the identifier parameter and custom output filtering to describe the Auto-Upgrade feature status for the selected node pool:

    gcloud container node-pools describe cc-gke-frontend-pool-001
				--cluster=cc-gke-frontend-cluster
				--region=us-central1
				--format="yaml(management.autoUpgrade)"

  8. The command output should return the requested feature status:

    management: {}

    If the container node-pools describe command output returns null, or an empty object for the management configuration attribute (i.e. {}), as shown in the output example above, the Auto-Upgrade feature is not enabled for the nodes provisioned within the selected Google Kubernetes Engine (GKE) cluster node pool.

  9. Repeat step no. 7 and 8 for each node pool provisioned for the selected GKE cluster.

  10. Repeat steps no. 5 – 9 for each GKE cluster created for the selected GCP project.

  11. Repeat steps no. 3 – 10 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To enable Auto-Upgrade feature for your Google Kubernetes Engine (GKE) cluster nodes, perform the following actions:

Using GCP Console

  1. Sign in to the Google Cloud Management Console.

  2. Select the GCP project that you want to examine from the console top navigation bar.

  3. Navigate to Google Kubernetes Engine (GKE) console at https://console.cloud.google.com/kubernetes.

  4. In the main navigation panel, under Kubernetes Engine, select Clusters to access the list with the GKE clusters provisioned within the selected project.

  5. Click on the name (link) of the GKE cluster that you want to access.

  6. Select the NODES tab to access the node pools created for the selected cluster.

  7. Click on the name (link) of the cluster node pool that you want to reconfigure.

  8. Choose EDIT from the console top menu to modify the configuration settings available for the selected node pool.

  9. On the Edit node pool configuration page, perform the following operations:

    1. In the Management section, select the Enable auto-upgrade checkbox to enable the Auto-Upgrade feature for the selected GKE cluster node pool.
    2. Choose SAVE to apply the changes.

  10. Repeat steps no. 7 – 9 to enable Auto-Upgrade for other node pools provisioned for the selected GKE cluster.

  11. Repeat steps no. 5 – 10 for each GKE cluster created for the selected GCP project.

  12. Repeat steps no. 2 – 11 for each project deployed within your Google Cloud account.

Using GCP CLI

  1. Run container node-pools update command (Windows/macOS/Linux) using the name of the GKE cluster node pool that you want to reconfigure as the identifier parameter, to enable the Auto-Upgrade feature for the selected node pool:

    gcloud container node-pools update cc-gke-frontend-pool-001
				--cluster=cc-gke-frontend-cluster
				--region=us-central1
				--enable-autoupgrade

  2. The command output should return the URL of the reconfigured GKE cluster node pool:

    Updating node pool cc-gke-frontend-pool-001...done.
Updated [https://container.googleapis.com/v1/projects/cc-bigdata-project-123123/zones/us-central1/clusters/cc-gke-frontend-cluster/nodePools/cc-gke-frontend-pool-001].

  3. Repeat steps no. 1 and 2 to enable Auto-Upgrade for other node pools created for the selected GKE cluster.

  4. Repeat steps no. 1 – 3 for each GKE cluster available for the selected GCP project.

  5. Repeat steps no. 1 – 4 for each project deployed within your Google Cloud account.

References

Publication date May 10, 2021

Related GKE rules