lacework-global-794

Use Container-Optimized OS (cos_containerd) for Google Kubernetes Engine (GKE) node images (Automated)

Description

Use Container-Optimized OS (cos_containerd) as a managed, optimized and hardened base OS that limits the host's attack surface.

Remediation

Using Google Cloud Console:

  1. Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.
  2. Select the Kubernetes cluster which does not use Container-Optimized OS (COS).
  3. Under the Node pools heading, select the Node Pool that requires alteration.
  4. Click Edit.
  5. Under the Image Type heading click CHANGE.
  6. From the pop-up menu select Container-optimised OS with containerd (cos_containerd) (default) and click CHANGE.
  7. Repeat for any remaining non-compliant Node pools.

Using Command Line:

To set the node image to cos_containerd for an existing cluster's node pool:

gcloud container clusters upgrade <cluster_name> --image-type cos_containerd --zone <compute_zone> --node-pool <node_pool_name>
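Before running the upgrade above it helps to list which node pools are actually non-compliant. The shell function below is an added example, not part of the Lacework policy or Google's tooling: it filters the "name<TAB>imageType" lines that `gcloud container node-pools list --format="value(name,config.imageType)"` prints and reports every pool not on COS_CONTAINERD (plain COS without containerd counts as non-compliant too). The sample listing is constructed; the cluster and zone arguments of audit_cluster are placeholders.

```shell
# Reads "<pool-name><TAB><image-type>" lines on stdin (the shape produced by
# gcloud container node-pools list --format="value(name,config.imageType)")
# and prints "<pool-name><TAB><image-type>" for each pool whose image type is
# not Container-Optimized OS with containerd.
noncompliant_pools() {
  tab="$(printf '\t')"
  while IFS="$tab" read -r name image_type; do
    [ -z "$name" ] && continue
    case "$image_type" in
      COS_CONTAINERD|cos_containerd) ;;        # compliant, nothing to report
      *) printf '%s\t%s\n' "$name" "$image_type" ;;  # COS, UBUNTU_CONTAINERD, ... need remediation
    esac
  done
}

# Live usage (requires an authenticated gcloud; not exercised here): audit one
# cluster, then apply the gcloud upgrade command from the Remediation section to
# each pool this prints. CLUSTER and ZONE are placeholders for your own values.
audit_cluster() {
  cluster="$1"
  zone="$2"
  gcloud container node-pools list --cluster "$cluster" --zone "$zone" \
    --format="value(name,config.imageType)" | noncompliant_pools
}

# Constructed sample listing standing in for real gcloud output.
SAMPLE_LISTING="$(printf 'default-pool\tCOS_CONTAINERD\nlegacy-pool\tUBUNTU_CONTAINERD\ngpu-pool\tCOS\n')"

# Demo run on the constructed sample: reports legacy-pool and gpu-pool.
printf '%s\n' "$SAMPLE_LISTING" | noncompliant_pools
```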

References

https://cloud.google.com/kubernetes-engine/docs/concepts/using-containerd
https://cloud.google.com/kubernetes-engine/docs/concepts/node-images