lacework-global-802
Consider Google Kubernetes Engine (GKE) Sandbox for running untrusted workloads (Automated)
Description
Use GKE Sandbox to restrict untrusted workloads as an additional layer of protection when running in a multi-tenant environment.
Remediation
GKE Sandbox cannot be enabled on an existing node pool; you must create a new node pool with the sandbox enabled.
The default node pool (the first node pool in the cluster, created during cluster creation) cannot use GKE Sandbox.
Using Google Cloud Console:
- Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/.
- Select a cluster and click Add Node Pool.
- Configure the Node pool with the following settings:
  - For the node version, select v1.12.6-gke.8 or higher.
  - For the node image, select Container-Optimized OS with Containerd (cos_containerd) (default).
  - Under Security, select Enable sandbox with gVisor.
- Configure other Node pool settings as required.
- Click CREATE.
Using Command Line:
To enable GKE Sandbox on an existing cluster, you must create a new node pool, which you can do using:
gcloud container node-pools create <node_pool_name> --zone <compute_zone> --cluster <cluster_name> --image-type=cos_containerd --sandbox="type=gvisor"
References
https://cloud.google.com/kubernetes-engine/docs/concepts/sandbox-pods
https://cloud.google.com/kubernetes-engine/docs/concepts/node-pools
https://cloud.google.com/kubernetes-engine/docs/how-to/sandbox-pods
Additional Information
When using GKE Sandbox, the cluster must have at least two node pools. There must always be at least one node pool with GKE Sandbox disabled. This node pool must contain at least one node.
It is optional but recommended to enable Stackdriver Logging and Stackdriver Monitoring by adding the flag --enable-stackdriver-kubernetes. This logs gVisor messages.
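The following is an added audit example, not part of this policy or Lacework's own check logic. It parses the JSON that `gcloud container node-pools list --cluster <cluster_name> --zone <compute_zone> --format=json` returns (here a constructed sample, not real cluster data) and reports whether at least one node pool has the gVisor sandbox enabled and whether the cluster also keeps an unsandboxed pool with at least one node, as the Additional Information section requires. The field names `config.sandboxConfig.type` and `initialNodeCount` follow the GKE NodePool API resource; treating `initialNodeCount` as the pool's current node count is an assumption for this example.

```python
import json

# Constructed sample of `gcloud container node-pools list ... --format=json` output.
# Not real cluster data; one unsandboxed default pool and one gVisor pool.
SAMPLE_NODE_POOLS_JSON = """
[
  {"name": "default-pool", "initialNodeCount": 1,
   "config": {"imageType": "COS_CONTAINERD"}},
  {"name": "sandbox-pool", "initialNodeCount": 2,
   "config": {"imageType": "COS_CONTAINERD",
              "sandboxConfig": {"type": "GVISOR"}}}
]
"""


def sandbox_enabled(pool: dict) -> bool:
    """True when the pool was created with --sandbox="type=gvisor"
    (the API reports this as config.sandboxConfig.type == "GVISOR")."""
    sandbox = pool.get("config", {}).get("sandboxConfig", {})
    return str(sandbox.get("type", "")).upper() == "GVISOR"


def audit_node_pools(pools_json: str) -> dict:
    """Evaluate a cluster's node pools against this policy.

    Compliant means: at least one gVisor-sandboxed pool exists AND at
    least one unsandboxed pool with at least one node remains (GKE
    system workloads must run outside the sandbox).
    """
    pools = json.loads(pools_json)
    sandboxed = [p["name"] for p in pools if sandbox_enabled(p)]
    # Assumption for this example: initialNodeCount reflects node count.
    unsandboxed_with_nodes = [
        p["name"] for p in pools
        if not sandbox_enabled(p) and int(p.get("initialNodeCount", 0)) >= 1
    ]
    return {
        "sandboxed_pools": sandboxed,
        "unsandboxed_pools_with_nodes": unsandboxed_with_nodes,
        "has_sandbox_pool": bool(sandboxed),
        "has_unsandboxed_pool_with_nodes": bool(unsandboxed_with_nodes),
        "compliant": bool(sandboxed) and bool(unsandboxed_with_nodes),
    }


if __name__ == "__main__":
    print(json.dumps(audit_node_pools(SAMPLE_NODE_POOLS_JSON), indent=2))
```

A cluster whose only pool is the default pool reports `has_sandbox_pool` false; a cluster where every pool is sandboxed reports `has_unsandboxed_pool_with_nodes` false, which GKE itself will not accept.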