๐Ÿ›ก๏ธ Google GKE Cluster Alpha cluster features are enabled๐ŸŸข

  • Contextual name: ๐Ÿ›ก๏ธ Cluster Alpha cluster features are enabled๐ŸŸข
  • ID: /ce/ca/google/gke/alpha-cluster
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: RELIABILITY

Logic

Description

This policy identifies Google Kubernetes Engine (GKE) clusters that are configured to use alpha features. Alpha clusters provide early access to experimental Kubernetes functionality prior to general availability.

Rationale

Alpha clusters are intended solely for testing and experimentation. They enable all Kubernetes API features but come with significant limitations: they are excluded from the GKE service-level agreement (SLA), do not receive security patches, have node auto-upgrade and auto-repair disabled, and cannot be upgraded. Additionally, alpha clusters are automatically deleted after 30 days. As a result, they are not suitable for production workloads.

Audit

This policy marks a Google GKE Cluster as INCOMPLIANT if Kubernetes Alpha is set to ENABLED.
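The same check can be run against `gcloud container clusters list --format=json` output. The script below is an added example, not the policy's own logic file: the function names and the COMPLIANT label are hypothetical, the sample clusters are constructed, and the fields read (`enableKubernetesAlpha`, `expireTime`, `nodePools[].management`) are those of the GKE API cluster resource.

```python
import json
import sys
from datetime import datetime, timezone

# Constructed sample shaped like `gcloud container clusters list --format=json`
# output; names, locations and dates are made up for illustration.
SAMPLE = json.loads("""
[
  {"name": "sandbox-alpha", "location": "us-central1-a",
   "enableKubernetesAlpha": true, "expireTime": "2024-07-01T00:00:00+00:00",
   "nodePools": [{"name": "default-pool", "management": {}}]},
  {"name": "prod-main", "location": "europe-west1",
   "nodePools": [{"name": "default-pool",
                  "management": {"autoUpgrade": true, "autoRepair": true}}]}
]
""")

def audit_cluster(cluster, now):
    """Return a finding dict for one cluster, mirroring the policy's audit rule."""
    # The API omits boolean fields that are false, so a missing key means disabled.
    alpha = cluster.get("enableKubernetesAlpha", False) is True
    finding = {"name": cluster.get("name"), "location": cluster.get("location"),
               "status": "INCOMPLIANT" if alpha else "COMPLIANT"}
    if alpha:
        expire = cluster.get("expireTime")
        if expire:
            # Whole days left before the alpha cluster is automatically deleted.
            delta = datetime.fromisoformat(expire.replace("Z", "+00:00")) - now
            finding["days_until_deletion"] = delta.days
        # Node pools without auto-upgrade / auto-repair, as the rationale describes.
        finding["unmanaged_pools"] = [
            p.get("name") for p in cluster.get("nodePools", [])
            if not (p.get("management", {}).get("autoUpgrade")
                    and p.get("management", {}).get("autoRepair"))]
    return finding

def audit(clusters, now=None):
    now = now or datetime.now(timezone.utc)
    return [audit_cluster(c, now) for c in clusters]

if __name__ == "__main__":
    # Usage: gcloud container clusters list --format=json | python audit_alpha.py
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    findings = audit(data)
    for f in findings:
        print(json.dumps(f))
    sys.exit(1 if any(f["status"] == "INCOMPLIANT" for f in findings) else 0)
```

The non-zero exit status on any INCOMPLIANT finding lets the script gate a CI job or scheduled check.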

Remediation

Before proceeding, ensure that the cluster is not actively used for production workloads. Alpha features cannot be disabled on an existing cluster; remediation requires creating a new cluster without alpha features and migrating workloads as needed.

Create a New Cluster Without Alpha Features

From gcloud CLI
  1. Do not include the --enable-kubernetes-alpha flag when creating the cluster

    gcloud container clusters create {{cluster-name}} \
    --location {{location}} \
    --machine-type {{machine-type}} \
    --num-nodes {{node-count}}

    Adjust other flags (e.g., region, node pool size, network settings) to match your workload requirements.

  2. Migrate workloads to the new cluster

    Reconfigure your deployments and services to target the newly created cluster. Update your kubeconfig to point to the new cluster.

  3. Validate workloads and configurations

    • Ensure applications are running as expected in the new cluster.
    • Confirm monitoring, logging, and networking rules are correctly applied.


Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 CIS GKE v1.8.0 → 💼 5.10.2 Ensure that Alpha clusters are not used for production workloads (Automated) | | | 1 | | no data
💼 Cloudaware Framework → 💼 System Configuration | | | 45 | | no data