Google GKE Cluster Node Pool Auto-Upgrade is disabled
- Contextual name: Cluster Node Pool Auto-Upgrade is disabled
- ID: /ce/ca/google/gke/node-pool-auto-upgrade
- Tags:
  - Policy with categories
  - Policy with type
  - Production policy
- Policy Type: COMPLIANCE_POLICY
- Policy Categories: RELIABILITY
Logic
- prod.logic.yaml
Description
This policy identifies GKE cluster node pools that have the Auto-Upgrade feature disabled.
Rationale
Node auto-upgrade ensures that nodes in the node pool remain current with the latest stable Kubernetes patch version and the underlying operating system. It uses the same update mechanism as manual node upgrades.
When enabled, node pools are automatically scheduled for upgrades when a new stable Kubernetes version becomes available. During the upgrade, node pools are updated to match the current cluster master version. This provides security benefits by automatically applying critical security patches to the Kubernetes Engine nodes.
Impact
Enabling auto-upgrade does not trigger immediate upgrades; automatic upgrades occur at intervals determined by the Kubernetes Engine team.
To minimize disruption during peak usage periods, you can define a maintenance window, which is a four-hour timeframe during which upgrades may occur. Maintenance windows can be scheduled on any day of the week. To block upgrades during specific dates, you can define maintenance exclusions, which may span multiple days.
Remediation
To ensure GKE cluster nodes remain up-to-date with the latest security patches and features, automatic upgrades should be enabled for node pools.
Before proceeding, confirm with application owners that scheduled upgrades will not disrupt critical workloads.
Enable Auto-Upgrade on an Existing Node Pool
From gcloud CLI
```sh
gcloud container node-pools update {{node-pool-name}} \
--cluster {{cluster-name}} \
--location {{location}} \
--enable-autoupgrade
```
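A detection check to pair with the remediation above, written as an added example rather than code from Cloudaware or Google. It takes the JSON that `gcloud container node-pools list --cluster {{cluster-name}} --location {{location}} --format=json` returns, reports every node pool whose `management.autoUpgrade` flag is not `true`, and builds the matching `gcloud ... update --enable-autoupgrade` command for each finding. The sample node pools are constructed; treating a missing `management` block as "auto-upgrade not enabled" is an assumption chosen so the check fails closed.

```python
"""Flag GKE node pools with Auto-Upgrade disabled and emit the remediation commands.

Input shape: the list of NodePool objects that
`gcloud container node-pools list ... --format=json` prints. Only the fields
this check reads are included in the constructed sample below.
"""
import json

# Constructed sample output, not taken from a real cluster.
SAMPLE_NODE_POOLS_JSON = json.dumps([
    {"name": "default-pool",
     "management": {"autoUpgrade": True, "autoRepair": True}},
    {"name": "batch-pool",
     "management": {"autoUpgrade": False, "autoRepair": True}},
    # Assumption: a pool with no management block is reported as non-compliant.
    {"name": "legacy-pool"},
])

REMEDIATION_TEMPLATE = (
    "gcloud container node-pools update {pool} "
    "--cluster {cluster} --location {location} --enable-autoupgrade"
)


def find_auto_upgrade_disabled(node_pools_json: str) -> list[str]:
    """Return the names of node pools where management.autoUpgrade is not true."""
    findings = []
    for pool in json.loads(node_pools_json):
        management = pool.get("management") or {}
        # Anything other than an explicit true (False or absent) is a finding.
        if management.get("autoUpgrade") is not True:
            findings.append(pool["name"])
    return findings


def remediation_commands(cluster: str, location: str, pool_names: list[str]) -> list[str]:
    """Build one `gcloud container node-pools update` command per non-compliant pool."""
    return [
        REMEDIATION_TEMPLATE.format(pool=name, cluster=cluster, location=location)
        for name in pool_names
    ]


if __name__ == "__main__":
    # Placeholder cluster and location; substitute real values before running.
    disabled = find_auto_upgrade_disabled(SAMPLE_NODE_POOLS_JSON)
    print("Node pools with Auto-Upgrade disabled:", disabled)
    for cmd in remediation_commands("{{cluster-name}}", "{{location}}", disabled):
        print(cmd)
```

Run it against live output by piping the `gcloud container node-pools list ... --format=json` result into `find_auto_upgrade_disabled`; review the generated commands with the application owners before executing them, since enabling auto-upgrade schedules node replacements in the cluster's next maintenance window.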
policy.yaml
Linked Framework Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| CIS GKE v1.8.0 → 5.5.3 Ensure Node Auto-Upgrade is Enabled for GKE Nodes (Automated) | | | 1 | no data | |
| Cloudaware Framework → Infrastructure Modernization | | | 16 | no data | |
| PCI DSS v3.2.1 → 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. | 5 | 3 | 32 | no data | |
| PCI DSS v4.0.1 → 2.2.1 Configuration standards are developed, implemented, and maintained. | | | 13 | no data | |
| PCI DSS v4.0 → 2.2.1 Configuration standards are developed, implemented, and maintained. | | | 13 | no data | |