Ensure GCP Kubernetes engine clusters are using Container-Optimized OS for node image

Error: GCP Kubernetes engine clusters are not using Container-Optimized OS for node image

Bridgecrew Policy ID: BC_GCP_KUBERNETES_14
Checkov Check ID: CKV_GCP_22
Severity: LOW

Description

GKE enables users to select the operating system image that runs on each node. You can also upgrade an existing cluster to use a different node image type. GKE supports several OS images using the main container runtime directly integrated with Kubernetes, including cos_containerd and ubuntu_containerd.

We recommend you use cos_containerd or ubuntu_containerd to enhance node security. containerd is an industry-standard container runtime component that receives regular security fixes and patches, providing better support, security, and stability than the other images.

Fix - Runtime

Gcloud CLI

Use the following command to upgrade the cluster to use the COS image:

```shell
gcloud container clusters upgrade --image-type cos cluster-name
```

To upgrade a specific node pool, add the flag --node-pool node-pool-name.

Fix - Buildtime

Terraform

Add the image_type argument to the node_config block of your google_container_cluster or google_container_node_pool resource:

```hcl
  node_config {
    image_type = "COS"
  }
```

Changing image_type forces the cluster to recreate the affected nodes with the new configuration.
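The policy above can be checked before apply time with a small evaluator. The following Python is an added example, not Checkov's own implementation of CKV_GCP_22: it reads Terraform JSON syntax (.tf.json) rather than HCL, walks every google_container_cluster and google_container_node_pool resource, and reports PASSED only when node_config.image_type starts with COS (which covers both COS and COS_CONTAINERD). A resource that leaves image_type unset is reported as FAILED, on the assumption that the control wants the image type pinned explicitly; the sample configuration is constructed for the example.

```python
import json

# Image types that satisfy the control: Container-Optimized OS, with or without
# the containerd runtime ("COS" and "COS_CONTAINERD" are both valid GKE values).
COMPLIANT_PREFIX = "COS"

# Resource types the check applies to, as named on the page.
CHECKED_TYPES = ("google_container_cluster", "google_container_node_pool")

# Constructed sample in Terraform JSON syntax: one compliant cluster, one
# cluster that never sets image_type, and one node pool running Ubuntu.
SAMPLE_TF_JSON = """
{
  "resource": {
    "google_container_cluster": {
      "good": {
        "name": "good-cluster",
        "location": "us-central1",
        "node_config": [{"image_type": "COS_CONTAINERD"}]
      },
      "no_image_type": {
        "name": "default-image-cluster",
        "location": "us-central1",
        "node_config": [{"machine_type": "e2-medium"}]
      }
    },
    "google_container_node_pool": {
      "ubuntu_pool": {
        "name": "ubuntu-pool",
        "cluster": "good-cluster",
        "node_config": [{"image_type": "UBUNTU_CONTAINERD"}]
      }
    }
  }
}
"""


def node_image_type(resource):
    """Return the image_type set in the resource's node_config, or None.

    Terraform JSON syntax represents nested blocks as a list of objects, but
    hand-written files sometimes use a single object, so both shapes are
    accepted here (an assumption of this example, not a Terraform rule).
    """
    node_config = resource.get("node_config")
    if isinstance(node_config, list):
        node_config = node_config[0] if node_config else None
    if not isinstance(node_config, dict):
        return None
    return node_config.get("image_type")


def is_compliant(resource):
    """True when image_type is Container-Optimized OS (COS or COS_CONTAINERD).

    The comparison is case-insensitive because the provider accepts the value
    in either case; a missing image_type is treated as non-compliant.
    """
    image_type = node_image_type(resource)
    return isinstance(image_type, str) and image_type.upper().startswith(COMPLIANT_PREFIX)


def evaluate(tf_json_text):
    """Map 'resource_type.name' -> 'PASSED' / 'FAILED' for every checked resource."""
    doc = json.loads(tf_json_text)
    resources = doc.get("resource", {})
    results = {}
    for rtype in CHECKED_TYPES:
        for name, body in resources.get(rtype, {}).items():
            results[f"{rtype}.{name}"] = "PASSED" if is_compliant(body) else "FAILED"
    return results


if __name__ == "__main__":
    for address, verdict in evaluate(SAMPLE_TF_JSON).items():
        print(f"{verdict:6} {address}")
```

Run it on the embedded sample and only google_container_cluster.good passes; the Ubuntu node pool and the cluster with no image_type are both flagged, which is the state the Terraform fix above resolves.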

For further information, see: https://www.terraform.io/docs/providers/google/r/container_cluster.html#image_type