Automate Cluster Version Upgrades using Release Channels

Risk Level: Medium (should be achieved)

To simplify version management and automate Google Kubernetes Engine (GKE) cluster upgrades, subscribe to either the Regular or Stable release channel. These channels provide varying levels of features and stability to suit your needs. For compliance purposes, your GKE clusters must use either the Regular or Stable release channel.

Security

Google Kubernetes Engine (GKE) release channels automatically select cluster versions to provide a balance between new features and stability. Using the Stable or Regular channels ensures this balance while also fulfilling compliance requirements. The Stable channel prioritizes proven reliability with infrequent updates, making it ideal for production environments where stability is paramount. The Regular channel offers more frequent updates with newer features, suitable for those needing access to the latest functionalities, albeit with potentially less real-world validation. Critical security patches are delivered to all GKE release channels.


Audit

To identify the Release Channels configured for your Google Kubernetes Engine (GKE) clusters, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Kubernetes Engine console available at https://console.cloud.google.com/kubernetes.

04 In the left navigation panel, under Resource Management, choose Clusters and select the OVERVIEW tab to access the list of GKE clusters provisioned for the selected GCP project.

05 Click on the name (link) of the GKE cluster that you want to examine.

06 Select the DETAILS tab to view the configuration information available for the selected cluster.

07 In the Cluster basics section, check the Release channel attribute value to determine the Release Channel configured for your cluster. If the Release channel value is neither Regular channel nor Stable channel, the Release Channels configuration for the selected Google Kubernetes Engine (GKE) cluster is not compliant.

08 Repeat steps no. 5 – 7 for each GKE cluster provisioned within the selected GCP project.

09 Repeat steps no. 2 – 8 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each GCP project available in your Google Cloud account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-project-123123
cc-dev-project-112233

03 Run container clusters list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the name and the region of each GKE cluster provisioned for the selected project:

gcloud container clusters list \
	--project cc-web-project-123123 \
	--format="table(NAME,ZONE)"

04 The command output should return the requested cluster names and their regions:

NAME: cc-gke-backend-cluster
ZONE: us-central1

NAME: cc-gke-frontend-cluster
ZONE: us-central1

05 Run container clusters describe command (Windows/macOS/Linux) with the name of the GKE cluster that you want to examine as the identifier parameter and custom output filters to determine the Release Channel configured for the selected cluster:

gcloud container clusters describe cc-gke-backend-cluster \
	--region=us-central1 \
	--format="value(releaseChannel.channel)"

06 The command output should return the name of the configured Release Channel:

RAPID

If the container clusters describe command output does not return REGULAR or STABLE, the Release Channels configuration for the selected Google Kubernetes Engine (GKE) cluster is not compliant.

07 Repeat steps no. 5 and 6 for each GKE cluster provisioned for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.
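
The CLI audit steps above, combined into one pass over every project and cluster. This is an added example, not part of the original page. It assumes the cluster list can be emitted as CSV with the name, location and releaseChannel.channel fields; fake_gcloud, its channel values and the cc-gke-dev-cluster name are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: flag every GKE cluster whose release channel is not REGULAR or STABLE.
# GCLOUD defaults to an offline stub; run with GCLOUD=gcloud to query a live account.
GCLOUD="${GCLOUD:-fake_gcloud}"

# Constructed stand-in for gcloud. Project and cluster names follow the page's
# samples; cc-gke-dev-cluster and the channel values are constructed test data.
fake_gcloud() {
  case "$*" in
    "projects list"*) printf '%s\n' cc-web-project-123123 cc-dev-project-112233 ;;
    *"--project cc-web-project-123123"*)
      printf '%s\n' 'cc-gke-backend-cluster,us-central1,RAPID' \
                    'cc-gke-frontend-cluster,us-central1,REGULAR' ;;
    *"--project cc-dev-project-112233"*)
      printf '%s\n' 'cc-gke-dev-cluster,us-central1,' ;;
  esac
}

# Exit status 0 only for the channels the rule accepts.
is_compliant_channel() {
  case "$1" in
    REGULAR|STABLE) return 0 ;;
    *) return 1 ;;  # RAPID, empty (not enrolled in a channel), or anything else
  esac
}

# Print "project,cluster,location,channel" for each non-compliant cluster in project $1.
audit_project() {
  # stdin is redirected so gcloud cannot consume the caller's project list.
  "$GCLOUD" container clusters list --project "$1" \
    --format="csv[no-heading](name,location,releaseChannel.channel)" </dev/null |
  while IFS=, read -r name location channel; do
    [ -n "$name" ] || continue
    is_compliant_channel "$channel" ||
      printf '%s,%s,%s,%s\n' "$1" "$name" "$location" "${channel:-NONE}"
  done
}

# Audit every project visible to the caller and print all findings.
audit_all() {
  "$GCLOUD" projects list --format="value(projectId)" |
  while read -r project; do
    if [ -n "$project" ]; then audit_project "$project"; fi
  done
}

audit_all
```

An empty result means every cluster is on the Regular or Stable channel. NONE marks a cluster that reported no release channel at all.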

Remediation / Resolution

To subscribe your Google Kubernetes Engine (GKE) clusters to the Regular or Stable Release Channel, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Kubernetes Engine console available at https://console.cloud.google.com/kubernetes.

04 In the left navigation panel, under Resource Management, choose Clusters and select the OVERVIEW tab to access the list of GKE clusters deployed for the selected GCP project.

05 Click on the name (link) of the GKE cluster that you want to configure.

06 Select the DETAILS tab to view the configuration information available for the selected cluster.

07 In the Cluster basics section, click on the Edit release channel button (i.e., pencil icon) available next to Release channel to change the release channel for the selected cluster.

08 Inside the Change release channel configuration box, select Regular (recommended) or Stable from the Target release channel dropdown list, to subscribe your Google Kubernetes Engine (GKE) cluster to the Regular or Stable Release Channel. The Regular channel will balance feature availability and release stability and the Stable channel will prioritize stability over new features. Choose SAVE CHANGES to apply the changes.

09 Repeat steps no. 5 – 8 for each GKE cluster that you want to configure, created for the selected GCP project.

10 Repeat steps no. 2 – 9 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run container clusters update command (Windows/macOS/Linux) with the name of the Google Kubernetes Engine (GKE) cluster that you want to configure as the identifier parameter, to subscribe the selected GKE cluster to the specified, compliant Release Channel. We recommend using either the Regular or Stable channel. The Regular channel balances feature availability with release stability, while the Stable channel prioritizes stability over new features. The following example demonstrates how to subscribe a GKE cluster to the Regular channel:

gcloud container clusters update cc-gke-backend-cluster \
	--region=us-central1 \
	--release-channel regular

02 The command output should return the full URL of the modified GKE cluster:

Updating cc-gke-backend-cluster... done.
Updated [https://container.googleapis.com/v1/projects/cc-web-project-123123/zones/us-central1/clusters/cc-gke-backend-cluster].

03 Repeat steps no. 1 and 2 for each GKE cluster that you want to configure, available within the selected GCP project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.

Publication date Jan 6, 2025