Use Container-Optimized OS for GKE Clusters Nodes

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your Google Kubernetes Engine (GKE) cluster nodes use the Container-Optimized OS (cos_containerd), a managed, optimized, and hardened base OS provided by GKE to limit the host's attack surface.

Security

Container runtimes manage container execution and simplify container management for Kubernetes. Container-Optimized OS with containerd (i.e., cos_containerd) is the GKE node image that pairs Google's managed, hardened, minimal Container-Optimized OS with containerd, an industry-standard runtime supported by Kubernetes and widely adopted. cos_containerd's layered architecture enables advanced GKE features such as gVisor and Image Streaming, and it offers better resource efficiency and a smaller attack surface than the Docker-based runtime.


Audit

To determine if your Google Kubernetes Engine (GKE) cluster nodes are using Container-Optimized OS, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Kubernetes Engine console available at https://console.cloud.google.com/kubernetes.

04 In the left navigation panel, under Resource Management, choose Clusters and select the OVERVIEW tab to access the list of GKE clusters provisioned for the selected GCP project.

05 Click on the name (link) of the GKE cluster that you want to examine.

06 Select the NODES tab to access the node pools created for the selected cluster.

07 Click on the name (link) of the GKE cluster node pool that you want to examine.

08 In the Nodes section, inspect the Image type attribute value. If the Image type value is not Container-Optimized OS with containerd (cos_containerd), the nodes managed by the selected GKE cluster node pool are not using Container-Optimized OS.

09 Repeat steps no. 7 and 8 for each node pool provisioned for the selected GKE cluster.

10 Repeat steps no. 5 – 9 for each GKE cluster provisioned within the selected GCP project.

11 Repeat steps no. 2 – 10 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each GCP project available in your Google Cloud account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-project-123123
cc-dev-project-112233

03 Run container clusters list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the name and the region of each GKE cluster provisioned for the selected project:

gcloud container clusters list \
	--project cc-web-project-123123 \
	--format="table(name,location)"

04 The command output should return the requested cluster names and their regions:

NAME                     LOCATION
cc-gke-backend-cluster   us-central1
cc-gke-frontend-cluster  us-central1

05 Run container node-pools list command (Windows/macOS/Linux) with the name of the GKE cluster that you want to examine as the identifier parameter, to describe the name of each node pool provisioned for the selected cluster:

gcloud container node-pools list \
	--cluster=cc-gke-backend-cluster \
	--region=us-central1 \
	--format="table(name)"

06 The command output should return the requested GKE node pool names:

NAME
cc-gke-backend-pool-001
cc-gke-backend-pool-002
cc-gke-backend-pool-003

07 Run container node-pools describe command (Windows/macOS/Linux) with the name of the cluster node pool that you want to examine as the identifier parameter and custom output filters to determine the OS image type used by the selected GKE cluster node pool:

gcloud container node-pools describe cc-gke-backend-pool-001 \
	--cluster=cc-gke-backend-cluster \
	--region=us-central1 \
	--format="value(config.imageType)"

08 The command output should return the name of the image type used by the selected node pool:

UBUNTU_CONTAINERD

If the container node-pools describe command output does not return COS_CONTAINERD, the nodes managed by the selected GKE cluster node pool are not using Container-Optimized OS.

09 Repeat steps no. 7 and 8 for each node pool provisioned for the selected GKE cluster.

10 Repeat steps no. 5 – 9 for each GKE cluster provisioned for the selected GCP project.

11 Repeat steps no. 3 – 10 for each GCP project deployed in your Google Cloud account.
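The following script is an added example (not Conformity's or Google's code) that automates the CLI audit above: it walks projects, clusters and node pools and prints every pool whose image type is not COS_CONTAINERD. Run it without arguments to exercise the constructed sample data, or with --live against an authenticated gcloud; the --live flag, the sample pool names and the tab-separated value() parsing are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not Conformity's or Google's code): automates the CLI audit,
# flagging every GKE node pool whose image type is not COS_CONTAINERD.
set -eu
TAB="$(printf '\t')"

# is_compliant_image IMAGE_TYPE: gcloud reports the image type upper-case
# (UBUNTU_CONTAINERD, COS_CONTAINERD); compare case-insensitively so the
# lower-case CLI spelling (cos_containerd) also matches. Plain COS, the
# Docker-based image, is deliberately NOT accepted.
is_compliant_image() {
  [ "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" = "COS_CONTAINERD" ]
}

# noncompliant_pools: reads "POOL<TAB>IMAGE_TYPE" lines on stdin (the shape
# produced by --format="value(name,config.imageType)") and prints the name
# of every pool not running Container-Optimized OS with containerd.
noncompliant_pools() {
  local pool image
  while IFS="$TAB" read -r pool image; do
    [ -n "$pool" ] || continue
    is_compliant_image "$image" || printf '%s\n' "$pool"
  done
}

# audit_live: the full walk (projects -> clusters -> node pools), i.e. the
# audit steps plus their repeats. Needs an authenticated gcloud.
audit_live() {
  local project cluster location
  gcloud projects list --format="value(projectId)" | while read -r project; do
    gcloud container clusters list --project "$project" \
        --format="value(name,location)" |
      while IFS="$TAB" read -r cluster location; do
        gcloud container node-pools list --project "$project" \
            --cluster="$cluster" --location="$location" \
            --format="value(name,config.imageType)" |
          noncompliant_pools | sed "s|^|$project/$cluster/|"
      done
  done
}

# Constructed sample standing in for one cluster's node-pools list output.
SAMPLE_POOLS="cc-gke-backend-pool-001${TAB}UBUNTU_CONTAINERD
cc-gke-backend-pool-002${TAB}COS_CONTAINERD
cc-gke-backend-pool-003${TAB}COS"

if [ "${1:-}" = "--live" ]; then
  audit_live
else
  printf '%s\n' "$SAMPLE_POOLS" | noncompliant_pools
fi
```

Against the sample data the script prints cc-gke-backend-pool-001 and cc-gke-backend-pool-003, i.e. the Ubuntu pool and the Docker-based COS pool; only the COS_CONTAINERD pool passes.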

Remediation / Resolution

To ensure that the Container-Optimized OS (i.e., cos_containerd) is used for your Google Kubernetes Engine (GKE) cluster nodes, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Kubernetes Engine console available at https://console.cloud.google.com/kubernetes.

04 In the left navigation panel, under Resource Management, choose Clusters and select the OVERVIEW tab to access the list of GKE clusters deployed for the selected GCP project.

05 Click on the name (link) of the GKE cluster that you want to configure.

06 Select the NODES tab to access the node pools created for the selected cluster.

07 Click on the name (link) of the GKE cluster node pool that you want to configure and choose EDIT.

08 In the Nodes section, under Image type, choose CHANGE to change the OS image type for all the nodes managed by the selected GKE cluster node pool.

09 In the configuration box, select Container-Optimized OS with containerd (cos_containerd) (default) from the Image type dropdown list and choose CHANGE to apply the changes. IMPORTANT: Changing the image type of your node pool will delete and recreate all its nodes, resulting in the restoration of only pods managed by a replication controller, the deletion of boot and local disks, the retention of other persistent disks, and potentially several minutes of cluster downtime during which editing will be impossible.

10 Repeat steps no. 7 – 9 to install Container-Optimized OS for other node pools provisioned within the selected GKE cluster.

11 Repeat steps no. 5 – 10 for each GKE cluster that you want to configure, created for the selected GCP project.

12 Repeat steps no. 2 – 11 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run container clusters upgrade command (Windows/macOS/Linux) with the name of the Google Kubernetes Engine (GKE) cluster node pool that you want to configure as the identifier parameter (i.e., --node-pool parameter), to change the OS image type for all the nodes managed by the selected GKE node pool to Container-Optimized OS:

gcloud container clusters upgrade cc-gke-backend-cluster \
	--region=us-central1 \
	--node-pool cc-gke-backend-pool-001 \
	--image-type cos_containerd

02 IMPORTANT: Changing the image type of your node pool will delete and recreate all its nodes, resulting in the restoration of only pods managed by a replication controller, the deletion of boot and local disks, the retention of other persistent disks, and potentially several minutes of cluster downtime during which editing will be impossible. Type Y (Yes) to confirm the changes:

All nodes in node pool [cc-gke-backend-pool-001] of cluster [cc-gke-backend-cluster] image will change from UBUNTU_CONTAINERD to cos_containerd. This operation is long-running and will block other operations on the cluster (including delete) until it has run to completion.

Do you want to continue (Y/n)?  Y

03 The command output should return the full URL of the GKE cluster whose node pool was modified:

Updated [https://container.googleapis.com/v1/projects/cc-web-project-123123/zones/us-central1/clusters/cc-gke-backend-cluster].

04 Repeat steps no. 1 – 3 to install Container-Optimized OS for other node pools provisioned for the selected GKE cluster.

05 Repeat steps no. 1 – 4 for each GKE cluster that you want to configure, available within the selected GCP project.

06 Repeat steps no. 1 – 5 for each GCP project deployed in your Google Cloud account.

Publication date Jan 7, 2025