How to patch GKE Managed Instance Groups (Node Pools) for package security updates?

Time: 01-11

I have a GKE cluster running multiple nodes across two zones. My goal is to have a job scheduled to run once a week that runs `sudo apt-get upgrade` to update the system packages. Doing some research, I found that GCP provides a tool called "OS patch management" that does exactly that. I tried to use it, but the Patch Job execution raised an error stating:

Failure reason: Instance is part of a Managed Instance Group.

I also noticed that during the creation of the GKE node pool there is an option for enabling "Auto upgrade". But according to its description, it will only upgrade the Kubernetes version.

CodePudding user response:

According to the blog post "Exploring container security: the shared responsibility model in GKE":

For GKE, at a high level, we are responsible for protecting:

  • The nodes’ operating system, such as Container-Optimized OS (COS) or Ubuntu. GKE promptly makes any patches to these images available. If you have auto-upgrade enabled, these are automatically deployed. This is the base layer of your container—it’s not the same as the operating system running in your containers.

Conversely, you are responsible for protecting:

  • The nodes that run your workloads. You are responsible for any extra software installed on the nodes, or configuration changes made to the default. You are also responsible for keeping your nodes updated. We provide hardened VM images and configurations by default, manage the containers that are necessary to run GKE, and provide patches for your OS—you’re just responsible for upgrading. If you use node auto-upgrade, it moves the responsibility of upgrading these nodes back to us.

The node auto-upgrade feature DOES patch the OS of your nodes; it does not just upgrade the Kubernetes version.

CodePudding user response:

OS Patch Management only works for GCE VMs, not for GKE.

You should refrain from doing OS-level upgrades in GKE; that could cause some unexpected behavior (maybe a package gets upgraded and changes something that will mess up the GKE configuration).

You should let GKE auto-upgrade the OS and Kubernetes. Auto-upgrade will upgrade the OS, as GKE releases are intertwined with the OS release.

One easy way to go is to sign up your clusters to release channels; this way they get upgraded as often as you want (depending on the channel) and your OS will be patched regularly.

Also, you can follow the GKE hardening guide, which provides you with steps to make sure your GKE clusters are as secure as possible.
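The two answers above recommend the same remedy: stop patching node packages by hand, enable node auto-upgrade so that GKE ships the patched node image, and enrol the cluster in a release channel. The following script is an added example (not code from either answer or from Google) that does exactly that with the `gcloud` CLI and then audits every node pool in the cluster to confirm auto-upgrade is on. The cluster name, zone and channel are assumptions set through environment variables; the audit helper reads the `name<TAB>True|False` lines that `gcloud container node-pools list --format="value(name,management.autoUpgrade)"` prints, so it can also be fed a saved listing offline.

```shell
#!/bin/sh
# Added example, not part of the original answers.
# Assumed environment (override before running):
CLUSTER="${CLUSTER:-my-cluster}"       # assumed cluster name
ZONE="${ZONE:-us-central1-a}"          # assumed zone (use --region for regional clusters)
CHANNEL="${CHANNEL:-regular}"          # rapid | regular | stable

# Enrol the cluster in a release channel. GKE then upgrades the control plane
# and, with node auto-upgrade on, the node pools (including the node OS image)
# on the channel's cadence.
enroll_release_channel() {
  gcloud container clusters update "$CLUSTER" --zone "$ZONE" \
    --release-channel "$CHANNEL"
}

# Turn on auto-upgrade for a single node pool. Nodes are replaced with the
# current patched image rather than upgraded in place with apt-get.
enable_autoupgrade() {
  pool="$1"
  gcloud container node-pools update "$pool" --cluster "$CLUSTER" \
    --zone "$ZONE" --enable-autoupgrade
}

# Audit helper. Reads "name<TAB>True|False" lines on stdin (the format that
# `gcloud container node-pools list --format="value(name,management.autoUpgrade)"`
# emits; an empty second field means no management block at all), prints each
# pool whose auto-upgrade is not True, and returns 1 if any such pool exists.
find_pools_without_autoupgrade() {
  bad=0
  tab="$(printf '\t')"
  while IFS="$tab" read -r name auto; do
    [ -z "$name" ] && continue
    case "$auto" in
      True|true) ;;                 # auto-upgrade on: nothing to report
      *) echo "$name"; bad=1 ;;     # off or unset: report it
    esac
  done
  return "$bad"
}

# List the cluster's node pools and flag any that will not be auto-patched.
audit_cluster() {
  gcloud container node-pools list --cluster "$CLUSTER" --zone "$ZONE" \
    --format="value(name,management.autoUpgrade)" | find_pools_without_autoupgrade
}

# Usage (needs an authenticated gcloud with container.* permissions):
#   enroll_release_channel
#   enable_autoupgrade default-pool
#   audit_cluster || echo "some node pools are still not auto-upgraded"
```

Run the audit periodically (for example from the same weekly job that was going to run `apt-get upgrade`); a non-zero exit means a node pool has been created or modified with auto-upgrade off and will not receive the patched node image.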
