More Info:

GKE cluster should schedule maintenance windows and exclusions to upgrade predictability and to align updates with off-peak business hours.

Risk Level

Medium

Address

Security, Reliability, Performance Efficiency

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the “Schedule Maintenance Windows and Exclusions” misconfiguration in GCP using GCP console, follow these steps:
  1. Go to the GCP Console and navigate to the Compute Engine page.
  2. Select the VM instance that you want to remediate.
  3. Click on the “Edit” button at the top of the page.
  4. Scroll down to the “Maintenance” section.
  5. Click on the “Edit” button next to “Maintenance window.”
  6. Set a maintenance window for the VM instance. This can be done by selecting a day and time range that works for you.
  7. Click on the “Save” button to save your changes.
  8. Scroll down to the “Exclusion” section.
  9. Click on the “Add Exclusion” button.
  10. In the “Exclusion” dialog box, select the type of exclusion you want to create. You can choose between “Instance”, “Disks”, and “Snapshots”.
  11. Set the parameters for the exclusion. For example, if you want to exclude a disk from maintenance, you can select the disk from the drop-down menu and set the exclusion period.
  12. Click on the “Save” button to save your exclusion.
  13. Repeat steps 9-12 for any additional exclusions you want to create.
  14. Click on the “Save” button at the bottom of the page to save your changes.
By following these steps, you will have remediated the “Schedule Maintenance Windows and Exclusions” misconfiguration for the selected VM instance in GCP.

To remediate the misconfiguration of not scheduling maintenance windows and exclusions in GCP using GCP CLI, follow these steps:
  1. Open the Cloud Shell in your GCP console.
  2. Run the following command to set up the default project for the Cloud Shell session: 
gcloud config set project [PROJECT_ID]
Replace [PROJECT_ID] with the ID of your GCP project.
  1. Run the following command to create a maintenance policy for your GCP project:
gcloud alpha resource-manager org-policies set-policy maintenance-window \
--project=[PROJECT_ID] \
--policy-file=maintenance-policy.yaml
This command creates a maintenance policy for your GCP project, using the policy file maintenance-policy.yaml. You can modify this file to set up your desired maintenance window and exclusions.
  1. Edit the maintenance-policy.yaml file to specify your desired maintenance window and exclusions. For example:
constraint: constraints/compute.maintenanceWindows
listPolicy:
  allow: [
    "Monday:03:00",
    "Tuesday:08:00",
    "Wednesday:15:00",
    "Thursday:20:00",
    "Friday:12:00"
  ]
  deny: [
    "2022-01-01T00:00:00Z/2022-01-01T01:00:00Z",
    "2022-12-25T00:00:00Z/2022-12-25T23:59:59Z"
  ]
This example sets a maintenance window for Monday at 3:00 AM, Tuesday at 8:00 AM, Wednesday at 3:00 PM, Thursday at 8:00 PM, and Friday at 12:00 PM. It also sets exclusions for January 1st, 2022 from 12:00 AM to 1:00 AM and for December 25th, 2022 for the entire day.
  1. Save the maintenance-policy.yaml file.
  2. Run the following command to update the maintenance policy for your GCP project: 
gcloud alpha resource-manager org-policies set-policy maintenance-window \
--project=[PROJECT_ID] \
--policy-file=maintenance-policy.yaml
This command updates the maintenance policy for your GCP project with your desired maintenance window and exclusions.
  1. Verify that the maintenance policy has been updated by running the following command:
gcloud alpha resource-manager org-policies describe maintenance-window \
--project=[PROJECT_ID]
This command displays the current maintenance policy for your GCP project.By following these steps, you can remediate the misconfiguration of not scheduling maintenance windows and exclusions in GCP using GCP CLI.
To remediate the “Schedule Maintenance Windows And Exclusions” misconfiguration in GCP using Python, you can follow the below steps:
  1. First, you need to enable the Compute Engine API in your GCP project. You can do this by navigating to the APIs & Services page in the GCP console and searching for “Compute Engine API”. Once you find it, click on the “Enable” button.
  2. Next, you need to install the Google Cloud SDK and the Python client library for Compute Engine. You can do this by following the instructions in the GCP documentation.
  3. Once you have installed the necessary tools, you can use the following Python code to create a maintenance window for a specific instance: 
from googleapiclient import discovery
from oauth2client.client import GoogleCredentials

credentials = GoogleCredentials.get_application_default()

compute = discovery.build('compute', 'v1', credentials=credentials)

project = 'my-project'
zone = 'us-central1-a'
instance = 'my-instance'
start_time = '2022-01-01T00:00:00Z'
end_time = '2022-01-02T00:00:00Z'

body = {
    'name': 'maintenance-window',
    'description': 'Scheduled maintenance window',
    'start_time': start_time,
    'end_time': end_time
}

response = compute.instances().setMaintenancePolicy(
    project=project,
    zone=zone,
    instance=instance,
    body=body
).execute()

print(response)
In the above code, you need to replace the project, zone, instance, start_time, and end_time variables with your own values. This will create a maintenance window for the specified instance.
  1. To exclude an instance from all maintenance windows, you can use the following Python code:
from googleapiclient import discovery
from oauth2client.client import GoogleCredentials

credentials = GoogleCredentials.get_application_default()

compute = discovery.build('compute', 'v1', credentials=credentials)

project = 'my-project'
zone = 'us-central1-a'
instance = 'my-instance'

body = {
    'exclusion': {
        'name': 'exclusion',
        'description': 'Exclude instance from all maintenance windows',
        'instanceFilters': {
            'instances': [
                'zones/{}/instances/{}'.format(zone, instance)
            ]
        }
    }
}

response = compute.projects().zones().instances().addMaintenancePolicies(
    project=project,
    zone=zone,
    body=body
).execute()

print(response)
In the above code, you need to replace the project, zone, and instance variables with your own values. This will exclude the specified instance from all maintenance windows.By following the above steps, you can remediate the “Schedule Maintenance Windows And Exclusions” misconfiguration in GCP using Python.