More Info:

GKE cluster should be proactively receive updates about GKE upgrades and GKE versions

Risk Level

Low

Address

Security, Reliability, Operational Excellence, Performance Efficiency

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Upgrades and Updates Should Be Enabled” in GCP, follow the steps below:
  1. Open the GCP console and navigate to the project that has the misconfiguration.
  2. Click on the hamburger menu on the top left corner and select “Compute Engine”.
  3. Click on “VM instances” to view all the virtual machine instances in the project.
  4. For each virtual machine instance, click on the instance name to view its details.
  5. Click on the “Edit” button at the top of the page.
  6. Scroll down to the “Management” section and check the box next to “Automatic restart”.
  7. Check the box next to “Enable guest environment”.
  8. Under “OS patch management”, select “On” for “Enable OS patch management”.
  9. Click on “Save” to apply the changes.
Repeat steps 4-9 for each virtual machine instance in the project to ensure that all instances have the upgrades and updates enabled. This will ensure that the virtual machines receive the latest security updates and patches.

To remediate the misconfiguration “Upgrades and Updates Should Be Enabled” for GCP using GCP CLI, you can follow the below steps:
  1. Open the Cloud Shell by clicking on the icon in the top right corner of the GCP console.
  2. Run the following command to enable automatic updates for all the VM instances in your project: 
gcloud compute project-info add-metadata \
    --metadata=enable-osconfig=true
  1. Verify that the metadata is added to the project by running the following command:
gcloud compute project-info describe --format="value(commonInstanceMetadata.items.filter(key:enable-osconfig))"
This command should return true, indicating that automatic updates are enabled.
  1. If you have existing instances that were created before enabling automatic updates, you can manually enable automatic updates on those instances by following these steps:
  • Stop the instance
  • Edit the instance settings
  • Add the following metadata key-value pair: enable-osconfig : true
  • Start the instance
  1. Verify that automatic updates are enabled on the instance by running the following command:
gcloud compute instances describe INSTANCE_NAME --format="value(metadata.items.filter(key:enable-osconfig))"
This command should return true, indicating that automatic updates are enabled on the instance.By following these steps, you can remediate the misconfiguration “Upgrades and Updates Should Be Enabled” for GCP using GCP CLI.
To remediate the misconfiguration “Upgrades and Updates Should Be Enabled” in GCP using Python, follow the below steps:
  1. Import the required libraries:
from google.cloud import compute_v1
  1. Set up the client:
client = compute_v1.InstancesClient()
project = 'your-project-id'
zone = 'your-zone'
  1. Retrieve the instance(s) for which you want to enable upgrades and updates:
instances = client.list(project=project, zone=zone).items
  1. Iterate through the instances and update the instance(s) to enable upgrades and updates:
for instance in instances:
    instance_name = instance.name
    instance_resource = client.get(instance_name, project, zone)
    instance_resource.scheduling.automatic_restart = True
    instance_resource.scheduling.on_host_maintenance = "MIGRATE"
    instance_resource.metadata.items.append(
        {"key": "google-compute-enable-virtio-rng", "value": "true"}
    )
    response = client.update(instance_name, instance_resource, project, zone)
This code will enable automatic restarts, migrate instances on host maintenance, and enable virtio-rng for all the instances in the specified project and zone.Note: Make sure you have the required permissions to update instances in the specified project and zone.