GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Container-Optimized OS Should Be Enabled
More Info:
Ensures all Kubernetes cluster nodes have Container-Optimized OS enabled. Container-Optimized OS is optimized to enhance node security. It is backed by a team at Google that can quickly patch it.
Risk Level
Medium
Address
Security
Compliance Standards
CISGKE
Triage and Remediation
Remediation
To remediate the misconfiguration of “Container-Optimized OS Should Be Enabled” in GCP, you can follow the below steps using the GCP console:
- Open the GCP Console and go to the Compute Engine page.
- Select the instance for which you want to enable Container-Optimized OS.
- Click on the “Edit” button on the top of the page.
- Scroll down to the “Cloud API access scopes” section.
- Expand the “Compute Engine default service account” section.
- Click on the “Set access for each API” button.
- In the “Compute Engine” section, select the “Read Write” access level.
- Click on the “Save” button to save the changes.
- Scroll up to the “Boot disk” section.
- Click on the “Change” button.
- In the “Operating system” section, select “Container-Optimized OS”.
- Click on the “Select” button to save the changes.
- Click on the “Save” button to apply the changes to the instance.
Once the above steps are completed, the Container-Optimized OS will be enabled for the selected instance.
To enable Container-Optimized OS on GCP using GCP CLI, follow these steps:
- Open the Cloud Shell on the GCP Console.
- Run the following command to enable the Container-Optimized OS:
gcloud compute instances create [INSTANCE_NAME] \
--image-project cos-cloud \
--image-family cos-stable \
--boot-disk-size [DISK_SIZE] \
--boot-disk-type pd-standard \
--boot-disk-device-name [DEVICE_NAME]
Replace [INSTANCE_NAME] with the name of the instance that you want to enable Container-Optimized OS on, [DISK_SIZE] with the size of the boot disk in GB, and [DEVICE_NAME] with the name of the boot disk device.
- Once the instance is created, SSH into the instance and verify that Container-Optimized OS is enabled by running the following command:
cat /etc/os-release
This command should output information about the OS, including the line “ID=cos”.
That’s it! Container-Optimized OS is now enabled on your GCP instance.
To remediate the misconfiguration of “Container-Optimized OS Should Be Enabled” in GCP using Python, you can follow the below steps:
- Import the necessary libraries:
from googleapiclient.discovery import build
from google.oauth2 import service_account
- Set the project ID and the service account credentials:
project_id = "<PROJECT_ID>"
credentials = service_account.Credentials.from_service_account_file('<SERVICE_ACCOUNT_KEY_FILE_PATH>')
- Build the GCP Compute Engine API client:
compute_client = build('compute', 'v1', credentials=credentials)
- Get the list of instances in the project:
instances = compute_client.instances().list(project=project_id, zone='<ZONE>').execute()
- Loop through the instances and check if the Container-Optimized OS is enabled:
for instance in instances['items']:
instance_name = instance['name']
instance_id = instance['id']
instance_zone = instance['zone'].split('/')[-1]
# Get the instance metadata
metadata = compute_client.instances().get(project=project_id, zone=instance_zone, instance=instance_name).execute()['metadata']['items']
# Check if Container-Optimized OS is enabled
cos_enabled = False
for item in metadata:
if item['key'] == 'google-container-os':
if item['value'] == 'true':
cos_enabled = True
break
# If Container-Optimized OS is not enabled, enable it
if not cos_enabled:
metadata.append({
'key': 'google-container-os',
'value': 'true'
})
compute_client.instances().update(project=project_id, zone=instance_zone, instance=instance_name, body={
'metadata': {
'items': metadata
}
}).execute()
print(f"Container-Optimized OS enabled for instance {instance_name} (ID: {instance_id}) in zone {instance_zone}")
else:
print(f"Container-Optimized OS already enabled for instance {instance_name} (ID: {instance_id}) in zone {instance_zone}")
This code will check all the instances in the specified zone of the project and enable the Container-Optimized OS if it is not already enabled.