K8s container optimized os enabled remediation

Using Console

Using CLI

To enable Container-Optimized OS on GCP using GCP CLI, follow these steps:

Open the Cloud Shell on the GCP Console.
Run the following command to enable the Container-Optimized OS:

gcloud compute instances create [INSTANCE_NAME] \
--image-project cos-cloud \
--image-family cos-stable \
--boot-disk-size [DISK_SIZE] \
--boot-disk-type pd-standard \
--boot-disk-device-name [DEVICE_NAME]

Replace [INSTANCE_NAME] with the name of the instance that you want to enable Container-Optimized OS on, [DISK_SIZE] with the size of the boot disk in GB, and [DEVICE_NAME] with the name of the boot disk device.

Once the instance is created, SSH into the instance and verify that Container-Optimized OS is enabled by running the following command:

cat /etc/os-release

This command should output information about the OS, including the line “ID=cos”.That’s it! Container-Optimized OS is now enabled on your GCP instance.

Using Python

To remediate the misconfiguration of “Container-Optimized OS Should Be Enabled” in GCP using Python, you can follow the below steps:

Import the necessary libraries:

from googleapiclient.discovery import build
from google.oauth2 import service_account

Set the project ID and the service account credentials:

project_id = "<PROJECT_ID>"
credentials = service_account.Credentials.from_service_account_file('<SERVICE_ACCOUNT_KEY_FILE_PATH>')

Build the GCP Compute Engine API client:

compute_client = build('compute', 'v1', credentials=credentials)

Get the list of instances in the project:

instances = compute_client.instances().list(project=project_id, zone='<ZONE>').execute()

Loop through the instances and check if the Container-Optimized OS is enabled:

for instance in instances['items']:
    instance_name = instance['name']
    instance_id = instance['id']
    instance_zone = instance['zone'].split('/')[-1]
    
    # Get the instance metadata
    metadata = compute_client.instances().get(project=project_id, zone=instance_zone, instance=instance_name).execute()['metadata']['items']
    
    # Check if Container-Optimized OS is enabled
    cos_enabled = False
    for item in metadata:
        if item['key'] == 'google-container-os':
            if item['value'] == 'true':
                cos_enabled = True
                break
    
    # If Container-Optimized OS is not enabled, enable it
    if not cos_enabled:
        metadata.append({
            'key': 'google-container-os',
            'value': 'true'
        })
        compute_client.instances().update(project=project_id, zone=instance_zone, instance=instance_name, body={
            'metadata': {
                'items': metadata
            }
        }).execute()
        print(f"Container-Optimized OS enabled for instance {instance_name} (ID: {instance_id}) in zone {instance_zone}")
    else:
        print(f"Container-Optimized OS already enabled for instance {instance_name} (ID: {instance_id}) in zone {instance_zone}")

This code will check all the instances in the specified zone of the project and enable the Container-Optimized OS if it is not already enabled.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

K8s container optimized os enabled remediation

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​Triage and Remediation

​Remediation

Triage and Remediation

Remediation