Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “Consider GKE Sandbox For Running Untrusted Workloads” for GCP using the GCP console, you can follow these steps:
- Open the Google Cloud Console and navigate to the GKE cluster that you want to remediate.
- Click on the “Workloads” tab and select the workload that you want to run in the GKE Sandbox.
- Click on the “Edit” button to open the workload configuration.
- In the “Security” section of the configuration, enable the “Sandbox” option.
- Click on the “Save” button to apply the changes.
- Verify that the workload is now running in the GKE Sandbox by checking the “Status” column in the “Workloads” tab. The status should be “Running” with a green checkmark.
- Repeat steps 2-6 for any other workloads that need to be remediated.
Using CLI
The misconfiguration “Consider GKE Sandbox For Running Untrusted Workloads” can be remediated in GCP through the following steps using the GCP CLI:
- Firstly, check whether any untrusted workloads are running on GKE Sandbox. This can be done by running the following command in the GCP CLI:
  Replace [NODE_POOL_NAME], [CLUSTER_NAME] and [ZONE] with the corresponding values for your GKE Sandbox.
- If any untrusted workloads are running on GKE Sandbox, create a new node pool with the appropriate security settings. This can be done by running the following command in the GCP CLI:
  Replace [NEW_NODE_POOL_NAME], [CLUSTER_NAME] and [ZONE] with the corresponding values for your GKE Sandbox. The --sandbox=unconfined flag will create a new node pool with unrestricted sandboxing, which is suitable for running untrusted workloads.
- Migrate the workloads from the old node pool to the new node pool. This can be done by running the following command in the GCP CLI:
  Replace [NODE_NAME] with the name of the node that is running the untrusted workload. This command will safely evict all the pods running on the node.
- Delete the old node pool. This can be done by running the following command in the GCP CLI:
  Replace [NODE_POOL_NAME], [CLUSTER_NAME] and [ZONE] with the corresponding values for your GKE Sandbox.
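The check and drain steps above refer to commands the page does not show. As an added example that is not the page's own code, the following Python audits the JSON printed by kubectl get nodes -o json and kubectl get pods -A -o json to find which pods in an untrusted namespace are not actually running under GKE Sandbox, and which legacy nodes therefore still need to be drained. It relies on three real identifiers: the node label cloud.google.com/gke-nodepool, the label sandbox.gke.io/runtime=gvisor that GKE puts on sandbox nodes, and the pod spec field runtimeClassName: gvisor. GKE Sandbox is gVisor-based, and the gcloud flag that creates a sandbox node pool is --sandbox type=gvisor. The two JSON documents inside the block are constructed samples; the namespace "untrusted", the pod names and the node names are made up.

```python
"""Find pods in untrusted namespaces that are not actually running under
GKE Sandbox (gVisor), and which legacy nodes still need to be drained.

Added example; it reads the JSON printed by:
  kubectl get nodes -o json
  kubectl get pods -A -o json
"""
import json

NODEPOOL_LABEL = "cloud.google.com/gke-nodepool"   # real GKE node label
SANDBOX_LABEL = "sandbox.gke.io/runtime"           # real label on sandbox nodes
GVISOR = "gvisor"                                  # RuntimeClass name for GKE Sandbox

# Constructed sample output, abbreviated to the fields the audit reads.
NODES_JSON = json.dumps({"items": [
    {"metadata": {"name": "gke-demo-default-pool-aaaa",
                  "labels": {NODEPOOL_LABEL: "default-pool"}}},
    {"metadata": {"name": "gke-demo-sandbox-pool-bbbb",
                  "labels": {NODEPOOL_LABEL: "sandbox-pool",
                             SANDBOX_LABEL: GVISOR}}},
]})
PODS_JSON = json.dumps({"items": [
    # still on the legacy pool, no RuntimeClass: must be migrated
    {"metadata": {"namespace": "untrusted", "name": "renderer-1"},
     "spec": {"nodeName": "gke-demo-default-pool-aaaa"}},
    # correctly sandboxed
    {"metadata": {"namespace": "untrusted", "name": "renderer-2"},
     "spec": {"nodeName": "gke-demo-sandbox-pool-bbbb", "runtimeClassName": GVISOR}},
    # on a sandbox node (e.g. via a toleration) but without the RuntimeClass:
    # it runs with the normal container runtime, so it is NOT sandboxed
    {"metadata": {"namespace": "untrusted", "name": "renderer-3"},
     "spec": {"nodeName": "gke-demo-sandbox-pool-bbbb"}},
    # system workload outside the audited namespaces: ignored
    {"metadata": {"namespace": "kube-system", "name": "kube-dns-x"},
     "spec": {"nodeName": "gke-demo-default-pool-aaaa"}},
]})


def parse_nodes(nodes_json):
    """Map node name -> (node pool, is_sandbox_node)."""
    nodes = {}
    for item in json.loads(nodes_json)["items"]:
        labels = item["metadata"].get("labels", {})
        nodes[item["metadata"]["name"]] = (
            labels.get(NODEPOOL_LABEL, "unknown"),
            labels.get(SANDBOX_LABEL) == GVISOR,
        )
    return nodes


def audit_pods(nodes_json, pods_json, namespaces):
    """Return {"ns/pod": finding} for pods in `namespaces` that are not sandboxed.

    A pod runs under gVisor only when its spec requests runtimeClassName gvisor
    AND it is scheduled on a sandbox node; either condition alone is a finding.
    """
    nodes = parse_nodes(nodes_json)
    findings = {}
    for pod in json.loads(pods_json)["items"]:
        meta, spec = pod["metadata"], pod.get("spec", {})
        if meta["namespace"] not in namespaces:
            continue
        node = spec.get("nodeName")
        pool, on_sandbox_node = nodes.get(node, ("unscheduled", False))
        wants_gvisor = spec.get("runtimeClassName") == GVISOR
        if wants_gvisor and on_sandbox_node:
            continue
        reason = ("pod spec lacks runtimeClassName gvisor" if not wants_gvisor
                  else "requests gvisor but is not on a sandbox node")
        findings[f"{meta['namespace']}/{meta['name']}"] = {
            "reason": reason, "node": node, "pool": pool,
            "on_sandbox_node": on_sandbox_node}
    return findings


def nodes_to_drain(findings):
    """Legacy nodes hosting unsandboxed pods: the targets of the drain step.

    Pods already on a sandbox node are not drained; their spec needs the
    RuntimeClass added instead.
    """
    return sorted({f["node"] for f in findings.values()
                   if f["node"] and not f["on_sandbox_node"]})


if __name__ == "__main__":
    found = audit_pods(NODES_JSON, PODS_JSON, ("untrusted",))
    for key, f in sorted(found.items()):
        print(f"{key}: {f['reason']} (node pool {f['pool']})")
    print("nodes to drain:", nodes_to_drain(found))
```

Running it against real cluster output means piping the two kubectl commands into files and passing their contents in place of the constructed strings. The renderer-3 case is the one worth remembering: being scheduled onto a sandbox node does not sandbox a pod; only the RuntimeClass does.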
Using Python
To remediate the misconfiguration “Consider GKE Sandbox For Running Untrusted Workloads” for GCP using Python, follow the steps below:
- Install the necessary libraries:
- Set the project ID and cluster name for which you want to enable GKE Sandbox.
- Authenticate using your Google Cloud credentials:
- Enable GKE Sandbox for the cluster:
- Verify that GKE Sandbox is enabled:
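The steps above list the Python procedure without its code. As an added example that is not the page's own, the block below builds the GKE REST request that creates a node pool with sandboxConfig.type = GVISOR (GKE Sandbox is a node pool setting, not a cluster-wide one) and verifies it by listing the cluster's node pools. The request and response shapes are those of the public v1 API at container.googleapis.com; the HTTP transport is injected as a callable so the same functions run offline against the constructed FakeGke stand-in. Obtaining the bearer token (for example with google-auth) is left to the caller, so the token value is a placeholder, and the project, location, cluster and pool names are made up.

```python
"""Create a GKE Sandbox (gVisor) node pool through the GKE REST API and
verify it by listing the cluster's node pools.

Added example. GKE Sandbox is configured per node pool: the node pool's
config carries sandboxConfig.type = GVISOR. The transport is a callable
send(method, url, body) so the logic can be exercised offline.
"""
import json
from urllib import request

API = "https://container.googleapis.com/v1"


def node_pools_url(project, location, cluster):
    """URL of projects.locations.clusters.nodePools for one cluster."""
    return (f"{API}/projects/{project}/locations/{location}"
            f"/clusters/{cluster}/nodePools")


def sandboxed_node_pool_body(name, node_count=1, machine_type="e2-standard-4"):
    """Request body for nodePools.create that turns GKE Sandbox on."""
    return {"nodePool": {
        "name": name,
        "initialNodeCount": node_count,
        "config": {
            "machineType": machine_type,
            # GKE Sandbox requires Container-Optimized OS with containerd.
            "imageType": "COS_CONTAINERD",
            "sandboxConfig": {"type": "GVISOR"},
        },
    }}


def urllib_transport(token):
    """Real transport. `token` is an OAuth2 bearer token obtained elsewhere
    (placeholder here; google-auth can supply one for your credentials)."""
    def send(method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json"})
        with request.urlopen(req) as resp:
            return json.load(resp)
    return send


def create_sandboxed_node_pool(send, project, location, cluster, name, **kw):
    """POST the create request; returns the long-running Operation resource.
    Against the real API, wait for the operation before verifying."""
    return send("POST", node_pools_url(project, location, cluster),
                sandboxed_node_pool_body(name, **kw))


def sandboxed_pools(send, project, location, cluster):
    """Names of node pools whose config has sandboxConfig.type == GVISOR."""
    resp = send("GET", node_pools_url(project, location, cluster))
    return sorted(
        p["name"] for p in resp.get("nodePools", [])
        if p.get("config", {}).get("sandboxConfig", {}).get("type") == "GVISOR")


def verify_sandbox_enabled(send, project, location, cluster, name):
    """True when node pool `name` exists with GKE Sandbox enabled."""
    return name in sandboxed_pools(send, project, location, cluster)


class FakeGke:
    """Constructed stand-in for the API so this example runs offline.
    It records calls and makes a created pool visible immediately."""
    def __init__(self):
        self.pools = [{"name": "default-pool",
                       "config": {"imageType": "COS_CONTAINERD"}}]
        self.calls = []

    def __call__(self, method, url, body=None):
        self.calls.append((method, url, body))
        if method == "POST":
            self.pools.append(body["nodePool"])
            return {"name": "operation-constructed", "status": "RUNNING"}
        return {"nodePools": self.pools}


if __name__ == "__main__":
    gke = FakeGke()  # swap for urllib_transport("<ACCESS_TOKEN>") to run for real
    args = ("my-project", "us-central1", "demo-cluster")
    print(create_sandboxed_node_pool(gke, *args, "sandbox-pool"))
    print("sandbox-pool enabled:", verify_sandbox_enabled(gke, *args, "sandbox-pool"))
    print("default-pool enabled:", verify_sandbox_enabled(gke, *args, "default-pool"))
```

The verification step deliberately inspects the node pool's config rather than trusting the create response: the create call only returns an operation, and a pool whose config lacks sandboxConfig is an ordinary pool even if its name says otherwise.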