More Info:

Subscribe to the Regular or Stable Release Channel to automate version upgrades to the GKE cluster and to reduce version management complexity to the number of features and level of stability required.

Risk Level

Medium

Address

Security, Reliability, Operational Excellence, Best Practice

Compliance Standards

CISGKE

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Ensure Clusters Use Stable Release Channels” for GCP using GCP console, follow the below steps:
  1. Open the GCP console and navigate to the Kubernetes Engine page.
  2. Select the cluster that you want to remediate.
  3. Click on the “Edit” button at the top of the page.
  4. In the “Cluster version and upgrade settings” section, select “Stable channel” from the “Release channel” drop-down menu.
  5. Click on the “Save” button to apply the changes.
  6. Repeat the above steps for all the clusters in your GCP environment.
By following the above steps, you have successfully remediated the misconfiguration “Ensure Clusters Use Stable Release Channels” for GCP using GCP console.

To remediate the issue of ensuring clusters use stable release channels in GCP using GCP CLI, follow the below steps:Step 1: Open the Cloud ShellStep 2: Run the following command to set the project ID:
gcloud config set project [PROJECT_ID]
Step 3: Verify that you have the Kubernetes Engine API enabled for your project by running the following command:
gcloud services list --enabled | grep container.googleapis.com
Step 4: Run the following command to get the current release channel of the cluster:
gcloud container clusters describe [CLUSTER_NAME] --zone [ZONE] | grep releaseChannel
Step 5: Run the following command to update the release channel to stable:
gcloud container clusters update [CLUSTER_NAME] --zone [ZONE] --update-addons=HorizontalPodAutoscaling,HttpLoadBalancing --release-channel=stable
Step 6: Verify that the release channel has been updated by running the following command:
gcloud container clusters describe [CLUSTER_NAME] --zone [ZONE] | grep releaseChannel
This should remediate the issue of ensuring clusters use stable release channels in GCP using GCP CLI.
To remediate the misconfiguration “Ensure Clusters Use Stable Release Channels” in GCP using Python, you can follow the below steps:
  1. First, you need to install the google-cloud-container library using the following command: 
    pip install google-cloud-container
  2. Next, you need to authenticate with GCP using your service account key. You can use the following code to authenticate: 
    from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file(
    'path/to/service_account_key.json')
  3. Once you are authenticated, you can use the google.cloud.container_v1.ClusterManagerClient class to get the list of clusters in your GCP project. You can use the following code to get the list of clusters: 
    from google.cloud import container_v1

client = container_v1.ClusterManagerClient(credentials=credentials)
project_id = 'your-project-id'

clusters = client.list_clusters(project_id)
  4. After getting the list of clusters, you can check if each cluster is using the stable release channel or not. If any cluster is not using the stable release channel, you can update the cluster to use the stable release channel. You can use the following code to update the cluster: 
    for cluster in clusters:
    if cluster.release_channel != 'STABLE':
        cluster.release_channel = 'STABLE'
        update_request = container_v1.UpdateClusterRequest(
            project_id=project_id,
            zone=cluster.zone,
            cluster_id=cluster.name,
            update=cluster,
            name=cluster.name)
        response = client.update_cluster(update_request)
  5. Finally, you can verify that all the clusters are now using the stable release channel by running the code in step 3 again.
By following the above steps, you can remediate the misconfiguration “Ensure Clusters Use Stable Release Channels” in GCP using Python.

Additional Reading: