The node image should be Container-Optimized OS (COS)
ID | gcp_cos_node_image_not_used
Severity | low
Vendor | GCP
Resource | AIM
Tags | reachable
Description
Container-Optimized OS images have several features that enhance security, such as:
- Locking down the file system so critical system files are less likely to be tampered with.
- Enabling security-hardening kernel features, such as Integrity Measurement Architecture (IMA), Audit, Kernel Page Table Isolation (KPTI), and some Linux Security Modules (LSMs).
- Providing security-minded default values for several settings, such as disabling ptrace and unprivileged BPF, locking down the firewall, and so on.
To fix it, set the config.image_type property of the node pool to a COS-based image (for example COS_CONTAINERD).
Learn more about this topic at OS Security.
Examples
```yaml
---
- name: create a node pool
  google.cloud.gcp_container_node_pool:
    name: my-pool
    initial_node_count: 4
    cluster: "{{ cluster }}"
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
    config:
      image_type: WINDOWS_LTSC
```
Mitigation / Fix
```yaml
---
- name: create a node pool
  google.cloud.gcp_container_node_pool:
    name: my-pool
    initial_node_count: 4
    cluster: "{{ cluster }}"
    location: us-central1-a
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
    config:
      image_type: COS_CONTAINERD
```
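As an added example (not part of the original rule page or of any scanner's own code), the following script implements the gcp_cos_node_image_not_used check over already-parsed Ansible tasks. The two tasks from this page are constructed inline as Python data so the script runs without PyYAML; a real scanner would `yaml.safe_load` the playbook first. The handling of tasks that omit `image_type` (not flagged) is an assumption of this example, not something the rule text states.

```python
# Minimal implementation of the gcp_cos_node_image_not_used rule over parsed tasks.
# Both the short and the fully-qualified module name are recognised.
NODE_POOL_MODULES = ("google.cloud.gcp_container_node_pool", "gcp_container_node_pool")
RULE_ID = "gcp_cos_node_image_not_used"


def iter_tasks(tasks):
    """Yield every task, descending into block/rescue/always sections."""
    for task in tasks:
        for section in ("block", "rescue", "always"):
            if isinstance(task.get(section), list):
                yield from iter_tasks(task[section])
        yield task


def is_cos_image(image_type):
    """GKE COS image names start with COS (e.g. COS, COS_CONTAINERD)."""
    return isinstance(image_type, str) and image_type.strip().upper().startswith("COS")


def check_tasks(tasks):
    """Return one finding per node-pool task whose config.image_type is not COS-based.

    Assumption: tasks that omit image_type are not flagged, since no explicit
    non-COS image is requested in the playbook.
    """
    findings = []
    for task in iter_tasks(tasks):
        for module in NODE_POOL_MODULES:
            params = task.get(module)
            if not isinstance(params, dict):
                continue
            config = params.get("config")
            image_type = config.get("image_type") if isinstance(config, dict) else None
            if image_type is not None and not is_cos_image(image_type):
                findings.append({"rule": RULE_ID, "task": task.get("name", "<unnamed>"),
                                 "image_type": image_type})
    return findings


# Constructed sample: the non-compliant task and the fixed task from this page.
SAMPLE_TASKS = [
    {"name": "create a node pool",
     "google.cloud.gcp_container_node_pool": {"name": "my-pool", "config": {"image_type": "WINDOWS_LTSC"}}},
    {"name": "create a fixed node pool",
     "google.cloud.gcp_container_node_pool": {"name": "my-pool", "config": {"image_type": "COS_CONTAINERD"}}},
]

if __name__ == "__main__":
    for f in check_tasks(SAMPLE_TASKS):
        print(f"{f['rule']}: task '{f['task']}' uses image_type {f['image_type']}")
```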