Profile applicability: Level 1
Use Container-Optimized OS (cos_containerd) as a managed, optimized and hardened base OS that limits the host's attack surface.
COS is an operating system image for Compute Engine VMs optimized for running containers.
With COS, the containers can be brought up on Google Cloud Platform quickly, efficiently,
and securely.
Using COS as the node image provides the following benefits:
- Run containers out of the box: COS instances come pre-installed with the container runtime and cloud-init. With a COS instance, the container can be brought up at the same time as the VM is created, with no on-host setup required.
- Smaller attack surface: COS has a smaller footprint, reducing the instance's potential attack surface.
- Locked-down by default: COS instances include a locked-down firewall and other security settings by default.
Note: Container-optimised OS with containerd (cos_containerd) (default) is the default option
for a cluster node image.
Impact
If modifying an existing cluster's Node pool to run COS, the upgrade operation used
is long-running and will block other operations on the cluster (including delete)
until it has run to completion. COS nodes also provide an option with containerd as
the main container runtime directly integrated with Kubernetes instead of docker.
Thus, on these nodes, Docker cannot view or access containers or images managed by
Kubernetes. Applications should not interact with Docker directly. For general troubleshooting
or debugging, use crictl instead.
Audit
Using Google Cloud Console:
- Go to Kubernetes Engine by visiting: Google Cloud Console Kubernetes Engine page.
- From the list of clusters, select the cluster under test.
- Under the 'Node pools' section, make sure that for each of the Node pools, 'Container-Optimized OS (cos_containerd)' is listed in the 'Image type' column.
Using Command line:
To check Node image type for an existing cluster's Node pool, first define 4 variables
for Node Pool, Cluster Name, Location and Project and then run the following command:
gcloud container node-pools describe $NODE_POOL --cluster $CLUSTER_NAME --location $LOCATION --project $PROJECT_ID --format json | jq '.config.imageType'
With the jq filter shown, the command prints "COS_CONTAINERD" when COS with containerd is used for Node images; the unfiltered JSON output of the describe command contains:
"config": {
..
"imageType": "COS_CONTAINERD",
..
}
Remediation
Using Google Cloud Console:
- Go to Kubernetes Engine by visiting: Google Cloud Console Kubernetes Engine page.
- Select the Kubernetes cluster which does not use COS.
- Under the Node pools heading, select the Node Pool that requires alteration.
- Click EDIT.
- Under the Image Type heading click CHANGE.
- From the pop-up menu select Container-optimised OS with containerd (cos_containerd) (default) and click CHANGE.
- Repeat for all non-compliant Node pools.
Using Command Line:
To set the node image to cos for an existing cluster's Node pool:
gcloud container clusters upgrade <cluster_name> --image-type cos_containerd --location <location> --node-pool <node_pool_name>
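The audit above checks one node pool at a time; the following added example (not part of the benchmark text) applies the same imageType check across every node pool in a cluster listing and prints the remediation command from this section for each non-compliant pool. It assumes the JSON shape of `gcloud container clusters list --format json` (cluster name, location, nodePools[].config.imageType) and uses a constructed, trimmed sample in place of real gcloud output, so it runs offline.

```python
import json

# Constructed sample, trimmed to the fields this check needs; it is not
# real output from any project. Only COS_CONTAINERD is compliant with the
# recommendation, so the Ubuntu pool and the Docker-based "cos" pool should be flagged.
SAMPLE_CLUSTERS_JSON = """
[
  {"name": "prod-gke", "location": "us-central1",
   "nodePools": [
     {"name": "default-pool", "config": {"imageType": "COS_CONTAINERD"}},
     {"name": "legacy-pool",  "config": {"imageType": "UBUNTU_CONTAINERD"}}
   ]},
  {"name": "dev-gke", "location": "europe-west1-b",
   "nodePools": [
     {"name": "default-pool", "config": {"imageType": "cos"}}
   ]}
]
"""

COMPLIANT_IMAGE_TYPES = {"COS_CONTAINERD"}  # image type required by this recommendation


def find_noncompliant_pools(clusters_json):
    """Return (cluster, location, pool, imageType) for each node pool whose image
    type is not cos_containerd. The comparison is case-insensitive because gcloud
    reports the value in upper case while the --image-type flag takes lower case;
    a missing imageType is reported as non-compliant rather than silently skipped."""
    findings = []
    for cluster in json.loads(clusters_json):
        for pool in cluster.get("nodePools", []):
            image_type = pool.get("config", {}).get("imageType", "")
            if image_type.upper() not in COMPLIANT_IMAGE_TYPES:
                findings.append((cluster["name"], cluster["location"], pool["name"], image_type))
    return findings


def remediation_command(cluster, location, pool):
    """Build the remediation command given in this section for one node pool."""
    return (f"gcloud container clusters upgrade {cluster} --image-type cos_containerd "
            f"--location {location} --node-pool {pool}")


if __name__ == "__main__":
    for cluster, location, pool, image_type in find_noncompliant_pools(SAMPLE_CLUSTERS_JSON):
        print(f"NON-COMPLIANT {cluster}/{pool} ({location}): imageType={image_type or 'missing'}")
        print("  remediate: " + remediation_command(cluster, location, pool))
```

Feed it real output by replacing SAMPLE_CLUSTERS_JSON with the captured listing; remember that each upgrade is long-running and blocks other operations on that cluster until it completes.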
