Container-Optimized OS Should Be Enabled

More Info:

Ensures all Kubernetes cluster nodes have Container-Optimized OS enabled. Container-Optimized OS is optimized to enhance node security. It is backed by a team at Google that can quickly patch it.

Risk Level

Medium

Address

Security

Compliance Standards

CISGKE

Triage and Remediation

Remediation

Using Console

Using CLI

To enable Container-Optimized OS on GCP using GCP CLI, follow these steps:

Open the Cloud Shell on the GCP Console.
Run the following command to enable the Container-Optimized OS:

gcloud compute instances create [INSTANCE_NAME] \
--image-project cos-cloud \
--image-family cos-stable \
--boot-disk-size [DISK_SIZE] \
--boot-disk-type pd-standard \
--boot-disk-device-name [DEVICE_NAME]

Replace [INSTANCE_NAME] with the name of the instance that you want to enable Container-Optimized OS on, [DISK_SIZE] with the size of the boot disk in GB, and [DEVICE_NAME] with the name of the boot disk device.

Once the instance is created, SSH into the instance and verify that Container-Optimized OS is enabled by running the following command:

cat /etc/os-release

This command should output information about the OS, including the line “ID=cos”.That’s it! Container-Optimized OS is now enabled on your GCP instance.

Using Python

To remediate the misconfiguration of “Container-Optimized OS Should Be Enabled” in GCP using Python, you can follow the below steps:

Import the necessary libraries:

from googleapiclient.discovery import build
from google.oauth2 import service_account

Set the project ID and the service account credentials:

project_id = "<PROJECT_ID>"
credentials = service_account.Credentials.from_service_account_file('<SERVICE_ACCOUNT_KEY_FILE_PATH>')

Build the GCP Compute Engine API client:

compute_client = build('compute', 'v1', credentials=credentials)

Get the list of instances in the project:

instances = compute_client.instances().list(project=project_id, zone='<ZONE>').execute()

Loop through the instances and check if the Container-Optimized OS is enabled:

for instance in instances['items']:
    instance_name = instance['name']
    instance_id = instance['id']
    instance_zone = instance['zone'].split('/')[-1]
    
    # Get the instance metadata
    metadata = compute_client.instances().get(project=project_id, zone=instance_zone, instance=instance_name).execute()['metadata']['items']
    
    # Check if Container-Optimized OS is enabled
    cos_enabled = False
    for item in metadata:
        if item['key'] == 'google-container-os':
            if item['value'] == 'true':
                cos_enabled = True
                break
    
    # If Container-Optimized OS is not enabled, enable it
    if not cos_enabled:
        metadata.append({
            'key': 'google-container-os',
            'value': 'true'
        })
        compute_client.instances().update(project=project_id, zone=instance_zone, instance=instance_name, body={
            'metadata': {
                'items': metadata
            }
        }).execute()
        print(f"Container-Optimized OS enabled for instance {instance_name} (ID: {instance_id}) in zone {instance_zone}")
    else:
        print(f"Container-Optimized OS already enabled for instance {instance_name} (ID: {instance_id}) in zone {instance_zone}")

This code will check all the instances in the specified zone of the project and enable the Container-Optimized OS if it is not already enabled.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Container-Optimized OS Should Be Enabled

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: