How to patch GKE Managed Instance Groups (Node Pools) for package security updates?


I have a GKE cluster running multiple nodes across two zones. My goal is to schedule a job that runs once a week and executes `sudo apt-get upgrade` to update the system packages. After some research I found that GCP offers a tool called "OS Patch Management" which does exactly this. I tried using it, but the Patch Job execution raised an error saying:

Failure reason: Instance is part of a Managed Instance Group.

I also noticed that when creating a GKE node pool there is an option to enable "auto-upgrade". But according to its description, it only upgrades the Kubernetes version.

OS Patch Management only works for GCE VMs. It does not work for GKE.

You should avoid doing OS-level upgrades yourself in GKE; it can lead to unexpected behaviour (for example, a package gets upgraded and changes something that breaks the GKE configuration).

You should let GKE auto-upgrade both the OS and Kubernetes. Auto-upgrade will upgrade the OS, because the GKE version is tied to the OS image version.

A simple way is to enrol your cluster in a release channel, so that it is upgraded whenever needed (depending on the channel) and your OS is patched regularly.

You can also follow the GKE hardening guide, which gives you the steps to make your GKE cluster as secure as possible.
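One practical way to act on this answer is to audit which node pools have not delegated patching to GKE and to generate the remediation commands. The following is an added example, not code from the original post: it parses the JSON shape returned by `gcloud container node-pools list --format=json` (field names `name`, `version`, `config.imageType`, `management.autoUpgrade`), using a constructed sample instead of output from a real cluster, and builds `gcloud container node-pools update ... --enable-autoupgrade` and `gcloud container clusters update ... --release-channel` commands. The cluster name, location and version strings are placeholders.

```python
import json

# Constructed sample of `gcloud container node-pools list --format=json` output.
# Not captured from a real cluster; pool names and versions are made up.
SAMPLE_NODE_POOLS_JSON = """
[
  {"name": "default-pool", "version": "1.27.3-gke.100",
   "config": {"imageType": "COS_CONTAINERD"},
   "management": {"autoUpgrade": true, "autoRepair": true}},
  {"name": "legacy-pool", "version": "1.25.8-gke.500",
   "config": {"imageType": "UBUNTU_CONTAINERD"},
   "management": {"autoUpgrade": false, "autoRepair": true}},
  {"name": "gpu-pool", "version": "1.27.3-gke.100",
   "config": {"imageType": "COS_CONTAINERD"},
   "management": {}}
]
"""


def pools_without_auto_upgrade(node_pools_json):
    """Return the names of node pools whose OS/Kubernetes patching is NOT
    delegated to GKE, i.e. management.autoUpgrade is missing or false.
    A missing "management" block counts as not enabled."""
    pools = json.loads(node_pools_json)
    return [
        pool["name"]
        for pool in pools
        if not pool.get("management", {}).get("autoUpgrade", False)
    ]


def remediation_commands(pool_names, cluster, location, channel="regular"):
    """Build the gcloud commands that hand patching back to GKE:
    one node-pool update per offending pool, plus enrolling the cluster
    in a release channel so upgrades (and OS image patches) arrive on
    a schedule. Placeholder values for cluster and location are expected."""
    commands = [
        f"gcloud container node-pools update {name} "
        f"--cluster {cluster} --location {location} --enable-autoupgrade"
        for name in pool_names
    ]
    commands.append(
        f"gcloud container clusters update {cluster} "
        f"--location {location} --release-channel {channel}"
    )
    return commands


def audit(node_pools_json, cluster, location):
    """Convenience wrapper: find unmanaged pools and print the fixes."""
    offending = pools_without_auto_upgrade(node_pools_json)
    for cmd in remediation_commands(offending, cluster, location):
        print(cmd)
    return offending


if __name__ == "__main__":
    # Placeholder cluster name and location; substitute your own.
    audit(SAMPLE_NODE_POOLS_JSON, cluster="CLUSTER_NAME", location="REGION")
```

Running the script against real output (`gcloud container node-pools list --cluster CLUSTER --location LOCATION --format=json > pools.json`) lists every pool that would still need a manual `apt-get upgrade` and prints the commands that remove that burden; a pool with an empty `management` block is treated the same as one with `autoUpgrade: false`.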

According to the blog post Exploring container security: the shared responsibility model in GKE:

For GKE, at a high level, we are responsible for protecting:

  • The nodes’ operating system, such as Container-Optimized OS (COS) or Ubuntu. GKE promptly makes any patches to these images available. If you have auto-upgrade enabled, these are automatically deployed. This is the base layer of your container—it’s not the same as the operating system running in your containers.

Conversely, you are responsible for protecting:

  • The nodes that run your workloads. You are responsible for any extra software installed on the nodes, or configuration changes made to the default. You are also responsible for keeping your nodes updated. We provide hardened VM images and configurations by default, manage the containers that are necessary to run GKE, and provide patches for your OS—you’re just responsible for upgrading. If you use node auto-upgrade, it moves the responsibility of upgrading these nodes back to us.

The node auto-upgrade feature does patch the node OS; it does not only upgrade the Kubernetes version.