
How to set up protect-kernel-defaults to true in GKE Standard

I have a task to harden GKE based on the CIS Benchmark. One of the tasks assigned is to ensure the --protect-kernel-defaults argument is set to true.
How do I do this?
I have already checked the "kubelet-config.yaml" file, but I didn't find that configuration there.

1 ACCEPTED SOLUTION

Hello @rndnds,

Thank you for contacting Google Cloud Community.

We recommend that you prioritize the CIS GKE Benchmark, because it is specific to GKE on Google Cloud. The CIS Kubernetes Benchmark contains many recommendations for controls that you can't view or modify in GKE. Our approach to cluster security includes mitigations that go beyond the scope of the open source Kubernetes benchmark and might result in conflicts with those recommendations. 

  1. GKE Standard mode lets your workloads modify kernel defaults if needed.
  2. For clusters managed by GKE, the Kubelet parameters that can be modified are limited, and they can be found in the public document Customizing node system configuration - Kubelet configuration options.
  3. As you can see, the parameter --protect-kernel-defaults is not listed there, meaning that it cannot be configured.

There is also a Feature Request regarding this issue that could be tracked here.

Meanwhile, there is no commitment or ETA from Google regarding when this will be implemented, but you can give it more visibility by using the ‘+1’ button in the top right corner of the page, which will also ensure that you receive any update posted there. Additionally, you could post your business impact and use case in the comment section, which could make the product team prioritize their work.

Thanks & Regards,
Manish Bavireddy.
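For anyone auditing this control rather than trying to change it, the following is an added example (not from the original thread and not Google's code) of how to verify the effective kubelet setting on a node. The kubelet exposes its running configuration on its /configz endpoint, which can be fetched through the API server with `kubectl get --raw "/api/v1/nodes/<node>/proxy/configz"`; in that JSON the `--protect-kernel-defaults` flag appears as the KubeletConfiguration field `protectKernelDefaults`, and the kubelet default for it is false, so a key that is absent from kubelet-config.yaml (as the asker observed) means the control is not enforced. The sample document in the block is constructed, and the extra hardening keys it checks are assumptions about what an auditor would want alongside this one; as the accepted answer explains, a failing result on GKE Standard is a finding to document, since the parameter cannot be set there.

```python
"""Audit a kubelet configuration for the CIS protect-kernel-defaults control.

Added example, not code from the original thread. Input is either the JSON
returned by the kubelet /configz endpoint (which wraps the configuration
under a "kubeletconfig" key) or a bare KubeletConfiguration object.
"""
import json

# Constructed sample of a /configz response; the field set on a real GKE
# node will differ. protectKernelDefaults is deliberately false here.
SAMPLE_CONFIGZ = json.dumps({
    "kubeletconfig": {
        "kind": "KubeletConfiguration",
        "apiVersion": "kubelet.config.k8s.io/v1beta1",
        "authentication": {"anonymous": {"enabled": False}},
        "readOnlyPort": 0,
        "protectKernelDefaults": False,
    }
})

# (key path, expected value, kubelet default when the key is absent).
# Assumed audit set; protectKernelDefaults is the control from the thread,
# the other two are common companion kubelet checks.
CHECKS = [
    (("protectKernelDefaults",), True, False),
    (("authentication", "anonymous", "enabled"), False, True),
    (("readOnlyPort",), 0, 10255),
]


def load_kubelet_config(doc: str) -> dict:
    """Accept a raw /configz response or a bare KubeletConfiguration."""
    data = json.loads(doc)
    return data.get("kubeletconfig", data)


def lookup(cfg: dict, path: tuple):
    """Walk a nested key path; return None if any segment is missing."""
    node = cfg
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def audit_protect_kernel_defaults(cfg: dict) -> dict:
    """Finding for the --protect-kernel-defaults control only.

    A missing key is reported as not enforced because the kubelet default
    is false, matching what the asker saw in kubelet-config.yaml.
    """
    value = lookup(cfg, ("protectKernelDefaults",))
    return {
        "control": "protectKernelDefaults",
        "observed": value,
        "pass": value is True,
        "note": "set explicitly" if value is not None
                else "key absent; kubelet default is false",
    }


def audit_kubelet(cfg: dict) -> list:
    """Run every check in CHECKS, applying the kubelet default for absent keys."""
    findings = []
    for path, expected, default in CHECKS:
        observed = lookup(cfg, path)
        effective = default if observed is None else observed
        findings.append({
            "control": ".".join(path),
            "observed": observed,
            "effective": effective,
            "pass": effective == expected,
        })
    return findings


if __name__ == "__main__":
    cfg = load_kubelet_config(SAMPLE_CONFIGZ)
    for f in audit_kubelet(cfg):
        print(("PASS" if f["pass"] else "FAIL"), f["control"], "=", f["effective"])
```

Feed it the real output with `kubectl get --raw "/api/v1/nodes/<node>/proxy/configz" | python3 audit.py` after replacing `SAMPLE_CONFIGZ` with `sys.stdin.read()`; the point of reporting the effective value rather than only the raw key is that an absent `protectKernelDefaults` is a fail, not an "unknown".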
