5.10.2 - Ensure that Alpha clusters are not used for production workloads (Automated)

Views:

Profile applicability: Level 1

Alpha clusters are not covered by an SLA and are not production-ready.

Alpha clusters are designed for early adopters to experiment with workloads that take advantage of new features before those features are production-ready. They have all Kubernetes API features enabled, but are not covered by the GKE SLA, do not receive security updates, have node auto-upgrade and node auto-repair disabled, and cannot be upgraded. They are also automatically deleted after 30 days.

Note

By default, Kubernetes Alpha features are disabled.

Impact

Users and workloads will not be able to take advantage of features included within Alpha clusters.

Audit

The audit script for this recommendation utilizes 3 variables: $CLUSTER_NAME $COMPUTE_ZONE

Please set these parameters on the system where you will be executing your gcloud audit script or command.

Using Google Cloud Console:

Go to Kubernetes Engine website.
If a cluster appears under the Kubernetes alpha clusters heading, it is an Alpha cluster.

Using Command Line:

Run the command:

gcloud container clusters describe $CLUSTER_NAME \ 
--zone $COMPUTE-ZONE \ 
--format json | jq '.enableKubernetesAlpha'

The output of the above command will return true if it is an Alpha cluster.

Remediation

Alpha features cannot be disabled. To remediate, a new cluster must be created.

Using Google Cloud Console:

Go to Kubernetes Engine website.
Click CREATE CLUSTER, and choose "SWITCH TO STANDARD CLUSTER" in the upper right corner of the screen.

Under Features in the CLUSTER section, "Enable Kubernetes alpha features in this cluster" will not be available by default. To use Kubernetes alpha features in this cluster, first disable release channels.

Note

It will only be available if the cluster is created with a Static version for the Control plane version, along with both Automatically upgrade nodes to the next available version and Enable auto-repair being checked under the Node pool details for each node.

Configure the other settings as required and click CREATE.

Using Command Line:

Upon creating a new cluster:

gcloud container clusters create [CLUSTER_NAME] \ 
--zone [COMPUTE_ZONE]

Do not use the --enable-kubernetes-alpha argument.