turbot/ibm_compliance

Control: 7.1.3 Ensure IBM Cloud Kubernetes Service worker nodes are updated to the latest image to ensure patching of vulnerabilities

Description

Update the worker nodes in a cluster to the latest patch version so that security fixes are applied to those worker nodes.

Remediation

From Console:

  1. Log in to the IBM Cloud console.
  2. Optional: Add capacity to your cluster by resizing the worker pool. The pods on the worker node can be rescheduled and continue running on the added worker nodes during the update.
  3. To view a list of your resources, go to Menu > Resource List.
  4. From your IBM Cloud resource list, select your cluster.
  5. Select the Worker Nodes tab.
  6. Select the checkbox for each worker node that you want to update. An action bar is displayed over the table header row.
  7. From the action bar, click Update.

From Command Line:

  1. Complete the prerequisite steps.
  2. Optional: Add capacity to your cluster by resizing the worker pool. The pods on the worker node can be rescheduled and continue running on the added worker nodes during the update.
  3. List the worker nodes in your cluster and note the ID and Primary IP of the worker node that you want to update.
     ibmcloud ks worker ls --cluster <cluster_name_or_ID>
  4. Replace the worker node to update the worker node to the latest patch version at the same major.minor version.
     ibmcloud ks worker replace --cluster <cluster_name_or_ID> --worker <worker_node_ID>
  5. Repeat these steps for each worker node that you want to update.
  6. Optional: After the replaced worker nodes are in a Ready status, resize the worker pool to meet the cluster capacity that you want.
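Because this control is checked manually, the following added example (not part of the original page or the mod) turns the listing from the command-line steps into a dry-run plan of replace commands. It assumes the worker ID is the first column, Version is the last column, and a trailing `*` on the version marks a worker with an available update; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: dry-run planner for the command-line remediation steps.
# Reads `ibmcloud ks worker ls` table output on stdin and prints one
# `ibmcloud ks worker replace` command per worker that has a newer patch.
# Assumptions (verify against your CLI version): the worker ID is the first
# column, Version is the last column, and a trailing '*' on the version
# marks a worker for which an update is available.

plan_replacements() {
  # $1 = cluster name or ID, passed through unchanged to the printed command
  awk -v cluster="$1" '
    # Skip the status line, header, blank lines and the update footnote.
    NF < 3 || $1 == "OK" || $1 == "ID" || $1 == "*" { next }
    # Keep only workers whose version carries the update marker.
    $NF ~ /\*$/ {
      printf "ibmcloud ks worker replace --cluster %s --worker %s\n", cluster, $1
    }'
}

# Constructed sample listing (not captured from a real cluster).
sample_worker_ls() {
  cat <<'EOF'
OK
ID                             Primary IP   Flavor     State    Status   Zone         Version
kube-constructed-worker-0001   10.0.0.4     bx2.4x16   normal   Ready    us-south-1   1.29.4_1536*
kube-constructed-worker-0002   10.0.0.5     bx2.4x16   normal   Ready    us-south-1   1.29.5_1540
kube-constructed-worker-0003   10.0.0.6     bx2.4x16   normal   Ready    us-south-2   1.29.4_1536*

* An update is available for the marked workers (constructed footnote).
EOF
}

# Demo on the constructed listing. Against a real cluster:
#   ibmcloud ks worker ls --cluster <cluster_name_or_ID> \
#     | plan_replacements <cluster_name_or_ID>
sample_worker_ls | plan_replacements "example-cluster"
```

Run the printed commands one worker at a time, waiting for each replacement to reach a Ready status, so that rescheduled pods always have capacity to land on.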

Usage

Run the control in your terminal:

powerpipe control run ibm_compliance.control.cis_v100_7_1_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run ibm_compliance.control.cis_v100_7_1_3 --share

SQL

This control uses a named query:

manual_control

Tags