Control: 7.1.3 Ensure IBM Cloud Kubernetes Service worker nodes are updated to the latest image to ensure patching of vulnerabilities
Description
Update the worker nodes in a cluster to the latest patch version so that security fixes are applied to those worker nodes.
Remediation
From Console:
- Log in to the IBM Cloud console.
- Optional: Add capacity to your cluster by resizing the worker pool. The pods on the worker node can be rescheduled and continue running on the added worker nodes during the update.
- To view a list of your resources, go to Menu > Resource List.
- From your IBM Cloud resource list, select your cluster.
- Select the Worker Nodes tab.
- Select the checkbox for each worker node that you want to update. An action bar is displayed over the table header row.
- From the action bar, click Update.
From Command Line:
- Complete the prerequisite steps.
- Optional: Add capacity to your cluster by resizing the worker pool. The pods on the worker node can be rescheduled and continue running on the added worker nodes during the update.
- List the worker nodes in your cluster and note the ID and Primary IP of the worker node that you want to update.
ibmcloud ks worker ls --cluster <cluster_name_or_ID>
- Replace the worker node to bring it to the latest patch version at the same major.minor version.
ibmcloud ks worker replace --cluster <cluster_name_or_ID> --worker <worker_node_ID>
- Repeat these steps for each worker node that you want to update.
- Optional: After the replaced worker nodes are in a Ready status, resize the worker pool to meet the cluster capacity that you want.
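An added example (not part of the CIS benchmark text or the Powerpipe mod) that turns the list and replace steps above into a reviewable dry run: it reads `ibmcloud ks worker ls` table output and prints one `worker replace` command per out-of-date node, without running anything. It assumes the CLI marks a worker that has a pending patch by appending `*` to the Version column; the sample table, worker IDs and cluster name are constructed.

```bash
#!/bin/sh
# Dry-run planner: prints commands for review, never calls ibmcloud itself.

# Constructed sample of `ibmcloud ks worker ls --cluster <cluster_name_or_ID>` output.
# Assumption: a trailing "*" on Version means a newer patch image is available.
SAMPLE_WORKER_LS='OK
ID                                      Primary IP   Flavor     State    Status   Zone         Version
kube-sample000000000000-demo-00000001   10.0.0.11    bx2.4x16   normal   Ready    us-south-1   1.29.4_1540*
kube-sample000000000000-demo-00000002   10.0.0.12    bx2.4x16   normal   Ready    us-south-1   1.29.4_1541
kube-sample000000000000-demo-00000003   10.0.0.13    bx2.4x16   normal   Ready    us-south-2   1.29.4_1540*

* To update, replace the worker (constructed footer line)'

# Read the table on stdin and print the ID of each worker whose Version ends in "*".
# Version is taken as the last field because "Primary IP" shifts header positions.
stale_workers() {
  awk '$1 == "ID" { in_table = 1; next }
       in_table && $NF ~ /^[0-9]+\.[0-9]+\.[0-9]+_[0-9]+\*$/ { print $1 }'
}

# Print one replace command per stale worker for the cluster named in $1.
plan_replacements() {
  plan_cluster=$1
  stale_workers | while IFS= read -r plan_id; do
    # Reject IDs with unexpected characters so the plan is safe to paste.
    case $plan_id in
      *[!A-Za-z0-9_-]*)
        echo "skipping unexpected worker ID: $plan_id" >&2
        continue ;;
    esac
    printf 'ibmcloud ks worker replace --cluster %s --worker %s\n' \
      "$plan_cluster" "$plan_id"
  done
}

# Demo on the constructed sample; in real use, pipe the CLI output in instead.
printf '%s\n' "$SAMPLE_WORKER_LS" | plan_replacements demo-cluster
```

Run the printed commands one at a time, waiting for each replacement to reach a Ready status before starting the next, so the cluster keeps capacity during the update.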
Usage
Run the control in your terminal:
powerpipe control run ibm_compliance.control.cis_v100_7_1_3
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run ibm_compliance.control.cis_v100_7_1_3 --share
SQL
This control uses a named query:
manual_control