GCP GKE cluster with auto-upgrade disabled
Description
AlphaSOC detected a Google Kubernetes Engine (GKE) node pool created or updated with auto-upgrade disabled. Disabling auto-upgrade prevents automatic security patches from being applied to Kubernetes nodes. Attackers may disable auto-upgrade to maintain persistence through known vulnerabilities or to prevent security fixes from disrupting their access.
Impact
Unpatched Kubernetes nodes are susceptible to container escape vulnerabilities, privilege escalation attacks, and other security issues. Disabling auto-upgrade allows known vulnerabilities to persist, which attackers can exploit to compromise containers, escape to the host, or gain cluster-wide access. This increases the window of exposure for critical security issues.
Severity
| Severity | Condition |
|---|---|
| Low | GKE cluster auto-upgrade disabled |
Investigation and Remediation
Review the node pool configuration change and verify it was authorized. Determine the business justification for disabling auto-upgrade and document any compensating controls. Ensure manual upgrade procedures are in place and being followed. If the change was unauthorized, re-enable auto-upgrade and investigate the user's account for signs of compromise.
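Triage logic for this detection, added here as an example and not AlphaSOC's own code: it scans constructed Cloud Audit Log entries for node pool creations or management changes that explicitly set autoUpgrade to false and reports who made the change and on which pool, which is the starting point for the authorization review above. The method names and request field layout are assumptions about the GKE ClusterManager API, and all log lines are constructed.

```python
import json

# Constructed Cloud Audit Log entries (sample data, not from a real project). Method
# names and request field layout follow the GKE ClusterManager API as assumed here.
SAMPLE_LOG_LINES = [
    json.dumps({"protoPayload": {
        "methodName": "google.container.v1.ClusterManager.SetNodePoolManagement",
        "authenticationInfo": {"principalEmail": "dev@example.com"},
        "resourceName": "projects/demo/locations/us-central1/clusters/prod/nodePools/default-pool",
        "request": {"management": {"autoUpgrade": False, "autoRepair": True}}}}),
    json.dumps({"protoPayload": {
        "methodName": "google.container.v1.ClusterManager.CreateNodePool",
        "authenticationInfo": {"principalEmail": "ci@example.com"},
        "resourceName": "projects/demo/locations/us-central1/clusters/prod",
        "request": {"nodePool": {"name": "batch-pool", "management": {"autoUpgrade": False}}}}}),
    json.dumps({"protoPayload": {
        "methodName": "google.container.v1.ClusterManager.SetNodePoolManagement",
        "authenticationInfo": {"principalEmail": "ops@example.com"},
        "resourceName": "projects/demo/locations/us-central1/clusters/prod/nodePools/web-pool",
        "request": {"management": {"autoUpgrade": True, "autoRepair": True}}}}),
    json.dumps({"protoPayload": {  # unrelated node pool change: must not fire
        "methodName": "google.container.v1.ClusterManager.UpdateNodePool",
        "authenticationInfo": {"principalEmail": "ops@example.com"},
        "resourceName": "projects/demo/locations/us-central1/clusters/prod/nodePools/web-pool",
        "request": {"imageType": "COS_CONTAINERD"}}}),
]

def auto_upgrade_setting(method, request):
    """Return the autoUpgrade value a request sets, or None if it leaves it alone.
    CreateNodePool nests management under nodePool; SetNodePoolManagement has it top-level."""
    if method.endswith(".CreateNodePool"):
        return request.get("nodePool", {}).get("management", {}).get("autoUpgrade")
    if method.endswith(".SetNodePoolManagement"):
        return request.get("management", {}).get("autoUpgrade")
    return None

def find_disabled_auto_upgrade(log_lines):
    """Flag only an explicit autoUpgrade=false; an omitted setting keeps the GKE default."""
    findings = []
    for line in log_lines:
        payload = json.loads(line).get("protoPayload", {})
        method, request = payload.get("methodName", ""), payload.get("request", {})
        if auto_upgrade_setting(method, request) is not False:
            continue
        # CreateNodePool names the new pool in the body; other calls name it in resourceName.
        pool = request.get("nodePool", {}).get("name") or payload["resourceName"].rsplit("/", 1)[-1]
        findings.append({"severity": "Low", "method": method.rsplit(".", 1)[-1],
                         "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
                         "nodePool": pool})
    return findings
```

Each finding names the principal to check against the change record; a pool that was created with auto-upgrade off from the start is reported alongside pools whose setting was later changed.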
Known False Positives
- Environments requiring strict change control for production workloads
- Applications with specific version compatibility requirements
- Organizations with manual patching schedules due to compliance requirements