A patch for a vulnerability has been released, and a DevOps team needs to update their running containers in Google Kubernetes Engine (GKE). How should the DevOps team accomplish this?
A. Use Puppet or Chef to push out the patch to the running container.
B. Verify that auto upgrade is enabled; if so, Google will upgrade the nodes in a GKE cluster.
C. Update the application code or apply a patch, build a new image, and redeploy it.
D. Configure containers to automatically upgrade when the base image is available in Container Registry.
https://cloud.google.com/containers/security
Containers are meant to be immutable, so you deploy a new image in order to make changes. You can simplify patch management by rebuilding your images regularly, so the patch is picked up the next time a container is deployed. Get the full picture of your environment with regular image security reviews.
C is better
"C"
Containers are immutable and cannot be updated in place. Base image/container must be patched and then gradually introduced to live container pool.
References:
https://cloud.google.com/architecture/best-practices-for-operating-containers#immutability
B is 100% the answer.
Fixing some vulnerabilities requires only a control plane upgrade, performed automatically by Google on GKE, while others require both control plane and node upgrades.
To keep clusters patched and hardened against vulnerabilities of all severities, we recommend using node auto-upgrade on GKE (on by default).
https://cloud.google.com/kubernetes-engine/docs/resources/security-patching#how_vulnerabilities_are_patched
It's actually B.
Patching a vulnerability involves upgrading to a new GKE or Anthos version number. GKE and Anthos versions include versioned components for the operating system, Kubernetes components, and other containers that make up the Anthos platform. Fixing some vulnerabilities requires only a control plane upgrade, performed automatically by Google on GKE, while others require both control plane and node upgrades.
To keep clusters patched and hardened against vulnerabilities of all severities, we recommend using node auto-upgrade on GKE (on by default). On other Anthos platforms, Google recommends upgrading your Anthos components at least monthly.
Ref: https://cloud.google.com/kubernetes-engine/docs/resources/security-patching
No, the question is asking how vulnerabilities are patched! To keep clusters patched and hardened against vulnerabilities of all severities, we recommend using node auto-upgrade on GKE (on by default).
https://cloud.google.com/kubernetes-engine/docs/resources/security-patching#how_vulnerabilities_are_patched
Agreed - I think this wasn't available at the time people responded.
B is correct
https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-upgrades
The question asked is "team needs to update their running containers". If it was auto enabled there was no need to update manually, so my answer will be C.
I'm definitely going with C, since updating the nodes with auto-upgrade has nothing to do with the containers; the vulnerability in this case must be applied with respect to the container, that is, the application, so answer C is correct.
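Several comments above rest on container immutability: a rebuilt image only takes effect once the pods running the old image are replaced. The following is an added example, not part of the original thread, that checks pod status for containers still running a pre-patch image digest. The repository name, pod names and digests are constructed, and the input is shaped like `kubectl get pods -A -o json` output.

```python
import json

# Constructed sample shaped like `kubectl get pods -A -o json` (trimmed to the
# fields used here). Names, repository and digests are made up for illustration.
OLD = "sha256:" + "a" * 64
NEW = "sha256:" + "b" * 64
REPO = "gcr.io/example-project/web"

SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "prod", "name": "web-7d9f-abcde"},
     "status": {"containerStatuses": [
         {"name": "web", "image": REPO + ":1.4.2", "imageID": REPO + "@" + NEW}]}},
    {"metadata": {"namespace": "prod", "name": "web-5c6b-fghij"},
     "status": {"containerStatuses": [
         {"name": "web", "image": REPO + ":1.4.1", "imageID": REPO + "@" + OLD}]}},
    {"metadata": {"namespace": "prod", "name": "cache-0"},
     "status": {"containerStatuses": [
         {"name": "redis", "image": "redis:7", "imageID": "docker.io/library/redis@" + OLD}]}},
    {"metadata": {"namespace": "prod", "name": "web-pending"}, "status": {}},
]})


def split_image_id(image_id):
    """Split 'repo@sha256:...' (optionally prefixed 'docker-pullable://')."""
    image_id = image_id.split("://", 1)[-1]
    repo, sep, digest = image_id.rpartition("@")
    return (repo, digest) if sep else (image_id, "")


def stale_containers(pods_json, repo, patched_digest):
    """Return (namespace, pod, container, digest) for containers of `repo`
    that are still running something other than the patched digest."""
    stale = []
    for pod in json.loads(pods_json).get("items", []):
        meta = pod["metadata"]
        # Pending pods have no containerStatuses yet; skip them.
        for cs in pod.get("status", {}).get("containerStatuses", []):
            running_repo, digest = split_image_id(cs.get("imageID", ""))
            if running_repo == repo and digest != patched_digest:
                stale.append((meta["namespace"], meta["name"], cs["name"], digest))
    return stale


if __name__ == "__main__":
    for row in stale_containers(SAMPLE, REPO, NEW):
        print("still unpatched:", *row)
```

Comparing the digest in `imageID` rather than the tag in `image` catches pods that were started from a mutable tag before the rebuilt image was pushed.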