GCP Kubernetes Engine Clusters Not Using Container-Optimized OS For Node Image

This policy identifies Kubernetes Engine Clusters which do not have a container-optimized operating system for node image. Container-Optimized OS is an operating system image for your Compute Engine VMs that is optimized for running Docker containers. By using Container-Optimized OS for node image, you can bring up your Docker containers on Google Cloud Platform quickly, efficiently, and securely. The Container-Optimized OS node image is based on a recent version of the Linux kernel and is optimized to enhance node security. It is also regularly updated with features, security fixes, and patches. The Container-Optimized OS image provides better support, security, and stability than other images.

Policy Details

Policy Subtype
Run, Build
Template Type

Build Rules

GCP Kubernetes Engine Clusters not using Container-Optimized OS for Node image.
JSON Query:
$.resource[*].google_container_node_pool exists and ($.resource[*].google_container_node_pool.*[*].*.node_config anyNull or $.resource[*].google_container_node_pool.*[*].*.node_config[*].image_type anyNull or not $.resource[*].google_container_node_pool.*[*].*.node_config[*].image_type allStartWith cos )
Recommended solution to ensure that Kubernetes Engine Clusters uses Container-Optimized OS for Node image.
Ensure that GCP Kubernetes Engine Clusters uses Container-Optimized OS for Node image. Please make sure that your template have "image_type" defined and set to image that starts with "cos".
For example:
"google_container_node_pool": [ { "<container_node_pool_name>": [ { "cluster": "google_container_cluster.primary.name", "location": "us-central1", "name": "my-node-pool", "node_config": [ { "image_type": "cos" } ], "node_count": 1 } ] } ]

Run Rule Recommendation

  1. Login to GCP Portal.
  2. Go to Kubernetes Engine (Left Panel).
  3. Select Kubernetes clusters.
  4. From the list of clusters, choose the reported cluster.
  5. Under Node Pools, For Node image click on 'Change'.
  6. Choose 'Container-Optimized OS (cos)'.
  7. Click on Change.


There are 3 standards that are applicable to this policy:
  • MITRE ATT&CK [Beta]
  • PCI DSS v3.2
  • CIS v1.0.0 (GCP)

Recommended For You