How are OS patches with critical security updates applied on GCE, GKE and AI Platform notebooks?

8/31/2019

Is there complete documentation which explains if and how OS critical security updates are applied for the following IaaS/PaaS?

  • GCE VM
  • GKE (VMs in a cluster)
  • VM on which an AI Platform notebook is running

In which cases is the GCP team taking care of these updates, and in which cases should we take care of them?

For example, in the case of a GCE VM (Debian OS) the documentation seems to indicate that no patches are applied at all and no reboots are done.

What are people doing to keep GCE or other VMs up to date with critical security updates if this is not managed by GCP? Does just restarting the VM do the trick? Is there some special parameter to set in the YAML template of the VM? I guess for GKE or AI notebook instances this is managed by GCP since this is PaaS, right? Are there some third-party tools to do that?

Thanks for the clarifications.

-- Dr. Fabien Tarrade
google-cloud-platform
google-compute-engine
google-kubernetes-engine
security

1 Answer

9/2/2019

As John mentioned, for the GCE VM instances you are responsible for all of the package updates, and it is handled like on any other system:

Linux: sudo apt/yum update/upgrade
Windows: Windows update

There are some internal tools in each GCE image that could help you to automatically update your system:

  • Windows: automatic updates are enabled by default
  • RedHat/CentOS systems: you can use the yum-cron tool to enable automatic updates
  • Debian: using the tool unattended-upgrade

As per GKE, I think this is done when you upgrade your cluster version, the version of the master is upgraded automatically (since it is Google managed), but the nodes should be done by you. The node update can be automated, please see the second link below for more information.

Please check the following links for more details on how the Upgrade process works in GKE:

Upgrading your cluster
GKE Versioning and upgrades

As per "VM on which is running AI Platform notebook", I don't understand what you mean by this. Could you provide more details?

-- grimmjow_sms
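An added example, not from the question or the answer above: the two checks behind "is restarting enough?" on a Debian GCE VM. It counts the pending upgrades that come from the Debian security origin in `apt-get -s upgrade` output and tests the reboot marker; the apt output format and the /var/run/reboot-required marker path are assumptions, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not code from the question or answer). Assumes the line
# format printed by `apt-get -s upgrade` on Debian/Ubuntu and the
# /var/run/reboot-required marker written after kernel/libc upgrades.

# Count pending "Inst" lines whose candidate version comes from a security
# origin (Debian-Security on Debian, *-security pockets on Ubuntu).
# Reads apt-get simulation output on stdin; prints 0 when nothing matches.
count_security_upgrades() {
    grep -E -c '^Inst .*(Debian-Security|-security)' || true
}

# Exit 0 if the reboot marker exists (a restart is actually needed),
# 1 otherwise. A reboot alone never installs the missing packages.
needs_reboot() {
    marker="${1:-/var/run/reboot-required}"
    [ -f "$marker" ]
}

# Constructed sample, in the shape `apt-get -s upgrade` prints: two of the
# three pending upgrades come from the security origin; "Conf" lines are
# configuration steps for an already counted package and are ignored.
SAMPLE='Inst libssl1.1 [1.1.1n-0+deb11u4] (1.1.1n-0+deb11u5 Debian-Security:11/stable-security [amd64])
Conf libssl1.1 (1.1.1n-0+deb11u5 Debian-Security:11/stable-security [amd64])
Inst curl [7.74.0-1.3+deb11u7] (7.74.0-1.3+deb11u10 Debian:11.8/stable [amd64])
Inst linux-image-amd64 [5.10.179-1] (5.10.191-1 Debian-Security:11/stable-security [amd64])'

# Number of security upgrades pending in the constructed sample.
security_pending() {
    printf '%s\n' "$SAMPLE" | count_security_upgrades
}

# On a live VM the same functions run against real apt output:
#   apt-get update >/dev/null && apt-get -s upgrade | count_security_upgrades
#   needs_reboot && echo "reboot required"
echo "security upgrades pending in sample: $(security_pending)"
```

A non-zero count means packages must be installed (by hand or by unattended-upgrades) before a restart does anything useful; the marker tells you whether the restart is needed afterwards.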
Source: StackOverflow