Use Forseti to make sure your Google Kubernetes Engine clusters are updated for “Meltdown” and “Spectre”
Andrew Hoying
Google Cloud Security Engineer
Last month, Project Zero disclosed details about CPU vulnerabilities that have been referred to as “Meltdown” and “Spectre,” and we let you know that Google Cloud has been updated to protect against all known vulnerabilities.
Customers running virtual machines (VMs) on Google Cloud services should continue to follow security best practices and regularly apply all security updates, just as they would for any other operating system vulnerability. We provided a full list of recommended actions for GCP customers to protect against these vulnerabilities.
One recommended action is to update all Google Kubernetes Engine clusters to ensure the underlying VM image is fully patched. You can do this automatically by enabling auto-upgrade on your Kubernetes node pools. Want to make sure all your clusters are running a version patched against these CPU vulnerabilities? The Google Cloud security team developed a scanner that can help.
The scanner is now available within Forseti Security, an open-source security toolkit for GCP, allowing you to quickly identify any Kubernetes Engine clusters that have not yet been patched.
If you’ve already installed Forseti, you’ll need to upgrade to version 1.1.10 and enable the scanner. If not, install Forseti Security on a new project in your GCP organization. The scanner will check the version of the node pools in all Kubernetes Engine clusters running in all your GCP projects on an hourly basis. Forseti writes any violations it finds to its violations table, and optionally sends an email to your GCP admins, to help you identify any lingering Meltdown exposure.
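To show the kind of check the scanner performs, here is an added illustration in Python (written for this page, not Forseti's own scanner code): it parses GKE node-pool version strings, compares each pool against a minimum patched version, and collects a violation record per unpatched pool, the sort of row that would end up in a violations table or an admin email. The cluster inventory is constructed sample data, and `MIN_PATCHED_VERSION` is a placeholder; the real threshold must be taken from the Kubernetes Engine security bulletin for these vulnerabilities, not from this example.

```python
"""Added example (not Forseti's code): flag GKE node pools running a
version older than a minimum patched version."""
import re
from typing import Dict, List, Tuple

# Placeholder threshold, assumed for illustration only. Use the version
# named in the Kubernetes Engine security bulletin in practice.
MIN_PATCHED_VERSION = "1.8.7-gke.1"

# GKE versions look like "1.8.7-gke.1"; the "-gke.N" suffix is optional
# in some listings, so it is treated as 0 when absent.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-gke\.(\d+))?$")


def parse_gke_version(version: str) -> Tuple[int, int, int, int]:
    """Turn a GKE version string into a comparable integer tuple.

    Comparing tuples avoids the classic string-comparison pitfall where
    "1.10.0" sorts before "1.9.9".
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised GKE version string: {version!r}")
    major, minor, patch, gke = match.groups()
    return (int(major), int(minor), int(patch), int(gke or 0))


def is_patched(version: str, minimum: str = MIN_PATCHED_VERSION) -> bool:
    """True when `version` is at or above the minimum patched version."""
    return parse_gke_version(version) >= parse_gke_version(minimum)


def find_violations(clusters: List[Dict], minimum: str = MIN_PATCHED_VERSION) -> List[Dict]:
    """Walk every node pool of every cluster and record the unpatched ones."""
    violations = []
    for cluster in clusters:
        for pool in cluster["node_pools"]:
            if not is_patched(pool["version"], minimum):
                violations.append({
                    "project_id": cluster["project_id"],
                    "cluster": cluster["name"],
                    "node_pool": pool["name"],
                    "version": pool["version"],
                    "minimum": minimum,
                })
    return violations


def format_report(violations: List[Dict]) -> str:
    """Render violations as plain text, e.g. for an admin notification."""
    if not violations:
        return "All node pools are at or above the minimum patched version."
    lines = ["Unpatched Kubernetes Engine node pools:"]
    for v in violations:
        lines.append(
            f"  {v['project_id']}/{v['cluster']}/{v['node_pool']}: "
            f"{v['version']} (minimum {v['minimum']})"
        )
    return "\n".join(lines)


# Constructed sample inventory; project, cluster and pool names are made up.
SAMPLE_CLUSTERS = [
    {"project_id": "prod-example", "name": "web", "node_pools": [
        {"name": "default-pool", "version": "1.8.7-gke.1"},
        {"name": "gpu-pool", "version": "1.8.5-gke.0"},
    ]},
    {"project_id": "dev-example", "name": "ci", "node_pools": [
        {"name": "default-pool", "version": "1.9.2-gke.0"},
    ]},
    {"project_id": "legacy-example", "name": "batch", "node_pools": [
        {"name": "default-pool", "version": "1.7.12-gke.0"},
    ]},
]

if __name__ == "__main__":
    print(format_report(find_violations(SAMPLE_CLUSTERS)))
```

In a real deployment the inventory would come from the Kubernetes Engine API across all projects in the organization, which is what Forseti's inventory step supplies; the comparison logic above is the part worth getting right, because a naive string comparison of versions will misclassify pools once a minor or patch number reaches two digits.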
The Forseti toolkit can be used in many different ways to help you stay secure. To learn more about the Forseti community, check out this blog post. Contact discuss@forsetisecurity.org if you have any questions about this tool.