gke/ERR/2025_001

GKE cluster complies with the serial port logging organization policy.

Product: Google Kubernetes Engine
Rule class: ERR - Something that is very likely to be wrong

Description

When the constraints/compute.disableSerialPortLogging organization policy is enabled, GKE clusters must be created with logging disabled (serial-port-logging-enable: ‘false’), otherwise the creation will fail. If cluster was initially created with “serial-port-logging-enable: ‘true’” and the organization policy was enabled after that, all new node pools have to be created with explicit “serial-port-logging-enable: ‘false’”

Remediation

Cluster metadata and nodepool metadata can be defined only during the creation and they cannot be modified afterwards. To remediate you need to take either of the following steps:

  1. Disable the organization policy ex. gcloud resource-manager org-policies disable-enforce “compute.disableSerialPortAccess” –organization=112233xx4455
  2. Recreate all non-compliant clusters ex. gcloud container clusters create example-cluster
    –metadata serial-port-logging-enable=false
  3. Recreate all non-compliant node pools ex. gcloud container node-pools create node-pool-1
    –cluster=example-cluster –metadata serial-port-logging-enable=false

Further information

  1. https://cloud.google.com/resource-manager/docs/organization-policy/creating-managing-policies https://cloud.google.com/sdk/gcloud/reference/resource-manager/org-policies/disable-enforce
  2. https://cloud.google.com/sdk/gcloud/reference/container/clusters/create#--metadata
  3. https://cloud.google.com/sdk/gcloud/reference/container/node-pools/create#--metadata