GKE Security Posture Management : Automatic Detection of GKE Security Concerns
Apart from using GKE to manage applications at scale, the topmost concern for everyone is security. This post walks through the integrated security scanning tools and dashboard available in GKE that automatically detect security concerns. These features are available out of the box and give you a view of the security status and concerns across your clusters and workloads.
With GKE Security Posture Management you can actively monitor the security posture of your clusters. The dashboard reads results from multiple monitoring, analysis and scanning technologies built around GKE and gives you an integrated view of security.
The dashboard is generated from two types of scans:
Workload configuration scanning
GKE workloads should ideally run with a hardened configuration, but manually reviewing every configuration file is impractical. Workload scanning checks each Pod against the policies defined in the Kubernetes Pod Security Standards.
Container scanning for known vulnerabilities
GKE scans the container images running in your Pods for known vulnerabilities listed in the public CVE database maintained by NIST.
Once the scan is done, the following views are available in the Security Posture dashboard.
The Dashboard tab has the following views:
- Charts that summarise the severity of security concerns across your clusters.
- Types of configuration concern by severity, with actionable guidance.
- Types of vulnerability concern by severity, with actionable guidance.
- The proportion of workloads that are affected.
You can go to the Concerns tab and double-click a concern to get opinionated and actionable guidance.
How to enable workload scanning on your cluster?
Use the CLI to run the following command:
gcloud beta container clusters update CLUSTER_NAME \
--region=COMPUTE_REGION \
--enable-workload-config-audit
CLUSTER_NAME = the name of your cluster
COMPUTE_REGION = the region of your cluster; for a zonal cluster use --zone instead.
You can also view logs for the discovered concerns by going to Logs Explorer and running the following query:
resource.type="k8s_cluster"
jsonPayload.@type="type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding"
jsonPayload.type="FINDING_TYPE_MISCONFIG"
How to enable container scanning?
Use the CLI to run the following command:
gcloud beta container clusters update CLUSTER_NAME \
--region=COMPUTE_REGION \
--enable-workload-vulnerability-scanning
CLUSTER_NAME = the name of your cluster
COMPUTE_REGION = the region of your cluster; for a zonal cluster use --zone instead.
You can also view logs for the discovered container vulnerabilities by going to Logs Explorer and running the following query:
resource.type="k8s_cluster"
jsonPayload.@type="type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding"
jsonPayload.type="FINDING_TYPE_VULNERABILITY"
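The two Logs Explorer queries above differ only in the jsonPayload.type value. As an added example (not code from Google or from the original post), the following Python applies the same three-field filter offline to exported log entries and counts findings per cluster, so you can triage misconfigurations and vulnerabilities from a log export or a SIEM feed without the console. It assumes entries use the JSON shape that gcloud logging read --format=json emits (a list of objects with resource and jsonPayload keys) and that the resource carries a labels.cluster_name field; the sample entries are constructed for illustration.

```python
import json

# Values taken from the Logs Explorer queries on this page.
FINDING_TYPE_URL = "type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding"
MISCONFIG = "FINDING_TYPE_MISCONFIG"
VULNERABILITY = "FINDING_TYPE_VULNERABILITY"


def matches_finding_query(entry, finding_type):
    """Mirror the Logs Explorer filter: resource.type, jsonPayload.@type and
    jsonPayload.type must all match for the entry to count as a finding."""
    payload = entry.get("jsonPayload") or {}
    resource = entry.get("resource") or {}
    return (resource.get("type") == "k8s_cluster"
            and payload.get("@type") == FINDING_TYPE_URL
            and payload.get("type") == finding_type)


def count_findings_by_cluster(entries, finding_type):
    """Return {cluster_name: number_of_findings} for one finding type.
    Assumption: cluster name lives under resource.labels.cluster_name."""
    counts = {}
    for entry in entries:
        if not matches_finding_query(entry, finding_type):
            continue
        labels = (entry.get("resource") or {}).get("labels") or {}
        cluster = labels.get("cluster_name", "<unknown>")
        counts[cluster] = counts.get(cluster, 0) + 1
    return counts


def load_entries(exported_json):
    """Parse the JSON array produced by `gcloud logging read --format=json`."""
    return json.loads(exported_json)


# Constructed sample export: two misconfig findings, one vulnerability finding,
# one finding-shaped entry on the wrong resource type, and one ordinary log line.
SAMPLE_EXPORT = json.dumps([
    {"resource": {"type": "k8s_cluster", "labels": {"cluster_name": "prod-a"}},
     "jsonPayload": {"@type": FINDING_TYPE_URL, "type": MISCONFIG}},
    {"resource": {"type": "k8s_cluster", "labels": {"cluster_name": "prod-a"}},
     "jsonPayload": {"@type": FINDING_TYPE_URL, "type": VULNERABILITY}},
    {"resource": {"type": "k8s_cluster", "labels": {"cluster_name": "dev-b"}},
     "jsonPayload": {"@type": FINDING_TYPE_URL, "type": MISCONFIG}},
    {"resource": {"type": "k8s_container", "labels": {"cluster_name": "dev-b"}},
     "jsonPayload": {"@type": FINDING_TYPE_URL, "type": MISCONFIG}},
    {"resource": {"type": "k8s_cluster", "labels": {"cluster_name": "dev-b"}},
     "textPayload": "container started"},
])
```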
Additional resources & recommendations
You can read more about this in the official documentation:
For preventive and proactive security measures you can secure your build and integration pipeline using the following services:
- Container Vulnerability Assessment — https://cloud.google.com/container-analysis/docs/automated-scanning-howto
- Binary Authorization — https://cloud.google.com/binary-authorization/docs#training-and-tutorials