GKE Security Posture Management : Automatic Detection of GKE Security Concerns

Ankur Gautam
Google Cloud - Community
Nov 24, 2022

Apart from using GKE to manage applications at scale, the topmost concern for everyone is security. This blog gives you a walkthrough of the integrated security scanning tools and dashboard available in GKE, which help you detect security concerns automatically. These features are available out of the box and give you a view of the security status and concerns across your clusters and workloads.

With GKE Security Posture Management you can actively monitor the security posture of your clusters. The dashboard reads results from multiple monitoring, analysis and scanning technologies built around GKE and gives you an integrated view of security.

The dashboard is generated from two types of scans:

Workload configuration scanning

GKE workloads should ideally run with a hardened configuration, but it is difficult to review every configuration file manually. Workload scanning checks each Pod against the policies defined in the Pod Security Standards.

Container scanning for known vulnerabilities

GKE scans the container images running in your Pods for known vulnerabilities listed in NIST's public CVE database.

Once the scan is done, the following views are available in the Security Posture dashboard.

Security Posture — Main Dashboard

The Dashboard tab has the following views:

  • Charts that show the severity of security concerns across your clusters.
  • Types of configuration concerns by severity, with actionable guidance.
  • Types of vulnerability concerns by severity, with actionable guidance.
  • The proportion of workloads that are affected.

Security Posture — Concerns Dashboard

You can go to the Concerns tab and double-click on a concern to get opinionated and actionable guidance.

Vulnerability Scan Results
Configuration concern and recommended actions

How to enable workload scanning on your cluster?

Use the CLI to run the following command:

gcloud beta container clusters update CLUSTER_NAME \
--region=COMPUTE_REGION \
--enable-workload-config-audit

CLUSTER_NAME = the name of your cluster

COMPUTE_REGION = the region of your cluster; for a zonal cluster use --zone instead.

You can also view logs for the discovered concerns by going to Logs Explorer and running the following query:

resource.type="k8s_cluster"
jsonPayload.@type="type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding"
jsonPayload.type="FINDING_TYPE_MISCONFIG"

How to enable container scanning?

Use the CLI to run the following command:

gcloud beta container clusters update CLUSTER_NAME \
--region=COMPUTE_REGION \
--enable-workload-vulnerability-scanning

CLUSTER_NAME = the name of your cluster

COMPUTE_REGION = the region of your cluster; for a zonal cluster use --zone instead.

You can also view logs for the discovered container vulnerabilities by going to Logs Explorer and running the following query:

resource.type="k8s_cluster"
jsonPayload.@type="type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding"
jsonPayload.type="FINDING_TYPE_VULNERABILITY"
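The two enablement steps and the two log queries above, combined into one script as an added example (this is not code from the original post or from Google). It assumes an installed and authenticated gcloud SDK, that the caller passes the cluster name and its location, and that a location ending in "-<letter>" is a zone (a heuristic, not a GKE rule):

```shell
#!/bin/sh
# Added example: enable both GKE security posture scans on a cluster, then read
# the resulting Finding log entries with gcloud. Assumes gcloud is installed and
# authenticated; CLUSTER_NAME and location come from the command line.
set -eu

# Regional clusters take --region, zonal clusters take --zone (as the post notes).
# Heuristic (assumption): a zone name ends in "-<letter>", e.g. us-central1-a.
location_flag() {
  case "$1" in
    *-[a-z]) printf '%s' "--zone=$1" ;;
    *)       printf '%s' "--region=$1" ;;
  esac
}

# Build the Cloud Logging filter from the post for one finding type
# (FINDING_TYPE_MISCONFIG or FINDING_TYPE_VULNERABILITY); one clause per line,
# which the Logging query language treats as an implicit AND.
finding_filter() {
  printf '%s\n%s\n%s\n' \
    'resource.type="k8s_cluster"' \
    'jsonPayload.@type="type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding"' \
    "jsonPayload.type=\"$1\""
}

# Turn on workload configuration auditing and vulnerability scanning. Each update
# is a separate call so that a failure is attributable to one feature.
enable_posture_scans() {
  cluster="$1"; flag="$(location_flag "$2")"
  gcloud beta container clusters update "$cluster" "$flag" --enable-workload-config-audit
  gcloud beta container clusters update "$cluster" "$flag" --enable-workload-vulnerability-scanning
}

# Read recent findings of one type as JSON (default window: the last 24 hours).
read_findings() {
  gcloud logging read "$(finding_filter "$1")" --freshness="${2:-24h}" --format=json
}

# Usage: ./posture.sh CLUSTER_NAME COMPUTE_REGION_OR_ZONE
if [ $# -eq 2 ]; then
  enable_posture_scans "$1" "$2"
  read_findings FINDING_TYPE_MISCONFIG
  read_findings FINDING_TYPE_VULNERABILITY
fi
```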

Additional resources & recommendations

You can read more about this in the official documentation.

For preventive and proactive security measures, you can secure your build and integration pipeline using the following services:
