Security overview

This page provides an introduction to establishing good security practices for GKE on Bare Metal. The guidance on this page is not intended to provide you with a comprehensive list of best practices.

Using good practices for security on GKE on Bare Metal involves applying concepts from Kubernetes and Google Kubernetes Engine (GKE), as well as concepts that are unique to GKE on Bare Metal.

Kubernetes security

We recommend that you follow general Kubernetes guidelines for security when you're using GKE on Bare Metal.

For an introduction to Kubernetes security guidelines, see the Security Checklist and Overview of Cloud Native Security in the Kubernetes documentation.

GKE security

GKE on Bare Metal extends GKE to let you create GKE clusters on your own Linux servers on your own premises. To learn more about GKE security, see the GKE security overview. As you're reading, keep in mind that because your control plane and nodes run on-premises, the suggestions for control plane security and node security don't apply.

GKE on Bare Metal security

The following sections provide guidance for establishing good security practices for GKE on Bare Metal.

Hardware security

• Secure your on-premises data centers with industry standard physical security and safety features.

• Ensure that access to your admin workstation is highly restricted. The admin workstation stores sensitive data such as kubeconfig files, SSH keys, and service account keys.

Node security

• Keep your operating system up-to-date by updating software packages and installing security patches.

Cluster security

• Harden the security of your GKE on Bare Metal clusters.

• Isolate your traffic and data by using an admin and user cluster deployment. This deployment type helps you to achieve the following types of isolation:

  • Workload traffic is isolated from administrative, or management plane traffic.
  • Cluster access is isolated by group or role.
  • Production workloads are isolated from development workloads.

• Upgrade your clusters to a supported version. Using a supported version provides you with the following security benefits:

  • Fixes for security vulnerabilities.
  • New features and functions that take advantage of latest security posture and technologies.
  • Updates for bundled software and components.

Workload security

• Secure your containers using Security-Enhanced Linux (SELinux).

• Secure your workloads with Binary Authorization. Binary Authorization is a service on Google Cloud that provides software supply-chain security for applications that run in the cloud. With Binary Authorization, you can ensure that internal processes that safeguard the quality and integrity of your software have successfully completed before an application is deployed to your production environment.

• Use Workload Identity to give Pods access to Google Cloud resources. Workload Identity allows a Kubernetes service account to run as an IAM service account. Pods that run as the Kubernetes service account have the permissions of the IAM service account.

• Follow the best practices for GKE RBAC.

Network security

• Choose a secure connection between your GKE on Bare Metal and Google Cloud. After your fundamental connection is in place, add features that enhance the security of your connection.

• Limit the exposure of your clusters to the public internet by installing them behind a proxy and creating firewall rules. Also use the appropriate controls in your network environment to limit public access to the cluster.

Authentication security

• Manage identity with GKE Identity Service. GKE Identity Service is an authentication service that lets you bring your existing identity solutions for authentication to multiple Google Kubernetes Engine (GKE) Enterprise edition environments. You can sign in to and use your GKE on Bare Metal clusters from the command line (all providers) or from the Google Cloud console (OIDC only), all using your existing identity provider.

• Connect to registered clusters with the Connect gateway. The Connect gateway builds on the power of fleets to let GKE Enterprise users connect to and run commands against registered clusters in a simple, consistent, and secured way.

Credential security

• Rotate certificate authorities. GKE on Bare Metal uses certificates and private keys to authenticate and encrypt connections between system components in clusters. To maintain secure cluster communication, rotate your user cluster certificate authorities periodically and whenever there is a possible security breach.

• Rotate service account keys. To reduce the security risk caused by leaked keys, we recommend that you regularly rotate your service keys.

Monitor your security

• Use Kubernetes audit logging. Audit logging provides a way for administrators to retain, query, process, and alert on events that occur in your GKE on Bare Metal environments.

For more information about monitoring cluster security, see Monitor fleet security posture.