GKE Enterprise shared responsibility
Running a business-critical application on GKE Enterprise requires multiple parties to carry different responsibilities. While not an exhaustive list, this topic lists the roles and responsibilities for each GKE Enterprise cluster option for both Google and the customer.
This page is for Admins, Architects, and Operators who manage the lifecycle of the underlying tech infrastructure. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE Enterprise user roles and tasks.
GKE on Google Cloud
Google's responsibilities
- Protecting the underlying infrastructure, including hardware, firmware, kernel, OS, storage, network, and more. This includes encrypting data at rest by default, providing additional customer-managed disk encryption, encrypting data in transit, using custom-designed hardware, laying private network cables, protecting data centers from physical access, protecting the bootloader and kernel against modification using Shielded Nodes, and following secure software development practices.
- Hardening and patching the nodes' operating system, such as Container-Optimized OS or Ubuntu. GKE promptly makes any patches to these images available. If you have auto-upgrade enabled, or are using a release channel, these updates are automatically deployed. This is the OS layer underneath your container—it's not the same as the operating system running in your containers.
- Building threat detection for container-specific threats into the kernel and operating it as Container Threat Detection (priced separately with Security Command Center).
- Hardening and patching Kubernetes node components. All GKE managed components are upgraded automatically when you upgrade GKE node versions. This includes:
  - vTPM-backed trusted bootstrap mechanism for issuing kubelet TLS certificates and auto-rotation of the certificates
  - Hardened kubelet configuration following CIS benchmarks
  - GKE metadata server for Workload Identity
  - GKE's native Container Network Interface plugin and Calico for NetworkPolicy
  - GKE Kubernetes storage integrations such as the CSI driver
  - GKE logging and monitoring agents
- Hardening and patching the control plane. The control plane includes the control plane VM, API server, scheduler, controller manager, cluster CA, TLS certificate issuance and rotation, root-of-trust key material, IAM authenticator and authorizer, audit logging configuration, etcd, and various other controllers. All of your control plane components run on Google-operated Compute Engine instances. These instances are single tenant, meaning each instance runs the control plane and its components for only one customer.
- Provide Google Cloud integrations for Connect, Identity and Access Management, Cloud Audit Logs, Google Cloud Observability, Cloud Key Management Service, Security Command Center, and others.
- Restrict and log Google administrative access to customer clusters for contractual support purposes with Access Transparency.
Customer's responsibilities
- Maintain your workloads, including your application code, build files, container images, data, Role-based access control (RBAC)/IAM policy, and containers and pods that you are running.
- Rotate your cluster credentials.
- Enroll clusters in auto-upgrade (default) or upgrade clusters to supported versions.
- Monitor the cluster and applications and respond to any alerts and incidents using technologies such as the security posture dashboard and Google Cloud Observability.
- Provide Google with environmental details when requested for troubleshooting purposes.
- Ensure Logging and Monitoring are enabled on clusters. Without logs, support is available on a best-effort basis.
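As an added example (not Google's code and not part of this page), the following Python script checks the customer-side items above against the JSON that `gcloud container clusters describe CLUSTER --location LOCATION --format=json` prints: enrollment in a release channel or, failing that, node auto-upgrade per pool, node pools lagging the control plane minor version, the `SYSTEM_COMPONENTS` entries of the Logging and Monitoring configuration, and the Shielded Nodes and Workload Identity settings mentioned under Google's responsibilities. The cluster document embedded below is constructed for the example; the field names follow the GKE cluster resource, and the severities are this example's own choice.

```python
"""Customer-side posture check for a GKE on Google Cloud cluster.

Added example, not Google's code. Feed it the JSON from
`gcloud container clusters describe CLUSTER --location LOCATION --format=json`.
"""
import json
import sys

# Constructed sample: an abbreviated `clusters describe` document containing
# only the fields this check reads. Real output has many more fields.
SAMPLE_CLUSTER_JSON = """
{
  "name": "payments-prod",
  "currentMasterVersion": "1.29.4-gke.1043002",
  "releaseChannel": {"channel": "UNSPECIFIED"},
  "nodePools": [
    {"name": "default-pool", "version": "1.29.4-gke.1043002",
     "management": {"autoUpgrade": false, "autoRepair": true}},
    {"name": "batch", "version": "1.28.9-gke.1000000",
     "management": {"autoUpgrade": true, "autoRepair": true}}
  ],
  "loggingConfig": {"componentConfig": {"enableComponents": ["SYSTEM_COMPONENTS"]}},
  "monitoringConfig": {"componentConfig": {"enableComponents": []}},
  "shieldedNodes": {"enabled": true},
  "workloadIdentityConfig": {}
}
"""


def parse_cluster(text):
    """Parse the `clusters describe --format=json` output into a dict."""
    return json.loads(text)


def _minor(version):
    """'1.29.4-gke.1043002' -> (1, 29); only the Kubernetes minor matters here."""
    return tuple(int(part) for part in version.split(".")[:2])


def _enabled_components(cluster, key):
    """Set of enabled components under loggingConfig / monitoringConfig."""
    return set(cluster.get(key, {}).get("componentConfig", {}).get("enableComponents", []))


def check_cluster(cluster):
    """Return a list of (severity, finding) tuples; an empty list means every check passed."""
    findings = []

    # Upgrades: a release channel keeps control plane and nodes on supported
    # versions. Without one, each node pool must at least auto-upgrade.
    channel = cluster.get("releaseChannel", {}).get("channel", "UNSPECIFIED")
    if channel == "UNSPECIFIED":
        findings.append(("WARN", "cluster is not enrolled in a release channel"))
        for pool in cluster.get("nodePools", []):
            if not pool.get("management", {}).get("autoUpgrade", False):
                findings.append(("HIGH", f"node pool {pool['name']} has auto-upgrade disabled"))

    # Node pools on an older minor than the control plane are the customer's to upgrade.
    master_minor = _minor(cluster["currentMasterVersion"])
    for pool in cluster.get("nodePools", []):
        if _minor(pool["version"]) < master_minor:
            findings.append(("WARN", f"node pool {pool['name']} runs {pool['version']}, "
                                     f"control plane is {cluster['currentMasterVersion']}"))

    # Logging and Monitoring: without system component logs, support is best-effort.
    if "SYSTEM_COMPONENTS" not in _enabled_components(cluster, "loggingConfig"):
        findings.append(("HIGH", "system component logging is disabled"))
    if "SYSTEM_COMPONENTS" not in _enabled_components(cluster, "monitoringConfig"):
        findings.append(("HIGH", "system component monitoring is disabled"))

    # Shielded Nodes protects bootloader and kernel; Workload Identity keeps
    # pods off the node service account credentials.
    if not cluster.get("shieldedNodes", {}).get("enabled", False):
        findings.append(("HIGH", "Shielded Nodes is disabled"))
    if not cluster.get("workloadIdentityConfig", {}).get("workloadPool"):
        findings.append(("WARN", "Workload Identity is not configured"))

    return findings


if __name__ == "__main__":
    # Read real output from stdin, or fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CLUSTER_JSON
    cluster = parse_cluster(text)
    for severity, finding in check_cluster(cluster):
        print(f"[{severity}] {cluster['name']}: {finding}")
```

Run it as `gcloud container clusters describe CLUSTER --location LOCATION --format=json | python3 check_cluster.py`; the constructed sample yields five findings (no release channel, one pool without auto-upgrade, one lagging pool, monitoring off, no Workload Identity), and a cluster on a release channel with both component sets enabled produces none.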
Google Distributed Cloud (software-only) on VMware
Google's responsibilities
- Maintain and distribute the Google Distributed Cloud software package including Kubernetes, vCenter and F5 controllers, Ingress controller, Connect, Logging, and Monitoring agents, and the gkectl command line tool.
- Maintain and distribute the Ubuntu admin workstation and node machine images including regular patching and security fixes.
- Continually scan components with the Artifact Analysis API and patch known vulnerabilities.
- Notify users of available upgrades for Google Distributed Cloud, and produce upgrade scripts for the previous version; Google Distributed Cloud on VMware supports sequential upgrades only (1.2 → 1.3 → 1.4 only and not 1.2 → 1.4).
- Provide Google Cloud integrations for Connect and Google Cloud Observability.
- Troubleshoot, provide workarounds, and correct the root cause of any issues related to Google-provided components.
Customer's responsibilities
- Provide overall system administration for on-premises clusters.
- Maintain your workloads, including your application code, build files, container images, data, Role-based access control (RBAC)/IAM policy, and containers and pods that you are running.
- Operate, maintain, and patch infrastructure, including networks, servers, storage, and connectivity to Google Cloud.
- Operate, maintain, and patch vSphere and network load balancers.
- Maintain support contracts with VMware and F5 (if deployed).
- Upgrade Google Distributed Cloud to a supported version on a regular basis.
- Deploy and test your workloads on updated node machine images. Deploy and test updated admin workstation images in your environment. Raise concerns to Google through Cloud Customer Care.
- Monitor clusters and applications and respond to any incidents.
- Ensure Logging and Monitoring agents are deployed to clusters. Without logs, support is available on a best-effort basis.
- Provide Google with environmental details (for example, network configuration) when requested for troubleshooting purposes.
Google Distributed Cloud (software-only) on bare metal
Google's responsibilities
- Maintain and distribute the Google Distributed Cloud software package including Kubernetes, Ingress controller, Connect and Logging and Monitoring agents, and the bmctl command line tool.
- Continually scan components with the Artifact Analysis API and patch known vulnerabilities.
- Notify users of available upgrades for Google Distributed Cloud, and produce upgrade instructions for the previous version; Google Distributed Cloud on bare metal supports sequential upgrades between minor versions and patch releases (1.2 → 1.3 → 1.4 only and not 1.2 → 1.4).
- Provide Google Cloud integrations for Connect and Google Cloud Observability.
- Troubleshoot, provide workarounds, and correct the root cause of any issues related to Google-provided components.
Customer's responsibilities
- Provide overall system administration for clusters.
- Maintain your workloads, including your application code, build files, container images, data, RBAC/IAM allow policy, and containers and pods that you are running.
- Operate, maintain, and patch infrastructure, including networks, servers, storage, and connectivity to Google Cloud.
- Maintain support contracts with vendors.
- Upgrade Google Distributed Cloud to a supported version on a regular basis.
- Deploy and test your workloads on updated node machine images. Deploy and test updated admin workstation images in your environment. Raise concerns to Google through Cloud Customer Care.
- Monitor clusters and applications and respond to any incidents.
- Ensure Logging and Monitoring agents are deployed to clusters. Without logs, support is available on a best-effort basis.
- Provide Google with environmental details (for example, network configuration) when requested for troubleshooting purposes.
GKE on AWS (multi-cloud)
Google's responsibilities
- Maintain and distribute the GKE on AWS software package including Kubernetes, base images, the AWS integration features, the Ingress controller, the Connect agent, and the anthos-gke command line tool.
- Continually scan components with the Artifact Analysis API and patch known vulnerabilities.
- Maintain and distribute the management service, control plane, and node pool machine images, including regular patching and security fixes.
- Notify users of available upgrades for GKE on AWS, and produce upgrade instructions for the previous version. GKE on AWS supports sequential upgrades only (1.2 → 1.3 → 1.4 only and not 1.2 → 1.4).
- Provide Google Cloud integrations for Connect and Google Cloud Observability.
- Troubleshoot, provide workarounds, and correct the root cause of any issues related to Google-provided components.
Customer's responsibilities
- Provide overall system administration for GKE on AWS clusters. For example, configuring them to work within the corporate VPC environment.
- Maintain your workloads, including your application code, build files, container images, data, RBAC/IAM allow policy, and containers and pods that you are running.
- Operate and maintain the AWS environment, including networking configuration, and connectivity to Google Cloud.
- Maintain support contracts with AWS.
- Upgrade GKE on AWS to a supported version on a regular basis.
- Monitor clusters and applications and respond to any incidents.
- Ensure Logging and Monitoring agents are deployed to clusters. Without logs, support is available on a best-effort basis.
- Provide Google with environmental details (for example, AWS VPC configuration) when requested for troubleshooting purposes.
GKE on Azure
Google's responsibilities
- Maintain and distribute the GKE on Azure software package including Kubernetes, base images, Azure integrations, the Ingress controller, the Connect agent, and the Google Cloud CLI.
- Continually scan components with the Artifact Analysis API and patch known vulnerabilities.
- Maintain and distribute the management service, control plane, and node pool machine images, including regular patching and security fixes.
- Notify users of available upgrades for GKE on Azure, and produce upgrade instructions for the previous version. GKE on Azure supports sequential upgrades only (1.2 → 1.3 → 1.4 only and not 1.2 → 1.4).
- Provide Google Cloud integrations for Connect and Google Cloud Observability.
- Troubleshoot, provide workarounds, and correct the root cause of any issues related to Google-provided components.
Customer's responsibilities
- Provide overall system administration for GKE on Azure clusters. For example, configuring them to work within the corporate virtual network (VNet) environment.
- Maintain your workloads, including your application code, build files, container images, data, RBAC/IAM allow policy, and containers and pods that you are running.
- Operate and maintain the Azure environment, including networking configuration, and connectivity to Google Cloud.
- Maintain support contracts with Azure.
- Upgrade GKE on Azure to a supported version on a regular basis.
- Monitor clusters and applications and respond to any incidents.
- Ensure Logging and Monitoring agents are deployed to clusters. Without logs, support is available on a best-effort basis.
- Provide Google with environmental details (for example, Azure VNet configuration) when requested for troubleshooting purposes.
GKE Enterprise attached clusters
Google's responsibilities
- Provide a list of supported Kubernetes distributions and versions.
- Notify users of available upgrades for GKE Enterprise components, and produce upgrade instructions for the previous version. GKE Enterprise supports sequential upgrades only (1.2 → 1.3 → 1.4 only and not 1.2 → 1.4).
- Provide Google Cloud integrations for Connect and Google Cloud Observability.
- Troubleshoot, provide workarounds, and correct the root cause of any issues related to Google-provided components.
Customer's responsibilities
- Provide a modern Kubernetes platform that meets Google's specifications. The platform includes, but is not limited to: hardware, OS, Kubernetes API server, VPC configuration, and other attributes.
- Maintain your workloads, including your application code, build files, container images, data, RBAC/IAM allow policy, and containers and pods that you are running.
- Operate, maintain, and patch infrastructure, including networks, servers, storage, and connectivity to Google Cloud.
- Operate, maintain, and patch any other infrastructure needed to run the cluster.
- Maintain support contracts with third parties. For example: networking, container orchestration, computing resource, and storage vendors.
- Upgrade Kubernetes to a supported version on a regular basis.
- Monitor clusters and applications and respond to any incidents.
- Keep your clusters connected to Google services.
- Provide Google with environmental details (for example, network configuration) when requested for troubleshooting purposes.
What's next
Learn about how Google handles Security patching for GKE Enterprise.
Configure Logging and Monitoring for: