About the GKE Compliance dashboard

This page provides an overview of the GKE Compliance dashboard in the Google Cloud console, which provides actionable insights to strengthen your security posture. To explore the dashboard yourself, go to the Compliance page in the Google Cloud console.


The GKE Compliance dashboard is available for users who have enabled GKE Enterprise.

When to use the GKE Compliance dashboard

You should use the GKE Compliance dashboard if you're a compliance officer, security administrator or platform administrator who wants to automate compliance reporting for industry benchmarks and standards, with built-in guidance for resolving compliance concerns.

Usage as part of a broad security strategy

To gain comprehensive coverage of your applications throughout the lifecycle from source control to maintenance, we recommend that you use the dashboard with other security tooling.

GKE offers the following tooling to monitor security and compliance in the Google Cloud console:

  • The security posture dashboard: available in the GKE Standard tier and the GKE Enterprise tier.
  • The GKE Compliance dashboard: available in the GKE Enterprise tier.

For more details about other available tooling and for best practices to safeguard your applications from end to end, see Protect your software supply chain.

We also strongly recommend that you implement as many recommendations as possible from Harden your cluster security.

How the GKE Compliance dashboard works

To use the GKE Compliance dashboard, enable the Container Security API in your project. The dashboard shows you insights based on the following standards:

  • CIS Google Kubernetes Engine Benchmark v1.5.0: a set of recommended security controls for configuring Google Kubernetes Engine (GKE), based on the CIS Google Kubernetes Engine (GKE) Benchmarks v1.5.0.
  • Pod Security Standards Baseline: a set of recommended protections for Kubernetes clusters, based on the Kubernetes Pod Security Standards (PSS) Baseline policy.
  • Pod Security Standards Restricted: a set of recommended protections for Kubernetes clusters, based on the Kubernetes Pod Security Standards (PSS) Restricted policy.

Benefits of the GKE Compliance dashboard

The GKE Compliance dashboard is a foundational compliance measure that you can enable for any eligible GKE Enterprise cluster. Google Cloud recommends using the GKE Compliance dashboard for all of your clusters for the following reasons:

  • End-to-end compliance: Get comprehensive compliance assessments from cluster to container workloads.
  • Actionable recommendations: When available, the compliance posture dashboard provides action items to fix discovered concerns. These actions include examples of configuration changes to make and advice about what to do to improve your compliance against specific standards.
  • Centralized visualization: The compliance posture dashboard provides a high-level visualization of concerns affecting clusters across your fleet, and includes charts and graphs to show the progress you've made and the potential impact of each concern.
  • Automated reporting: Automatically audit your workloads against opinionated industry standards and get actionable, attestable compliance reports.

Pricing

The compliance posture dashboard is offered through the GKE Enterprise API. For more information about GKE Enterprise pricing, see the GKE Pricing page.

About the compliance page

The Compliance page in the Google Cloud console has the following tabs:

  • Dashboard: a high-level, visual representation of the results of the compliance audit.
  • Concerns: a detailed, filterable view of any compliance issues detected through compliance auditing.

Dashboard

The Dashboard tab provides a visual representation of any compliance issues on your clusters and workloads. The dashboard includes charts and standard-specific information. For details about the standards available, see How the GKE Compliance dashboard works.

Concerns

The Concerns tab lists active compliance concerns discovered when auditing your clusters and workloads.

You can select individual standards for details and mitigation options. You can change the view to show issues for individual standards or filter by the affected cluster. To view details about a specific concern, expand the standard section until you see the description link and then click the standard description to open the Compliance Constraint pane.

Example workflow

This section is an example of the workflow for a cluster administrator who wants to check their clusters for compliance concerns against the Pod Security Standards Baseline standard.

  1. Enroll the cluster in compliance by using the Google Cloud console.
  2. Check the GKE Compliance dashboard for results, which might take up to 15 minutes to appear.
  3. Click the Concerns tab to open the detailed results.
  4. Select the Pod Security Standards Baseline standard filter.
  5. Expand Pod Security Standards Baseline and Privileged Containers, and then click Disallow privileged containers to open the Compliance Constraint pane for the Pod Security Standards Baseline standard.
  6. On the Details tab, note the recommended configuration change and update the Pod specification with the recommendation.
  7. Apply the updated Pod specification to the cluster.

The next time that the compliance audit runs, the GKE Compliance dashboard no longer displays the concern that you fixed.
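To show what steps 5 through 7 of the workflow change in practice, here is an added Python example (not Google's code and not the dashboard's own audit logic) that flags the configuration the "Disallow privileged containers" constraint reports and produces the corrected Pod specification. The Pod manifest is constructed sample input; the function names are assumptions.

```python
import copy

# Constructed sample manifest: one app container runs privileged, which the
# Pod Security Standards Baseline "Disallow privileged containers" control flags.
PRIVILEGED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo", "namespace": "default"},
    "spec": {
        "initContainers": [{"name": "init", "image": "busybox"}],
        "containers": [
            {"name": "app", "image": "nginx",
             "securityContext": {"privileged": True}},
        ],
    },
}

# The Baseline control applies to all three container lists in a Pod spec.
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def find_privileged_containers(pod):
    """Return 'field/name' for every container with securityContext.privileged=true.

    An unset securityContext or privileged=false is compliant with Baseline.
    """
    spec = pod.get("spec", {})
    findings = []
    for field in CONTAINER_FIELDS:
        for container in spec.get(field, []):
            security_context = container.get("securityContext") or {}
            if security_context.get("privileged") is True:
                findings.append(f"{field}/{container['name']}")
    return findings


def remediate_privileged(pod):
    """Return a copy of the Pod with privileged=false on each offending container.

    The original manifest is left untouched so the before/after can be compared.
    """
    fixed = copy.deepcopy(pod)
    for field in CONTAINER_FIELDS:
        for container in fixed["spec"].get(field, []):
            if (container.get("securityContext") or {}).get("privileged") is True:
                container["securityContext"]["privileged"] = False
    return fixed


if __name__ == "__main__":
    print("concerns:", find_privileged_containers(PRIVILEGED_POD))
    print("after fix:", find_privileged_containers(remediate_privileged(PRIVILEGED_POD)))
```

Run the check against a manifest before applying it; the corrected spec is what you would apply in step 7 so the next audit no longer reports the concern.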

What's next