Audit clusters for compliance standards

This page shows you how to automatically audit your clusters for compliance concerns and get actionable recommendations to improve the compliance of your Google Kubernetes Engine (GKE) Enterprise edition clusters. Compliance auditing is a feature of the GKE Compliance dashboard. For more information, see About the GKE Compliance dashboard.

Supported compliance standards

Compliance auditing scans your clusters for compliance against the following standards and provides recommendations to improve your compliance posture:

Name	Description
CIS Google Kubernetes Engine Benchmark v1.5.0	A set of recommended security controls for configuring Google Kubernetes Engine (GKE), based on the CIS Google Kubernetes Engine (GKE) Benchmarks v1.5.0.
Pod Security Standards Baseline	A set of recommended protections for Kubernetes clusters, based on the Kubernetes Pod Security Standards (PSS) Baseline policy.
Pod Security Standards Restricted	A set of recommended protections for Kubernetes clusters, based on the Kubernetes Pod Security Standards (PSS) Restricted policy.

Pricing

The GKE Compliance dashboard is available for users who have enabled GKE Enterprise.

Before you begin

Before you start, make sure you have performed the following tasks:

• Enable the GKE Enterprise API.

  Enable GKE Enterprise API

• Enable the Container Security API.

  Enable Container Security API

• Create a cluster and register it to a fleet.

Requirements

To get the permissions that you need to use compliance auditing, ask your administrator to grant you the following IAM roles on your Google Cloud project:

• Container Security Viewer (roles/containersecurity.viewer)
• Fleet Viewer (formerly GKE Hub Viewer) (roles/gkehub.viewer)

For more information about granting roles, see Manage access.

These predefined roles contain the permissions required to use compliance auditing. To see the exact permissions that are required, expand the Required permissions section:

Required permissions

The following permissions are required to use compliance auditing:

• resourcemanager.projects.get
• resourcemanager.projects.list
• containersecurity.locations.list
• containersecurity.locations.get
• containersecurity.clusterSummaries.list
• containersecurity.findings.list
• container.clusters.list
• gkehub.features.get
• gkehub.memberships.list

You might also be able to get these permissions with custom roles or other predefined roles.

Audit cluster compliance

You can enable compliance auditing on your cluster by using the Google Cloud console.

Enable compliance auditing on an existing cluster

1. Go to the Compliance page in the Google Cloud console.

   Go to Compliance

2. In the Settings card, click Select clusters.

3. In the Audit disabled tab, select the checkboxes for the clusters that you want to add.

4. Click Enable to enable auditing on those clusters.

Test compliance auditing

Deploy a sample Pod that intentionally violates the Pod Security Standards.

1. Save the following manifest as noncompliant-sample.yaml:

   apiVersion: v1
   kind: Pod
   metadata:
     namespace: default
     name: wp-non-compliant
     labels:
       app: wordpress
   spec:
     containers:
     - image: nginx
       name: wordpress
       securityContext:
         capabilities:
           add:
           - NET_RAW
   

2. Apply the resource to your cluster:

   kubectl apply -f noncompliant-sample.yaml
   

If you want to try other violations, modify noncompliant-sample.yaml with a different, non-compliant configuration.

View and resolve compliance issues

The initial audit takes up to 15 minutes to return results. You can view the results on the Compliance page or as entries in your cluster logs.

View results

To see an overview of compliance issues across your project's clusters, do the following:

1. Go to the Compliance page in the Google Cloud console.

   Go to Compliance

2. Click the Concerns tab.

3. In the Filter concerns pane, in the Standards section, select the standard for which you want details.

View standard details and recommendations

To view detailed information information about a specific standard, expand the standard section until you see the description link and then click the standard description to open the Compliance Constraint pane.

The Details tab shows the following information:

• Description: a description of the standard.
• Recommended action: an overview of actions that you can take to fix the compliance issue.

The Affected Resources tab lists the resources affected by the standard.

View logs for discovered concerns

For discovered compliance concerns, you can view a corresponding entry in Logging.

1. Go to the Logs Explorer in the Google Cloud console.

   Go to Logs Explorer

2. In the Query field, specify the following query:

   resource.type="k8s_cluster"
   jsonPayload.@type="type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding"
   jsonPayload.type="FINDING_TYPE_MISCONFIG"
   jsonPayload.configuration.violation:*
   

3. Click Run query.

To receive notifications when GKE adds new findings to Logging, set up log-based alerts for this query. For more information, see Configure log-based alerts.

Clean up

Delete the sample Pod that you deployed:

kubectl delete pod wp-non-compliant

Disable compliance auditing

You can disable compliance auditing by using the Google Cloud console.

1. Go to the Compliance page in the Google Cloud console.

   Go to Compliance

2. In the Settings card, click Select clusters.

3. In the Audit enabled tab, select the checkboxes for the clusters that you want to remove.

4. Click Disable to disable auditing on those clusters.

Limitations

• Windows Server node pools aren't supported.
• Compliance auditing doesn't scan GKE-managed workloads, such as workloads in the kube-system namespace.
• Compliance auditing is only available for clusters with less than 1,000 nodes.

What's next

• Learn more about the GKE Compliance dashboard