Secure your fleet

Google Cloud provides a range of features to secure your fleet and the applications that run on it. This page provides an overview of fleet security features, with links to find out more.

Manage identity

Google Cloud provides the following options for authenticating to fleet clusters in a simple, consistent, and secured way, wherever the clusters live. After you have set up authentication, you can configure more fine-grained access control to your clusters using Kubernetes role-based access control (RBAC).

Authenticate with Google Cloud

All GKE clusters on Google Cloud are configured to accept Google Cloud user and service account identities by default. If your fleet contains clusters in multiple environments, you can configure the Connect gateway so that users and service accounts can also authenticate to any registered cluster using their Google Cloud ID.

Learn more about setting up and using authentication with Google Cloud in the following guides:

• Configuring cluster access for kubectl
• Connecting to registered clusters with the Connect gateway
• Setting up the Connect gateway
• Using the Connect gateway

Authenticate with third-party providers

If you want to use your existing third-party identity provider to authenticate to your fleet clusters, GKE Identity Service is an authentication service that lets you bring your existing identity solutions to multiple environments. It supports all OpenID Connect (OIDC) providers such as Okta and Microsoft AD FS, as well as preview support for LDAP providers in some environments. You can set up GKE Identity Service on a cluster-by-cluster basis or with a single configuration for your entire fleet, where supported.

Learn more about setting up and using third-party authentication, including supported environments and providers, in the following guides:

• Introducing GKE Identity Service
• Accessing clusters with GKE Identity Service

Authenticate with a bearer token

If the preceding Google-provided solutions aren't suitable for your organization, you can set up authentication using a Kubernetes service account and using its bearer token to log in. For details, see Set up using a bearer token.

Manage cluster policies

Policy Controller enables the enforcement of fully programmable policies for your fleet clusters. These policies act as "guardrails" and prevent any changes to the configuration of the Kubernetes API from violating security, operational, or compliance controls.

Learn more about what you can do with Policy Controller in the Policy Controller documentation.

Manage fleet security

Google Cloud provides a range of features and products that improve the security of your fleets and workloads, such as the following:

• Binary Authorization to ensure that only trusted images are deployed on your fleet clusters
• Kubernetes network policies to control connections between Pods
• Fine-grained service access control for Anthos Service Mesh

To monitor the security of your fleet clusters, use the following dashboards in the Google Cloud console:

• GKE Enterprise Security dashboard: View the security features in your fleet clusters on Google Cloud, VMware, and bare metal. Provides a detailed policy audit view to modify configurations and improve security. For more information, see Monitoring application security in GKE Enterprise.
• GKE security posture dashboard: Monitor the security posture of your fleet's GKE clusters and get actionable recommendations to fix discovered concerns. Capabilities include vulnerability scanning, configuration auditing, and security bulletin surfacing. For details and a full list of capabilities, see About the security posture dashboard.

Monitor fleets of GKE clusters

The GKE security posture dashboard helps you assess and manage your fleet's GKE clusters for security concerns such as the following:

• Configuration auditing: Misconfigurations in workload specifications, such as over-privileged Pods.
• Vulnerability scanning: Actionable vulnerabilities in container operating systems or language packages.

The dashboard displays discovered concerns for all of the clusters in the selected fleet and for any standalone GKE clusters in the selected project. For more information, see Fleet view.

For pricing information, see GKE security posture dashboard pricing.

Configure security posture dashboard features at fleet level

Google Cloud lets you manage the security of your fleets at fleet level so that all the clusters in your fleet can use the same settings for security observability. You can enable GKE Enterprise and configure GKE's security posture dashboard features for your fleets by using the gcloud CLI.

Learn how to configure security posture dashboard features for your fleet.

Fleet security resources

Learn more about fleet security features in the following guides:

• Monitor application security
• Binary Authorization
• Kubernetes network policies
• Application security in Anthos Service Mesh:
  • Authorization policy overview
  • Configuring transport security
  • Monitoring mesh security