Stay organized with collections
Save and categorize content based on your preferences.
This document describes how to configure Knative serving and its major
components following security best practices.
Securing Knative serving
Knative serving is based on the open source
Knative project, and inherits its
security posture.
Workloads running on Knative serving share the same network and compute nodes.
You should create separate clusters for workloads that don't have mutual trust.
Knative serving clusters should not run unrelated workloads like CI/CD
infrastructure or databases.
Reasons to create multiple clusters for Knative serving workloads include:
Separating development from production environments.
Isolating applications owned by different teams.
Isolating highly privileged workloads.
Once you've designed your clusters, take the following actions to help secure them:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Security best practices in Knative serving\n\nThis document describes how to configure Knative serving and its major\ncomponents following security best practices.\n\nSecuring Knative serving\n------------------------\n\nKnative serving is based on the open source\n[Knative](https://knative.dev/) project, and inherits its\nsecurity posture.\n\nWorkloads running on Knative serving share the same network and compute nodes.\nYou should create separate clusters for workloads that don't have mutual trust.\nKnative serving clusters should not run unrelated workloads like CI/CD\ninfrastructure or databases.\n\nReasons to create multiple clusters for Knative serving workloads include:\n\n- Separating development from production environments.\n- Isolating applications owned by different teams.\n- Isolating highly privileged workloads.\n\nOnce you've designed your clusters, take the following actions to help secure them:\n\n- [Restrict access to your cluster](/kubernetes-engine/enterprise/knative-serving/docs/securing/managing-access).\n- [Understand the Knative threat model](https://github.com/knative/community/blob/main/working-groups/security/threat-model.md).\n- [Read the Knative security reference if you plan to use community supported tooling](https://knative.dev/docs/reference/security/).\n\nSecuring components\n-------------------\n\nYou are responsible for securing components that aren't [part of Knative serving](/kubernetes-engine/enterprise/knative-serving/docs/architecture-overview#components_in_the_default_installation).\n\n### Cloud Service Mesh\n\nKnative serving relies on\n[Cloud Service Mesh for routing traffic](/kubernetes-engine/enterprise/knative-serving/docs/architecture-overview#components_in_the_default_installation).\n\nUse the following guides to help you secure Cloud Service Mesh:\n\n- [Cloud Service Mesh security overview and features](/service-mesh/v1.18/docs/security/security-overview).\n- [Cloud Service Mesh security best practices](/service-mesh/v1.18/docs/security/anthos-service-mesh-security-best-practices).\n\n### Google Kubernetes Engine\n\nKnative serving uses Google Kubernetes Engine (GKE) to schedule workloads.\nTake the following actions to help you secure your clusters:\n\n- [Follow the GKE Enterprise security tutorial](/anthos/docs/tutorials/security).\n- [Understand the Google Kubernetes Engine multi-tenancy model](/kubernetes-engine/docs/concepts/multitenancy-overview).\n- [Follow the Google Kubernetes Engine cluster hardening guide](/kubernetes-engine/docs/how-to/hardening-your-cluster).\n- [Understand the Google Kubernetes Engine shared responsibility model](/kubernetes-engine/docs/concepts/shared-responsibility).\n\nKnown vulnerabilities\n---------------------\n\nYou should subscribe to the security bulletins for Knative serving dependencies\nso you can keep up-to-date with known vulnerabilities:\n\n- [Cloud Service Mesh security bulletins](/service-mesh/v1.18/docs/security-bulletins).\n- [GKE Enterprise security bulletins](/anthos/clusters/docs/security-bulletins)."]]
