This documentation is for the latest version of Cloud Run for Anthos, which uses Anthos fleets and Anthos Service Mesh.

The past version has been archived but the documentation remains available for existing users.

Security best practices in Cloud Run for Anthos

This document describes how to configure Cloud Run for Anthos and its major components following security best practices.

Securing Cloud Run for Anthos

Cloud Run for Anthos is based on the open source Knative project, and inherits its security posture.

Workloads running on Cloud Run for Anthos share the same compute nodes and the same cluster network, so a namespace is not a hard security boundary between them. Create separate clusters for workloads that don't have mutual trust, and don't run unrelated workloads such as CI/CD infrastructure or databases on a Cloud Run for Anthos cluster.

Reasons to create multiple clusters for Cloud Run for Anthos workloads include:

  • Separating development from production environments.
  • Isolating applications owned by different teams.
  • Isolating highly privileged workloads.
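The cluster-separation rule above is easy to state and easy to drift from, so it helps to audit a cluster for workloads that are not Cloud Run for Anthos services. The following script is an added example, not code from this page or from the Cloud Run for Anthos project. It reads the JSON that `kubectl get deployments,statefulsets -A -o json` prints, skips the platform namespaces, skips Deployments that carry the `serving.knative.dev/service` label (the label Knative Serving puts on the Deployments it creates for each Revision), and reports everything else as a candidate unrelated workload. The set of platform namespaces is an assumption for illustration; adjust it to your cluster. The embedded sample output is constructed so the script runs offline.

```python
"""Audit a Cloud Run for Anthos cluster for workloads that don't belong on it.

Added example (not from the Cloud Run for Anthos documentation or project).
Usage on a real cluster:
    kubectl get deployments,statefulsets -A -o json | python3 audit_workloads.py
With no stdin, the constructed sample below is used instead.
"""
import json
import sys

# Namespaces owned by GKE, Anthos Service Mesh and Knative Serving. Assumed
# platform set for this example; extend it if your cluster has more.
SYSTEM_NAMESPACES = frozenset({
    "kube-system", "kube-public", "kube-node-lease",
    "gke-system", "istio-system", "knative-serving",
})

# Label Knative Serving sets on every Deployment it creates for a Revision.
KNATIVE_SERVICE_LABEL = "serving.knative.dev/service"

# Constructed sample: a cluster that runs one Cloud Run for Anthos service
# ("hello") but has also picked up a CI server and a database.
SAMPLE_KUBECTL_JSON = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "Deployment", "metadata": {
            "namespace": "knative-serving", "name": "activator", "labels": {}}},
        {"kind": "Deployment", "metadata": {
            "namespace": "default", "name": "hello-00001-deployment",
            "labels": {"serving.knative.dev/service": "hello",
                       "serving.knative.dev/revision": "hello-00001"}}},
        {"kind": "Deployment", "metadata": {
            "namespace": "ci", "name": "jenkins", "labels": {"app": "jenkins"}}},
        {"kind": "StatefulSet", "metadata": {
            "namespace": "default", "name": "postgres", "labels": {"app": "postgres"}}},
    ],
})


def find_unrelated_workloads(kubectl_json: str,
                             system_namespaces=SYSTEM_NAMESPACES) -> list[dict]:
    """Return workloads that are neither platform components nor Knative services.

    Each finding is {"kind", "namespace", "name"}; the list is sorted so
    output is stable across runs.
    """
    doc = json.loads(kubectl_json)
    findings = []
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        namespace = meta.get("namespace", "default")
        labels = meta.get("labels") or {}   # labels may be absent or null
        if namespace in system_namespaces:
            continue                        # GKE / mesh / Knative components
        if KNATIVE_SERVICE_LABEL in labels:
            continue                        # managed by Knative Serving
        findings.append({"kind": item.get("kind"),
                         "namespace": namespace,
                         "name": meta.get("name")})
    return sorted(findings, key=lambda f: (f["namespace"], f["kind"], f["name"]))


def format_report(findings: list[dict]) -> str:
    """Render findings as one line per workload, or a clean-bill message."""
    if not findings:
        return "OK: only platform components and Knative services found"
    lines = ["Workloads that are not Cloud Run for Anthos services "
             "(move them to a separate cluster):"]
    lines += [f"  {f['kind']} {f['namespace']}/{f['name']}" for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KUBECTL_JSON
    report = format_report(find_unrelated_workloads(raw))
    print(report)
    # Non-zero exit lets a CI job fail when unrelated workloads are present.
    sys.exit(1 if report.startswith("Workloads") else 0)
```

The script only identifies candidates; the fix the page recommends is to move such workloads to their own cluster rather than to fence them off with namespaces or network policy, because they would still share nodes with the Cloud Run for Anthos services.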

Once you've designed your clusters, take the following actions to help secure them:

Securing components

Cloud Run for Anthos depends on components that it does not manage or secure itself; securing those components is your responsibility.

Anthos Service Mesh

Cloud Run for Anthos relies on Anthos Service Mesh for routing traffic.

Use the following guides to help you secure Anthos Service Mesh:

Google Kubernetes Engine

Cloud Run for Anthos uses Google Kubernetes Engine (GKE) to schedule workloads. Take the following actions to help you secure your clusters:

Known vulnerabilities

Subscribe to the security bulletins for the dependencies of Cloud Run for Anthos so you can keep up to date with known vulnerabilities: