The Anthos security blueprints provide you with prescriptive information and instructions for achieving a set of security postures when you create or migrate workloads that use Anthos clusters.
The blueprints consist of the following documents:
- Auditing and monitoring for deviation from policy
- Enforcing locality restrictions for clusters on Google Cloud
- Enforcing policies
- Managing secrets
- Protecting API endpoints
- Restricting traffic
How do I use the blueprints?
The Anthos security blueprints repository on GitHub has resources and artifacts that show you how to achieve a set of security postures when you create or migrate workloads that use Anthos clusters. To use the blueprints, you first clone the repository and then you follow the guidance for configuring your clusters. The guidance describes how to apply the appropriate set of controls to reach the security postures that are explained in the accompanying guides.
Each blueprint is made up of the following elements:
- An implementation guide
- Deployable assets for different security postures. The assets consist of:
  - Custom resource definitions expressed as YAML files
  - Terraform templates and scripts
  - Detailed instructions
We recommend that you read through the implementation guides and review the associated README files before you implement any of the blueprints. The blueprints are additive, so you can apply multiple blueprints to your environments.
Are the blueprints the only way to achieve security postures when using Anthos?
No. There are many ways to interpret and implement controls to achieve the security postures. This collection of blueprints is designed as a set of best practices and recommendations to help you meet your security requirements.
Does the Anthos blueprint collection include best practices for GKE on-prem?
Yes. Most of the blueprints are applicable to Anthos GKE clusters no matter where they are deployed. Some guidance is applicable to GKE on Google Cloud only. The guides and README files point out places where the instructions are specific to GKE on Google Cloud.
Can the blueprints help me meet my regulatory compliance requirements?
The blueprints address a range of security postures. You can use each blueprint to help you meet your regulatory compliance posture by addressing specific controls that are listed in the regulatory and compliance documentation.
For a comprehensive, end-to-end blueprint, see our compliance and regulatory blueprints, such as the PCI on GKE blueprint. Note that implementing any compliance controls is your responsibility, and we recommend that you conduct your own evaluation of your organization's compliance. For more information about the shared responsibility model, see Exploring container security: the shared responsibility model in GKE on the Google Cloud blog.
What services are supported by the guidance in these blueprints?
For a full list of supported services, see the implementation guide and the README files in the Anthos security blueprints repository on GitHub.
Do you accept contributions to the Anthos security blueprints repository on GitHub?
Yes. You can submit a pull request or fork the repository.
- Hardening your cluster's security in the GKE documentation
- Hardening your cluster's security in the GKE on-prem documentation
- Security Blueprint: PCI for GKE
- Using Policy Controller in a CI pipeline in the Anthos Config Management documentation
- Best practices for policy management with Anthos Config Management