Expanding GKE posture: Policy Controller violations now in Security Command Center
Poonam Lamba
Product Manager, Google
Tim Wingerter
Product Manager
Monitor and address GKE Policy Controller violations in Security Command Center
Hear monthly from our Cloud CISO in your inbox
Get the latest on security from Cloud CISO Phil Venables.
SubscribeCustomers using Kubernetes at scale need consistent guardrails for how resources are used across their environments to improve security, resource management, and flexibility. Customers have told us that they need an easy way to apply and view those policy guardrails, so we launched the Policy Controller dashboard and added support for all GKE environments.
We received further feedback from Security Administrators that policy and compliance violation reports for GKE should be available alongside security insights from across their Google Cloud estate. To address this, we are excited to announce a fully managed integration to surface Policy Controller (CIS Kubernetes Benchmark v1.5.1 and PCI-DSS v3.2.1) violations in Security Command Center (SCC) .
SCC is our built-in security and risk management solution for Google Cloud. It helps discover misconfigurations, vulnerabilities, and compliance errors that can leave cloud assets exposed to attack.
Policy Controller can help you audit or enforce fully programmable policies for your GKE cluster resources that act as "guardrails," and prevent changes from violating security, operational, or compliance controls. Policy Controller can help accelerate your application modernization efforts by helping developers release code quickly and safely. Here are some examples of policies that you can audit or enforce with Policy Controller:
- All container images must be from approved repositories
- All pods must have resource limits
- Resources running on my fleet of clusters should be CIS-K8s benchmark-compliant
- Resources running on my fleet of clusters should be NIST-800 framework-compliant
- Resources running on my fleet of clusters should be PCI-DSS benchmark-compliant
Integrating Policy Controller with SCC
Policy Controller violations are available in SCC for all Policy Controller users. Benefits of this integration include:
- Increased visibility and transparency: With SCC integration, you can get organization-wide visibility into your platform and workload violations from a single dashboard. This can lead to improved security and compliance posture and reduced risk for your organization.
- Ease of use: Fully managed integration means no additional build or operational overhead. It is available out-of-the-box.
- On-by-default: The integration will be on-by-default for all Policy Controller and Security Command Center users.
- Improved efficiency and decision-making: Integrated violations and compliance reporting provides data to inform decision making for taking the right steps to meet desired security, governance, and compliance standards.
Get started with Policy Controller and SCC integration
For existing Policy Controller and Security Command Center users, you do not need to do anything. Policy Controller violations will automatically show up in your SCC findings tab.
View Policy Controller violations from SCC Findings tab
View Finding Details for Policy Controller violations
Each Policy Controller assessment is visible alongside the other assessments SCC offers and mapped to the relevant compliance control on the SCC vulnerabilities page.
View Policy Controller findings from SCC Vulnerabilities tab
We continue to invest in building out fully managed Policy features for GKE and GKE Enterprise, focusing on ease-of-use, out-of-the-box content, and a more integrated Google Cloud experience. To get started with Policy Controller, simply install Policy Controller and try applying a policy bundle to audit your fleet of clusters against a standard such as the CIS Kubernetes benchmark. To get started with SCC today, visit the Google Cloud console and our quickstart guide.