About GKE threat detection


This page describes GKE threat detection, which lets you scan your eligible GKE clusters for active threats in the GKE security posture dashboard. The GKE security posture dashboard lets you enable various scanning and auditing capabilities in eligible GKE clusters and displays actionable recommendations to help you resolve security issues.

How it works

GKE threat detection is an advanced GKE security posture dashboard capability that's available to GKE Enterprise users. When your GKE clusters are registered in a fleet, GKE threat detection evaluates your GKE audit logs in Cloud Logging against a set of predefined rules for cluster and workload threats. If a threat is found, you see a finding in the GKE security posture dashboard with a description of the threat, the potential impact, and recommended actions to mitigate the threat.

All enrolled GKE clusters across your fleet are continuously scanned for active threats. We classify detected threats using MITRE ATT&CK® tactics.

GKE threat detection is powered by the Security Command Center Event Threat Detection service. In the GKE security posture dashboard, only the subset of Event Threat Detection rules that applies to GKE is evaluated.

Included GKE security posture features

GKE threat detection is bundled with the advanced tier of Kubernetes security posture scanning. When you activate GKE threat detection in a cluster, you also activate the scanning features of the basic tier, such as workload configuration auditing and security bulletin surfacing.

Usage as part of a broad security strategy

GKE threat detection is one of several security observability products that you should use in your environment. We strongly recommend that you also use the other features of the GKE security posture dashboard, such as vulnerability scanning, so that you're monitoring your clusters for a range of security issues, not only active threats. For more information, see About the security posture dashboard in the GKE documentation.

We also recommend that you implement as many security measures from Harden your cluster security as you can in your clusters and workloads.

Pricing

GKE threat detection is offered at no extra cost through GKE Enterprise.

GKE threat detection predefined rules

The following entries describe the predefined rules against which GKE threat detection evaluates your GKE audit logs. Each entry gives the rule's display name (prefixed with its MITRE ATT&CK tactic), its API name, the log source type it reads, and a description of what it detects.

Display name: Defense Evasion: Breakglass Workload Deployment Created (Preview)
API name: BINARY_AUTHORIZATION_BREAKGLASS_WORKLOAD_CREATE
Log source types: Cloud Audit Logs: Admin Activity logs
Description: Detects workloads deployed by using the break-glass flag to override Binary Authorization controls.

Display name: Defense Evasion: Breakglass Workload Deployment Updated (Preview)
API name: BINARY_AUTHORIZATION_BREAKGLASS_WORKLOAD_UPDATE
Log source types: Cloud Audit Logs: Admin Activity logs
Description: Detects workloads updated by using the break-glass flag to override Binary Authorization controls.

Display name: Discovery: Can get sensitive Kubernetes object check
API name: GKE_CONTROL_PLANE_CAN_GET_SENSITIVE_OBJECT
Log source types: Cloud Audit Logs: GKE Data Access logs
Description: A potentially malicious actor attempted to determine which sensitive objects in GKE they can query, by using the kubectl auth can-i get command. Specifically, the rule detects whether the actor checked for API access on the following objects:

Display name: Privilege Escalation: Changes to sensitive Kubernetes RBAC objects
API name: GKE_CONTROL_PLANE_EDIT_SENSITIVE_RBAC_OBJECT
Log source types: Cloud Audit Logs: GKE Admin Activity logs
Description: To escalate privilege, a potentially malicious actor attempted to modify a ClusterRole, RoleBinding, or ClusterRoleBinding role-based access control (RBAC) object of the sensitive cluster-admin role by using a PUT or PATCH request.

Display name: Privilege Escalation: Create Kubernetes CSR for master cert
API name: GKE_CONTROL_PLANE_CSR_FOR_MASTER_CERT
Log source types: Cloud Audit Logs: GKE Admin Activity logs
Description: A potentially malicious actor created a Kubernetes master certificate signing request (CSR), which gives them cluster-admin access.

Display name: Privilege Escalation: Creation of sensitive Kubernetes bindings
API name: GKE_CONTROL_PLANE_CREATE_SENSITIVE_BINDING
Log source types: Cloud Audit Logs: IAM Admin Activity audit logs
Description: To escalate privilege, a potentially malicious actor attempted to create a new RoleBinding or ClusterRoleBinding object for the cluster-admin role.

Display name: Privilege Escalation: Get Kubernetes CSR with compromised bootstrap credentials
API name: GKE_CONTROL_PLANE_GET_CSR_WITH_COMPROMISED_BOOTSTRAP_CREDENTIALS
Log source types: Cloud Audit Logs: GKE Data Access logs
Description: A potentially malicious actor queried for a certificate signing request (CSR) with the kubectl command, using compromised bootstrap credentials.

Display name: Privilege Escalation: Launch of privileged Kubernetes container
API name: GKE_CONTROL_PLANE_LAUNCH_PRIVILEGED_CONTAINER
Log source types: Cloud Audit Logs: GKE Admin Activity logs
Description: A potentially malicious actor created a Pod that contains privileged containers or containers with privilege escalation capabilities. A privileged container has the privileged field set to true. A container with privilege escalation capabilities has the allowPrivilegeEscalation field set to true. When allowPrivilegeEscalation is left unset, the container process can still gain privileges, so set the field to false explicitly in your own workloads rather than relying on the default. For more information, see the SecurityContext v1 core API reference in the Kubernetes documentation.

Display name: Credential Access: Secrets Accessed In Kubernetes Namespace
API name: SECRETS_ACCESSED_IN_KUBERNETES_NAMESPACE
Log source types: Cloud Audit Logs: GKE Data Access logs
Description: Detects when secrets or service account tokens are accessed by a service account in the current Kubernetes namespace.

Display name: Initial Access: Anonymous GKE Resource Created from the Internet (Preview)
API name: GKE_RESOURCE_CREATED_ANONYMOUSLY_FROM_INTERNET
Log source types: Cloud Audit Logs: GKE Admin Activity logs
Description: Detects resource creation events from effectively anonymous internet users.

Display name: Initial Access: GKE Resource Modified Anonymously from the Internet (Preview)
API name: GKE_RESOURCE_MODIFIED_ANONYMOUSLY_FROM_INTERNET
Log source types: Cloud Audit Logs: GKE Admin Activity logs
Description: Detects resource manipulation events from effectively anonymous internet users.
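To make the rule matching concrete, here is an added Python example, written for this page and not Google's or Event Threat Detection's code, that re-creates four of the rules above (privileged container launch, cluster-admin binding creation, secrets access within a service account's own namespace, and anonymous create or modify from the internet) as plain functions over a handful of constructed Cloud Audit Log entries. The simplified entry layout (protoPayload.serviceName, methodName, resourceName, authenticationInfo.principalEmail, requestMetadata.callerIp and request), the Kubernetes method-name spellings, the treatment of the system:anonymous principal as "effectively anonymous", and all sample principals, namespaces and addresses are assumptions made for the example.

```python
"""Toy re-creation of a few GKE threat detection rules over constructed Cloud Audit
Log entries. Added example; not Google's implementation."""
import ipaddress

SENSITIVE_ROLE = "cluster-admin"

def _payload(entry):
    return entry.get("protoPayload", {})

def _principal(entry):
    return _payload(entry).get("authenticationInfo", {}).get("principalEmail", "")

def _caller_is_internet(entry):
    ip = _payload(entry).get("requestMetadata", {}).get("callerIp", "")
    try:  # a missing or malformed callerIp is treated as not-from-the-internet
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False

def rule_privileged_container(entry):
    """Privilege Escalation: Launch of privileged Kubernetes container."""
    p = _payload(entry)
    if p.get("methodName") != "io.k8s.core.v1.pods.create":
        return None
    spec = p.get("request", {}).get("spec", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged") or sc.get("allowPrivilegeEscalation"):
            return "GKE_CONTROL_PLANE_LAUNCH_PRIVILEGED_CONTAINER"
    return None

def rule_sensitive_binding(entry):
    """Privilege Escalation: Creation of sensitive Kubernetes bindings."""
    p = _payload(entry)
    if p.get("methodName") not in ("io.k8s.authorization.rbac.v1.rolebindings.create",
                                   "io.k8s.authorization.rbac.v1.clusterrolebindings.create"):
        return None
    if p.get("request", {}).get("roleRef", {}).get("name") == SENSITIVE_ROLE:
        return "GKE_CONTROL_PLANE_CREATE_SENSITIVE_BINDING"
    return None

def rule_secrets_in_namespace(entry):
    """Credential Access: a service account reads secrets in its own namespace."""
    p = _payload(entry)
    if p.get("methodName") not in ("io.k8s.core.v1.secrets.get", "io.k8s.core.v1.secrets.list"):
        return None
    principal = _principal(entry)  # system:serviceaccount:<namespace>:<name>
    if not principal.startswith("system:serviceaccount:"):
        return None
    parts = p.get("resourceName", "").split("/")  # core/v1/namespaces/<ns>/secrets[/<name>]
    i = parts.index("namespaces") + 1 if "namespaces" in parts else len(parts)
    if i < len(parts) and parts[i] == principal.split(":")[2]:
        return "SECRETS_ACCESSED_IN_KUBERNETES_NAMESPACE"
    return None

def rule_anonymous_from_internet(entry):
    """Initial Access: unauthenticated caller creates or modifies a resource from the internet."""
    if _principal(entry) != "system:anonymous" or not _caller_is_internet(entry):
        return None
    verb = _payload(entry).get("methodName", "").rsplit(".", 1)[-1]
    if verb == "create":
        return "GKE_RESOURCE_CREATED_ANONYMOUSLY_FROM_INTERNET"
    return "GKE_RESOURCE_MODIFIED_ANONYMOUSLY_FROM_INTERNET" if verb in ("update", "patch", "delete") else None

RULES = (rule_privileged_container, rule_sensitive_binding,
         rule_secrets_in_namespace, rule_anonymous_from_internet)

def evaluate(entries):
    """Return (api_name, principal, resourceName) for every rule that fires on each entry."""
    findings = []
    for entry in entries:
        p = _payload(entry)
        if p.get("serviceName") != "k8s.io":
            continue  # only GKE control-plane audit logs are in scope
        for rule in RULES:
            name = rule(entry)
            if name:
                findings.append((name, _principal(entry), p.get("resourceName", "")))
    return findings

def make_entry(method, principal, resource, ip="10.128.0.5", request=None):
    """Constructed, simplified k8s.io AuditLog entry (the field layout is an assumption)."""
    return {"protoPayload": {
        "serviceName": "k8s.io", "methodName": method, "resourceName": resource,
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": ip}, "request": request or {}}}

SAMPLE_ENTRIES = [  # constructed sample log; 93.184.216.34 stands in for a public address
    make_entry("io.k8s.core.v1.pods.create", "dev@example.com", "core/v1/namespaces/default/pods/shell",
               request={"spec": {"containers": [{"name": "sh", "image": "busybox",
                                                 "securityContext": {"privileged": True}}]}}),
    make_entry("io.k8s.core.v1.pods.create", "dev@example.com", "core/v1/namespaces/default/pods/web",
               request={"spec": {"containers": [{"name": "web", "image": "nginx",
                                                 "securityContext": {"allowPrivilegeEscalation": False}}]}}),
    make_entry("io.k8s.authorization.rbac.v1.clusterrolebindings.create", "dev@example.com",
               "rbac.authorization.k8s.io/v1/clusterrolebindings/admin-for-all",
               request={"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}),
    make_entry("io.k8s.core.v1.secrets.list", "system:serviceaccount:payments:api",
               "core/v1/namespaces/payments/secrets"),
    make_entry("io.k8s.core.v1.configmaps.create", "system:anonymous",
               "core/v1/namespaces/default/configmaps/x", ip="93.184.216.34"),
    make_entry("io.k8s.core.v1.configmaps.patch", "system:anonymous",
               "core/v1/namespaces/default/configmaps/x"),  # private caller IP: no finding
]
```

Calling evaluate(SAMPLE_ENTRIES) returns four findings, one per positive sample; the two samples that do not fire (the Pod with allowPrivilegeEscalation set to false, and the anonymous patch arriving from a private address) show the conditions each rule requires. The page does not describe the internals of the production rules, which are certainly more involved than this, so treat the functions as an illustration of what the rule descriptions mean rather than as a substitute for the service.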

How to enable GKE threat detection

To enable GKE threat detection, you enroll an eligible cluster in the advanced tier of Kubernetes security posture scanning. This also activates all of the capabilities included in the Kubernetes security posture scanning basic tier, like workload configuration auditing and security bulletin surfacing.

To learn more, see Find threats in clusters using GKE threat detection.

Limitations

The following limitations apply to GKE threat detection:

  • Only available in GKE Enterprise
  • Only available for projects in organizations
  • Doesn't support Security Command Center options like configuring data residency
  • Only shows results for clusters that are registered to a fleet
  • GKE retains threat findings that no longer have any associated affected resources for up to 180 days
  • Only shows results for existing clusters. If you delete a cluster, GKE threat detection no longer shows the finding in the GKE security posture dashboard.

What's next