This page provides an overview of the security posture dashboard, a set of features in the Google Cloud console that scan your Google Kubernetes Engine (GKE) clusters and workloads to provide you with opinionated, actionable recommendations to improve your security posture. To explore the dashboard yourself, go to the Security Posture page in the Google Cloud console.
When to use the security posture dashboard
You should use the security posture dashboard if you're a cluster administrator or a security administrator who wants to automate detection and reporting of common security concerns across multiple clusters and workloads, with minimal intrusion and disruption to your running applications.
The security posture dashboard integrates with products such as Cloud Logging to improve your visibility into your security posture.
The security posture dashboard doesn't change any of Google's or your responsibilities under the shared responsibility model. You are still responsible for protecting your workloads.
How the security posture dashboard works
You enroll eligible clusters in one or more Security Posture features. GKE scans those clusters and running workloads against Google's standards and industry best practices. The security posture dashboard in the Google Cloud console displays the scan results and provides actionable recommendations for concerns, where applicable. GKE also adds entries to Cloud Logging.
The following features are available in the security posture dashboard:
- Automatic scanning of workloads for configuration concerns
- Automatic scanning of container images for known vulnerabilities
Why use the security posture dashboard
The security posture dashboard is a foundational security measure that you can enable for any eligible GKE cluster. Google Cloud recommends using the security posture dashboard in all your clusters for the following reasons:
- Minimal disruptions: Features do not interfere with or disrupt running workloads.
- Actionable recommendations: When available, the security posture dashboard provides action items to fix discovered concerns. These actions include commands that you can run, examples of configuration changes to make, and advice about what to do to mitigate vulnerabilities.
- Visualization: The security posture dashboard provides a high-level visualization of concerns affecting clusters across your project, and includes charts and graphs to show the progress you've made and the potential impact of each concern.
- Opinionated results: GKE assigns a severity rating to discovered concerns based on the expertise of Google's security teams and industry standards.
- Auditable event logs: GKE adds all discovered concerns to Logging for better reportability and observability.
The scanning capabilities and the dashboard in the Google Cloud console are offered at no charge. Entries added to Cloud Logging use Cloud Logging pricing.
About the Security Posture page
The Security Posture page in the Google Cloud console has the following tabs:
- Dashboard: a high-level representation of the results of your scans. Includes charts and feature-specific information.
- Concerns: a detailed, filterable view of any concerns discovered by GKE across your clusters and workloads. You can select individual concerns for details and mitigation options.
The dashboard view provides settings for the Security Posture capabilities and visual representations of the results of automatic scanning across all your configured clusters. Available sections include the following:
- Severity: Proportion of discovered concerns that have a specific severity rating.
- Clusters: Proportion of enrolled clusters that have at least one discovered concern.
- Workloads: Proportion of running workloads that have at least one discovered concern.
- Configuration concerns by severity: Discovered configuration concerns and the assigned severity ratings.
- Vulnerability concerns by severity: Discovered vulnerability concerns and the assigned severity ratings.
- GKE Security Posture settings: Manage your clusters' enrollment in security posture monitoring features.
The Concerns view provides a list of all the concerns discovered in scans across your enrolled clusters and workloads. You can filter this list by severity rating, concern type, cluster name, and Google Cloud region or zone.
Where applicable, GKE assigns a severity rating to discovered concerns. You can use these ratings to determine how urgently you need to act on a finding. GKE uses the following severity ratings, which are based on the CVSS Qualitative Severity Rating Scale:
- Critical: Act immediately. An attack will lead to an incident.
- High: Act promptly. An attack will very likely lead to an incident.
- Medium: Act soon. An attack will likely lead to an incident.
- Low: Act eventually. An attack could lead to an incident.
The precise speed of your response to concerns depends on your organization's threat model and risk tolerance. The severity ratings are a qualitative guideline to inform the development of a thorough incident response plan.
The Concerns table shows all the concerns detected by GKE. You can change the default grouping to group results by detected concern, Kubernetes namespace, or by the affected workloads. You can use the filter pane to filter the results by severity rating, type of concern, Google Cloud location, and cluster name. To view details about a specific concern, click the name of that concern.
Concern details pane
When you click on a concern in the Results table, the concern details pane opens. This pane provides a detailed description of the concern, and relevant information such as affected OS versions for vulnerabilities, CVE links, or risks associated with a specific configuration concern. The details pane provides a recommended action if applicable. For example, a workload that sets runAsNonRoot: false would return the recommended change you need to make to the Pod specification to mitigate the concern.
The Affected workloads tab in the concern details pane shows a list of workloads in your enrolled clusters that are affected by that concern.
This section is an example of the workflow for a cluster admin who wants to scan workloads in a cluster for security configuration issues, such as root privileges.
- Enroll the cluster in workload vulnerability scanning using the Google Cloud console.
- Check the security posture dashboard for scan results, which might take up to 15 minutes to appear.
- Click the Concerns tab to open the detailed results.
- Select the Configuration concern type filter.
- Click a concern in the table.
- On the concern details pane, note the recommended configuration change and update the Pod specification with the recommendation.
- Apply the updated Pod specification to the cluster.
The next time that the scan runs, the security posture dashboard no longer displays the concern that you fixed.
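As an added example that is not part of this page or of GKE's own scanner, the following Python pre-checks a Pod manifest for the runAsNonRoot concern described above (a container-level securityContext overrides the pod-level one) and produces the hardened specification before you apply it in the last step; the sample manifest and the fallback UID 65532 are constructed assumptions.

```python
"""Pre-check a Pod manifest for the runAsNonRoot configuration concern.

Added example, not GKE's scanner. A container is flagged when the
runAsNonRoot value that applies to it is false or unset, or when it is
pinned to UID 0. Container-level securityContext wins over pod-level.
"""
import copy

# Constructed sample: pod-level runAsNonRoot: false, one container overrides it.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example-app", "namespace": "default"},
    "spec": {
        "securityContext": {"runAsNonRoot": False},
        "containers": [
            {"name": "web", "image": "example/web:1.0"},
            {"name": "sidecar", "image": "example/sidecar:1.0",
             "securityContext": {"runAsNonRoot": True, "runAsUser": 1000}},
            {"name": "debug", "image": "example/debug:1.0",
             "securityContext": {"runAsUser": 0}},
        ],
    },
}


def effective_run_as_non_root(pod: dict, container: dict):
    """Return the runAsNonRoot value that applies to `container`, or None if unset."""
    pod_ctx = pod.get("spec", {}).get("securityContext", {})
    ctr_ctx = container.get("securityContext", {})
    # runAsUser: 0 pins the container to root (or blocks startup); flag it either way.
    if ctr_ctx.get("runAsUser", pod_ctx.get("runAsUser")) == 0:
        return False
    if "runAsNonRoot" in ctr_ctx:
        return ctr_ctx["runAsNonRoot"]
    return pod_ctx.get("runAsNonRoot")


def containers_that_may_run_as_root(pod: dict) -> list:
    """Names of containers for which runAsNonRoot is false or unset (the concern)."""
    return [c["name"] for c in pod.get("spec", {}).get("containers", [])
            if effective_run_as_non_root(pod, c) is not True]


def harden(pod: dict, uid: int = 65532) -> dict:
    """Return a copy enforcing runAsNonRoot: true for every container.
    runAsNonRoot alone makes the kubelet refuse an image that runs as UID 0,
    so a non-zero runAsUser is set too (65532 is an assumed default; pick one
    your image supports) and explicit runAsUser: 0 overrides are replaced."""
    fixed = copy.deepcopy(pod)
    fixed["spec"].setdefault("securityContext", {}).update(
        {"runAsNonRoot": True, "runAsUser": uid})
    for c in fixed["spec"].get("containers", []):
        ctx = c.setdefault("securityContext", {})
        ctx["runAsNonRoot"] = True
        if ctx.get("runAsUser") == 0:
            ctx["runAsUser"] = uid
    return fixed
```

Run containers_that_may_run_as_root on the manifest before enrolment to see what the scan will report, and on harden(...) to confirm the fix leaves nothing flagged.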
- Learn more about workload configuration scanning.
- Learn how to enable automatic scanning of your workloads for configuration concerns.
- Learn how to enable automatic scanning of your container images for known vulnerabilities.