About the security posture dashboard


This page provides an overview of the security posture dashboard in the Google Cloud console, which provides you with opinionated, actionable recommendations to improve your security posture. To explore the dashboard yourself, go to the Security Posture page in the Google Cloud console.

When to use the security posture dashboard

You should use the security posture dashboard if you're a cluster administrator or a security administrator who wants to automate detection and reporting of common security concerns across multiple clusters and workloads, with minimal intrusion and disruption to your running applications. The security posture dashboard integrates with products such as Cloud Logging, Policy Controller, and Binary Authorization to improve your visibility into your security posture.

If you use VPC Service Controls, you can also update your perimeters to protect the security posture dashboard by adding containersecurity.googleapis.com to the list of services.

The security posture dashboard doesn't change any of our responsibilities or your responsibilities under the shared responsibility model. You're still responsible for protecting your workloads.

Usage as part of a broad security strategy

The security posture dashboard provides insights about your workload security posture at the runtime phase of the software delivery lifecycle. To gain comprehensive coverage of your applications throughout the lifecycle from source control to maintenance, we recommend that you use the dashboard with other security tooling. For more details about the available tooling and for best practices to safeguard your applications from end to end, see Protect your software supply chain.

We also strongly recommend that you implement as many recommendations as possible from Harden your cluster security.

How the security posture dashboard works

To use the security posture dashboard, enable the Container Security API in your project. The dashboard shows you insights from capabilities that are built into GKE and from certain Google Cloud security products running in your project.

Cluster-specific feature enablement

The GKE-specific capabilities in the security posture dashboard are categorized as follows:

Type: Kubernetes security posture - standard tier
How to enable: Automatically enabled in new Autopilot and Standard clusters running GKE version 1.27 and later.

Type: Kubernetes security posture - advanced tier (Preview)
How to enable: Not automatically enabled in any version or mode of operation. Only available to GKE Enterprise users.

Type: Workload vulnerability scanning - standard tier
How to enable:
  • Autopilot: Available to enable in version 1.23.5-gke.700 and later. Automatically enabled when you create new clusters running version 1.27 and later.
  • Standard: Available to enable in version 1.23.5-gke.700 and later. Not automatically enabled in any version.

Type: Workload vulnerability scanning - advanced vulnerability insights
How to enable: Available to enable in version 1.27 and later. Not automatically enabled in any version or mode of operation.

You can enable these features for standalone GKE clusters or fleet member clusters. The security posture dashboard lets you observe all your clusters simultaneously, including all fleet members in your fleet host project.

Cross-product features

The security posture dashboard can show you insights from other Google Cloud security offerings that are running in your project. This provides an overview of the security status of a single fleet or the clusters in a specific project.

Name: Compliance concerns - Policy Controller
Description: Evaluate your workloads against predefined or custom policy bundles. For example, see whether your workloads comply with the Kubernetes Pod Security Standards.
How to enable: Enable GKE Enterprise.

Name: Supply chain concerns - Binary Authorization (Preview)
Description: Checks for the following issues with running container images:
  • Images that use the latest tag, either implicitly or explicitly
  • Images (deployed by digest) that were uploaded to Artifact Registry or Container Registry (Deprecated) more than 30 days ago
If you use images in Artifact Registry repositories that belong to a different project, let Binary Authorization read those images in the artifact project by granting the relevant IAM role to the service agent. For instructions, see Grant roles using the gcloud CLI.
How to enable: Enable the Binary Authorization API in your project. For instructions, see Enable the Binary Authorization service.
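The two Binary Authorization checks listed above, as an added illustration that is not code from the dashboard or from Binary Authorization itself: the Python below parses container image references, flags an explicit or implicit latest tag, and flags digest-pinned images whose upload time is more than 30 days old. The image names, digests and upload timestamps are constructed sample data, and the dictionary of upload times stands in for the registry lookup that would supply them in practice.

```python
"""Illustrative checker for the two Binary Authorization supply-chain concerns
described above. Added example, not the dashboard's or Binary Authorization's
implementation. Image names, digests and upload times are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Binary Authorization flags digest-pinned images uploaded more than 30 days ago.
MAX_IMAGE_AGE = timedelta(days=30)


@dataclass
class ImageRef:
    repository: str
    tag: str | None
    digest: str | None


def parse_image_ref(ref: str) -> ImageRef:
    """Split an image reference into repository, tag and digest.

    A ':' introduces a tag only when it comes after the last '/', so a
    registry port such as 'localhost:5000/web' is not mistaken for a tag.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    if ref.rfind(":") > ref.rfind("/"):
        ref, tag = ref.rsplit(":", 1)
    return ImageRef(repository=ref, tag=tag, digest=digest)


def uses_latest_tag(ref: ImageRef) -> bool:
    """True for an explicit ':latest' tag, or for no tag at all (which the
    container runtime resolves to 'latest'). A digest-pinned reference is
    not a floating tag, so it is never reported here."""
    if ref.digest is not None:
        return False
    return ref.tag is None or ref.tag == "latest"


def is_stale_digest(ref: ImageRef, uploaded_at: datetime | None, now: datetime) -> bool:
    """True when a digest-pinned image was uploaded more than MAX_IMAGE_AGE ago.
    An unknown upload time yields no finding rather than a guess."""
    if ref.digest is None or uploaded_at is None:
        return False
    return now - uploaded_at > MAX_IMAGE_AGE


def find_concerns(images: list[str], upload_times: dict[str, datetime],
                  now: datetime) -> list[tuple[str, str]]:
    """Return (image, concern) pairs for every running image that matches a check.
    upload_times maps a digest to its registry upload time (assumed to come from
    the registry in real use; here it is a constructed lookup table)."""
    concerns: list[tuple[str, str]] = []
    for image in images:
        ref = parse_image_ref(image)
        if uses_latest_tag(ref):
            concerns.append((image, "uses the latest tag"))
        if is_stale_digest(ref, upload_times.get(ref.digest or ""), now):
            concerns.append((image, "digest uploaded more than 30 days ago"))
    return concerns


# Constructed sample inventory: what a scan of running workloads might return.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
OLD_DIGEST = "sha256:" + "a" * 64
NEW_DIGEST = "sha256:" + "b" * 64
SAMPLE_IMAGES = [
    "us-docker.pkg.dev/example-project/repo/web:latest",   # explicit latest
    "us-docker.pkg.dev/example-project/repo/web",          # implicit latest
    "localhost:5000/web",                                  # port, no tag: implicit latest
    "us-docker.pkg.dev/example-project/repo/api:1.4.2",    # pinned tag, not flagged
    f"us-docker.pkg.dev/example-project/repo/api@{OLD_DIGEST}",  # 45 days old
    f"us-docker.pkg.dev/example-project/repo/api@{NEW_DIGEST}",  # 3 days old
]
SAMPLE_UPLOAD_TIMES = {
    OLD_DIGEST: NOW - timedelta(days=45),
    NEW_DIGEST: NOW - timedelta(days=3),
}

if __name__ == "__main__":
    for image, concern in find_concerns(SAMPLE_IMAGES, SAMPLE_UPLOAD_TIMES, NOW):
        print(f"{concern}: {image}")
```

Running the block on the constructed inventory reports four concerns: the three latest-tag images (including the port-qualified one that a naive split on ':' would misparse) and the 45-day-old digest; the pinned tag and the 3-day-old digest produce nothing.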

Integration with Security Command Center

If you use the Security Command Center Standard tier or Premium tier in your organization or project, you'll see security posture dashboard findings in Security Command Center. For more details about the types of Security Command Center findings that you'll see, refer to Security sources.

Benefits of the security posture dashboard

The security posture dashboard is a foundational security measure that you can enable for any eligible GKE cluster. Google Cloud recommends using the security posture dashboard for all your clusters for the following reasons:

  • Minimal disruptions: Features don't interfere with or disrupt running workloads.
  • Actionable recommendations: When available, the security posture dashboard provides action items to fix discovered concerns. These actions include commands that you can run, examples of configuration changes to make, and advice about what to do to mitigate vulnerabilities.
  • Visualization: The security posture dashboard provides a high-level visualization of concerns affecting clusters across your project, and includes charts and graphs to show the progress you've made and the potential impact of each concern.
  • Opinionated results: GKE assigns a severity rating to discovered concerns based on the expertise of our security teams and industry standards.
  • Auditable event logs: GKE adds all discovered concerns to Logging for better reportability and observability.
  • Fleet observability: If you've registered GKE clusters to a fleet, the dashboard lets you observe all of your project's clusters, including fleet member clusters and any standalone GKE clusters in the project.

GKE security posture dashboard pricing

The pricing for the capabilities of the security posture dashboard is as follows, applicable to standalone GKE clusters and fleet GKE clusters:

  • Workload configuration auditing: No extra charge
  • Security bulletin surfacing: No extra charge
  • GKE threat detection (Preview): Included in the cost of GKE Enterprise. For details, see Enterprise edition on the GKE pricing page.
  • Container OS vulnerability scanning: No extra charge
  • Advanced vulnerability insights: Uses Artifact Analysis pricing. For details, see Advanced vulnerability insights on the Artifact Analysis pricing page.
  • Compliance - Policy Controller: See GKE Enterprise pricing
  • Supply chain - Binary Authorization (Preview): No extra charge for security posture dashboard concerns. However, other Binary Authorization features such as enforcement are separate from the dashboard functionality and are subject to Binary Authorization for GKE pricing.

Entries that are added to Cloud Logging use Cloud Logging pricing. However, depending on the scale of your environment and the number of concerns discovered, you might not exceed the free ingestion and storage allotments for Logging. For details, see Logging pricing.

Manage fleet security posture

If you use fleets with Google Kubernetes Engine (GKE) Enterprise edition, you can configure GKE security posture features at the fleet level using the gcloud CLI. GKE clusters that you register as fleet members during cluster creation automatically inherit the security posture configuration. Clusters that were already fleet members before you changed the security posture configuration don't inherit the new configuration.

Enabling GKE Enterprise displays compliance auditing results in the security posture dashboard. Compliance auditing compares your clusters and workloads with industry best practices like the Pod Security Standards. For more information, see Policy Controller bundles.

To learn how to change your fleet-level security posture configuration, see Configure GKE security posture dashboard features at fleet-level.

About the Security Posture page

The Security Posture page in the Google Cloud console has the following tabs:

  • Dashboard: a high-level representation of the results of your scans. Includes charts and feature-specific information.
  • Concerns: a detailed, filterable view of any concerns discovered by GKE across your clusters and workloads. You can select individual concerns for details and mitigation options.
  • Settings: manage the security posture feature configuration for individual clusters or for fleets.

Dashboard

The Dashboard tab provides a visual representation of the results of various GKE security posture scans and information from other Google Cloud security products that are enabled in your project. For details about the available scanning capabilities and other supported security products, see How the security posture dashboard works in this document.

If you use fleets with GKE Enterprise, the dashboard also displays discovered concerns for all clusters in the project, including clusters in the project's fleet and standalone clusters. To switch the dashboard to view the posture of a specific fleet, select the host project for that fleet from the project selector drop-down menu in the Google Cloud console. If the selected project has the Container Security API enabled, the dashboard shows results for all member clusters of that project's fleet.

Concerns

The Concerns tab lists active security concerns that GKE discovers when scanning your clusters and workloads. This page only displays concerns for the security posture features described in Cluster-specific feature enablement in this document. If you use fleets with GKE Enterprise, you can see concerns for fleet member clusters and for standalone GKE clusters that the selected project owns.

Severity ratings

Where applicable, GKE assigns a severity rating to discovered concerns. You can use these ratings to determine the urgency with which you need to resolve the finding. GKE uses the following severity ratings, which are based on the CVSS Qualitative Severity Rating Scale:

  • Critical: Act immediately. An attack will lead to an incident.
  • High: Act promptly. An attack will very likely lead to an incident.
  • Medium: Act soon. An attack will likely lead to an incident.
  • Low: Act eventually. An attack could lead to an incident.

The precise speed of your response to concerns depends on your organization's threat model and risk tolerance. The severity ratings are a qualitative guideline to help you to develop a thorough incident response plan.

Concerns table

The Concerns table shows all the concerns detected by GKE. You can change the default view to group results by the type of concern, Kubernetes namespace, or by the affected workloads. You can use the filter pane to filter the results by severity rating, type of concern, Google Cloud location, and cluster name. To view details about a specific concern, click the name of that concern.

Concern details pane

When you click a concern in the Concerns table, the concern details pane opens. This pane provides a detailed description of the concern, and relevant information such as affected OS versions for vulnerabilities, CVE links, or risks associated with a specific configuration concern. The details pane provides a recommended action if applicable. For example, a workload that sets runAsNonRoot: false would return the recommended change you need to make to the Pod specification to mitigate the concern.

The Affected resources tab in the concern details pane shows a list of workloads in your enrolled clusters that are affected by that concern.

Settings

The Settings tab lets you configure cluster-specific security posture features, like workload vulnerability scanning or workload configuration auditing, on eligible GKE clusters in your project or fleet. You can view the enablement status of specific features for each cluster and change that configuration for eligible clusters. If you use fleets with GKE Enterprise, you can also see whether your fleet member clusters have the same settings as the fleet-level configuration.

Example workflow

This section is an example of the workflow for a cluster administrator who wants to scan workloads in a cluster for security configuration issues, such as root privileges.

  1. Enroll the cluster in Kubernetes security posture scanning by using the Google Cloud console.
  2. Check the security posture dashboard for scan results, which might take up to 15 minutes to appear.
  3. Click the Concerns tab to open the detailed results.
  4. Select the Configuration concern type filter.
  5. Click a concern in the table.
  6. On the concern details pane, note the recommended configuration change and update the Pod specification with the recommendation.
  7. Apply the updated Pod specification to the cluster.

The next time that the scan runs, the security posture dashboard no longer displays the concern that you fixed.
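The runAsNonRoot concern described in the concern details pane, and steps 5 to 7 of the workflow above, as an added example that is not GKE's scanner or the dashboard's own code: the Python below audits a Pod specification for containers that are not forced to run as a non-root user, resolving the field the way Kubernetes does (a container-level securityContext overrides the Pod-level one), emits the recommended change, and applies it to a copy of the manifest. The two Pod specifications are constructed.

```python
"""Illustrative audit for the runAsNonRoot configuration concern. Added example,
not GKE's scanner or the dashboard's own code; the Pod specifications below are
constructed, in the dictionary shape of a Kubernetes Pod manifest."""
from __future__ import annotations

import copy

RECOMMENDATION = "set securityContext.runAsNonRoot: true on the container"


def effective_run_as_non_root(pod_spec: dict, container: dict) -> bool | None:
    """Resolve runAsNonRoot the way Kubernetes does: a container-level
    securityContext field overrides the same field at Pod level; unset at both
    levels (None) means nothing stops the container from running as root."""
    container_ctx = container.get("securityContext") or {}
    if "runAsNonRoot" in container_ctx:
        return container_ctx["runAsNonRoot"]
    pod_ctx = pod_spec.get("securityContext") or {}
    return pod_ctx.get("runAsNonRoot")


def find_root_concerns(pod: dict) -> list[dict]:
    """One concern per init container or container that is not forced to run
    as a non-root user, with the recommended change to the Pod specification."""
    spec = pod["spec"]
    concerns = []
    for field in ("initContainers", "containers"):
        for container in spec.get(field, []):
            value = effective_run_as_non_root(spec, container)
            if value is not True:
                concerns.append({
                    "pod": pod["metadata"]["name"],
                    "container": container["name"],
                    "runAsNonRoot": value,   # False (explicit) or None (unset)
                    "recommendation": RECOMMENDATION,
                })
    return concerns


def apply_recommendation(pod: dict) -> dict:
    """Return a copy of the Pod with the recommended change applied to every
    flagged container; the original manifest is left untouched."""
    fixed = copy.deepcopy(pod)
    spec = fixed["spec"]
    for field in ("initContainers", "containers"):
        for container in spec.get(field, []):
            if effective_run_as_non_root(spec, container) is not True:
                ctx = container.get("securityContext") or {}
                ctx["runAsNonRoot"] = True
                container["securityContext"] = ctx
    return fixed


# Constructed Pod A: Pod-level runAsNonRoot is true, but 'web' overrides it.
SAMPLE_POD_A = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "frontend"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {"name": "web", "image": "example/web:1.0",
             "securityContext": {"runAsNonRoot": False}},
            {"name": "sidecar", "image": "example/sidecar:1.0"},  # inherits true
        ],
    },
}

# Constructed Pod B: runAsNonRoot is not set at any level.
SAMPLE_POD_B = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "backend"},
    "spec": {
        "initContainers": [{"name": "init", "image": "example/init:1.0"}],
        "containers": [{"name": "api", "image": "example/api:1.0"}],
    },
}

if __name__ == "__main__":
    for pod in (SAMPLE_POD_A, SAMPLE_POD_B):
        for concern in find_root_concerns(pod):
            print(concern)
        print("after fix:", find_root_concerns(apply_recommendation(pod)))
```

On Pod A only the 'web' container is reported, because its explicit false overrides the Pod-level true while 'sidecar' inherits it; on Pod B both the init container and the main container are reported with the field unset. Re-running the audit on the corrected copy returns no concerns, which mirrors the dashboard no longer listing a fixed concern after the next scan.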

What's next