About the security posture dashboard


This page provides an overview of the security posture dashboard in the Google Cloud console, which provides you with opinionated, actionable recommendations to improve your security posture. To explore the dashboard yourself, go to the Security Posture page in the Google Cloud console.

When to use the security posture dashboard

You should use the security posture dashboard if you're a cluster administrator or a security administrator who wants to automate detection and reporting of common security concerns across multiple clusters and workloads, with minimal intrusion and disruption to your running applications. The security posture dashboard integrates with products such as Cloud Logging, Policy Controller, and Binary Authorization to improve your visibility into your security posture.

If you use VPC Service Controls, you can also update your perimeters to protect the security posture dashboard by adding containersecurity.googleapis.com to the list of services.

The security posture dashboard doesn't change any of our responsibilities or your responsibilities under the shared responsibility model. You're still responsible for protecting your workloads.

Usage as part of a broad security strategy

The security posture dashboard provides insights about your workload security posture at the runtime phase of the software delivery lifecycle. To gain comprehensive coverage of your applications throughout the lifecycle from source control to maintenance, we recommend that you use the dashboard with other security tooling.

GKE offers the following tooling to monitor security and compliance in the Google Cloud console:

  • The security posture dashboard, available in the GKE Standard tier and the GKE Enterprise tier.
  • The GKE Compliance dashboard, available in the GKE Enterprise tier. For details, see About the GKE Compliance dashboard.

For more details about other available tooling and for best practices to safeguard your applications from end to end, see Protect your software supply chain.

We also strongly recommend that you implement as many recommendations as possible from Harden your cluster security.

How the security posture dashboard works

To use the security posture dashboard, enable the Container Security API in your project. The dashboard shows you insights from capabilities that are built into GKE and from certain Google Cloud security products running in your project.

Cluster-specific feature enablement

The GKE-specific capabilities in the security posture dashboard are categorized as follows:

If you use GKE Enterprise, some of these features are enabled by default in new clusters. The following table describes the cluster-specific features:

Feature name Availability Included capabilities
Kubernetes security posture - standard tier

Requires GKE version 1.27 or later.

  • GKE Enterprise edition: Enabled by default in all new clusters
  • GKE Standard edition: Enabled by default in all new clusters
Kubernetes security posture - advanced tier (Preview) Not automatically enabled in any version or mode of operation. Requires GKE Enterprise edition.
Workload vulnerability scanning - standard tier
  • GKE Enterprise edition: Enabled by default in all new clusters running version 1.27 and later
  • GKE Standard edition: Enabled by default in all new Autopilot mode clusters running version 1.27 and later. Disabled by default in all new Standard mode clusters.
Workload vulnerability scanning - advanced vulnerability insights
  • GKE Enterprise edition: Enabled by default in all new clusters running version 1.27 and later
  • GKE Standard edition: Disabled by default in all new clusters.

You can enable these features for standalone GKE clusters or fleet member clusters. The security posture dashboard lets you observe all your clusters simultaneously, including all fleet members in your fleet host project.

Cross-product features

The security posture dashboard can show you insights from other Google Cloud security offerings that are running in your project. This provides an overview of the security status of a single fleet or the clusters in a specific project.

Name Description How to enable
Supply chain concerns - Binary Authorization (Preview)

Checks for the following issues with running container images:

  • Images that use the latest tag, either implicitly or explicitly
  • Images (deployed by digest) that were uploaded to Artifact Registry or Container Registry (Deprecated) more than 30 days ago

If you use images in Artifact Registry repositories that belong to a different project, let Binary Authorization read those images in the artifact project by granting the relevant IAM role to the service agent. For instructions, see Grant roles using the gcloud CLI.

Enable the Binary Authorization API in your project. For instructions, see Enable the Binary Authorization service.

Integration with Security Command Center

If you use the Security Command Center Standard tier or Premium tier in your organization or project, you'll see security posture dashboard findings in Security Command Center. For more details about the types of Security Command Center findings that you'll see, refer to Security sources.

Benefits of the security posture dashboard

The security posture dashboard is a foundational security measure that you can enable for any eligible GKE cluster. Google Cloud recommends using the security posture dashboard for all your clusters for the following reasons:

  • Minimal disruptions: Features don't interfere with or disrupt running workloads.
  • Actionable recommendations: When available, the security posture dashboard provides action items to fix discovered concerns. These actions include commands that you can run, examples of configuration changes to make, and advice about what to do to mitigate vulnerabilities.
  • Visualization: The security posture dashboard provides a high-level visualization of concerns affecting clusters across your project, and includes charts and graphs to show the progress you've made and the potential impact of each concern.
  • Opinionated results: GKE assigns a severity rating to discovered concerns based on the expertise of our security teams and industry standards.
  • Auditable event logs: GKE adds all discovered concerns to Logging for better reportability and observability.
  • Fleet observability: If you've registered GKE clusters to a fleet, the dashboard lets you observe all of your project's clusters, including fleet member clusters and any standalone GKE clusters in the project.

GKE security posture dashboard pricing

The pricing for the capabilities of the security posture dashboard is as follows, applicable to standalone GKE clusters and fleet GKE clusters:

GKE security posture dashboard pricing
Workload configuration auditing No extra charge
Security bulletin surfacing No extra charge
GKE threat detection (Preview) Included in the cost of GKE Enterprise. For details, in the GKE pricing page, see Enterprise edition.
Container OS vulnerability scanning No extra charge
Advanced vulnerability insights

Uses Artifact Analysis pricing.

For details, on the Artifact Analysis pricing page, see Advanced vulnerability insights.

Supply chain - Binary Authorization (Preview) No extra charge for security posture dashboard concerns. However, using other Binary Authorization features like enforcement is separate to the dashboard functionality, and is subject to Binary Authorization for GKE pricing.

Entries that are added to Cloud Logging use Cloud Logging pricing. However, depending on the scale of your environment and the number of concerns discovered, you might not exceed the free ingestion and storage allotments for Logging. For details, see Logging pricing.

Manage fleet security posture

If you use fleets with Google Kubernetes Engine (GKE) Enterprise edition, you can configure GKE security posture features at the fleet level using the gcloud CLI. GKE clusters that you register as fleet members during cluster creation automatically inherit the security posture configuration. Clusters that were already fleet members before you changed the security posture configuration don't inherit the new configuration. This inherited configuration overrides the default settings that GKE applies to new clusters.

Enabling GKE Enterprise displays compliance auditing results in the security posture dashboard. Compliance auditing compares your clusters and workloads with industry best practices like the Pod Security Standards. For more information, see Policy Controller bundles.

To learn how to change your fleet-level security posture configuration, see Configure GKE security posture dashboard features at fleet-level.

About the Security Posture page

The Security Posture page in the Google Cloud console has the following tabs:

  • Dashboard: a high-level representation of the results of your scans. Includes charts and feature-specific information.
  • Concerns: a detailed, filterable view of any concerns discovered by GKE across your clusters and workloads. You can select individual concerns for details and mitigation options.
  • Settings: manage the security posture feature configuration for individual clusters or for fleets.

Dashboard

The Dashboard tab provides a visual representation of the results of various GKE security posture scans and information from other Google Cloud security products that are enabled in your project. For details about the available scanning capabilities and other supported security products, see How the security posture dashboard works in this document.

If you use fleets with GKE Enterprise, the dashboard also displays any discovered concerns for clusters including clusters in the project's fleet and standalone clusters. To switch the dashboard to view the posture of a specific fleet, select the host project for that fleet from the project selector drop-down menu in the Google Cloud console. If the selected project has the Container Security API enabled, the dashboard shows results for all member clusters of that project's fleet.

Concerns

The Concerns tab lists active security concerns that GKE discovers when scanning your clusters and workloads. This page only displays concerns for the security posture features described in Cluster-specific feature enablement in this document. If you use fleets with GKE Enterprise, you can see concerns for fleet member clusters and for standalone GKE clusters that the selected project owns.

Severity ratings

Where applicable, GKE assigns a severity rating to discovered concerns. You can use these ratings to determine the urgency with which you need to resolve the finding. GKE uses the following severity ratings, which are based on the CVSS Qualitative Severity Rating Scale:

  • Critical: Act immediately. An attack will lead to an incident.
  • High: Act promptly. An attack will very likely lead to an incident.
  • Medium: Act soon. An attack will likely lead to an incident.
  • Low: Act eventually. An attack could lead to an incident.

The precise speed of your response to concerns depends on your organization's threat model and risk tolerance. The severity ratings are a qualitative guideline to help you to develop a thorough incident response plan.

Concerns table

The Concerns table shows all the concerns detected by GKE. You can change the default view to group results by the type of concern, Kubernetes namespace, or by the affected workloads. You can use the filter pane to filter the results by severity rating, type of concern, Google Cloud location, and cluster name. To view details about a specific concern, click the name of that concern.

Concern details pane

When you click a concern in the Concerns table, the concern details pane opens. This pane provides a detailed description of the concern, and relevant information such as affected OS versions for vulnerabilities, CVE links, or risks associated with a specific configuration concern. The details pane provides a recommended action if applicable. For example, a workload that sets runAsNonRoot: false would return the recommended change you need to make to the Pod specification to mitigate the concern.

The Affected resources tab in the concern details pane shows a list of workloads in your enrolled clusters that are affected by that concern.

Settings

The Settings tab lets you configure cluster-specific security posture features, like workload vulnerability scanning or workload configuration auditing, on eligible GKE clusters in your project or fleet. You can view the enablement status of specific features for each cluster and change that configuration for eligible clusters. If you use fleets with GKE Enterprise, you can also see whether your fleet member clusters have the same settings as the fleet-level configuration.

Example workflow

This section is an example of the workflow for a cluster administrator who wants to scan workloads in a cluster for security configuration issues, such as root privileges.

  1. Enroll the cluster in Kubernetes security posture scanning by using the Google Cloud console.
  2. Check the security posture dashboard for scan results, which might take up to 30 minutes to appear.
  3. Click the Concerns tab to open the detailed results.
  4. Select the Configuration concern type filter.
  5. Click a concern in the table.
  6. On the concern details pane, note the recommended configuration change and update the Pod specification with the recommendation.
  7. Apply the updated Pod specification to the cluster.

The next time that the scan runs, the security posture dashboard no longer displays the concern that you fixed.

What's next