This document describes how cluster control plane components are secured in Google Kubernetes Engine (GKE).
Under the Shared Responsibility Model, Google manages the GKE control plane components for you. The control plane includes the Kubernetes API server, etcd, and a number of controllers. Google is responsible for securing the control plane, though you might be able to configure certain options based on your requirements. You are responsible for securing your nodes, containers, and Pods.
Hardened operating system
GKE control plane components run on Container-Optimized OS, which is a security-hardened operating system designed by Google. For a detailed description of the security features built into Container-Optimized OS, see the Container-Optimized OS security overview.
Architecture and isolation
In a GKE cluster, the control plane components run on Compute Engine instances owned by Google, in a Google-managed project. Each instance runs these components for only one customer's cluster.
Authentication to the Kubernetes API server and etcd is done the same way it's done for other Google Cloud services. Application-layer Transport Security (ALTS) protects these communications.
Control plane access to your project
When using GKE, your project will contain a
Google-managed service account
named the Kubernetes Engine Service Agent, with an email address that uses the
following format, where
PROJET_NUMBER is your
This service account is used by your GKE control plane to actuate
cluster resources such as nodes, disks, and load balancer resources on on your
behalf. The service account is automatically granted the Kubernetes Engine
Service Agent role (
roles/container.serviceAgent) on your project.
Administrative access to the cluster
SSH sessions by Google Site Reliability Engineers are audit logged through Google's internal audit infrastructure, which is available for forensics and security response. For more information, see Administrative access in the Google Security Whitepaper.
In Google Cloud, customer content is encrypted at the filesystem layer by default. So disks that host etcd storage for GKE clusters are encrypted at the filesystem layer. For more information, see Encryption at rest.
etcd listens on two TCP ports. Port 2379 is for etcd clients, like the Kubernetes API server. Port 2379 is bound to the local loopback network interface, so it is only accessible from the VM that is running the Kubernetes API server. Port 2380 is for server-to-server communication. Traffic on port 2380 is encrypted by mutual TLS. That is, each server must prove its identity to the other. In a regional cluster, communication between etcd servers to establish a quorum is encrypted by mutual TLS.
Certificate authority and cluster trust
Each cluster has its own root certificate authority (CA). An internal Google service manages root keys for this CA. Each cluster also has its own CA for etcd. Root keys for the etcd CA are distributed to the metadata of the VMs that run the Kubernetes API server. Communication between nodes and the Kubernetes API server is protected by TLS. For more information, see Cluster trust.
Vulnerability and patch management
GKE adheres to Google standards for testing, qualifying, and gradually rolling out changes to the control plane. This minimizes the risk of a control plane component becoming unavailable. GKE adheres to a service level agreement that defines many aspects of availability.
GKE control plane components are managed by a team of Google site reliability engineers, and are kept up to date with the latest security patches. This includes patches to the host operating system, Kubernetes components, and containers running on the control plane VMs.
GKE applies new kernel, OS, and Kubernetes-level fixes promptly to control plane VMs. When these contain fixes for known vulnerabilities, additional information is available in the GKE security bulletins. GKE scans all Kubernetes system and GKE-specific containers for vulnerabilities using Container Registry vulnerability scanning, and keeps the containers patched, benefitting the whole Kubernetes ecosystem.
Google engineers participate in finding, fixing, and disclosing Kubernetes security bugs. And Google pays external security researchers, through the Google-wide vulnerability reward program, to look for security bugs. In some cases, such as the dnsmasq vulnerability in October 2017, GKE has been able to patch all running clusters before the vulnerability became public.
What you can see
The security features discussed previously in this topic are managed by Google. This section and the following section discuss security features that you can monitor and configure.
Audit logging is enabled by default for clusters created since the release of 1.8.3. This provides a detailed record, available in Google Cloud's operations suite, of calls made to the Kubernetes API server. You can view the log entries on the Logs page in the Google Cloud console. You can also use BigQuery to view and analyze these logs.
What you can configure
By default, the Kubernetes API server uses a public IP address. You can protect the Kubernetes API server by using authorized networks and private clusters, which allow you to assign a private IP address to the Kubernetes API server and disable access on the public IP address.
You can handle cluster authentication in GKE by using IAM as the identity provider. For enhanced authentication security, basic authentication and client certificate issuance are disabled by default for clusters created with GKE 1.12 and later.
You can enhance the security of your control plane by doing credential rotation on a regular basis. When credential rotation is initiated, the TLS certificates and cluster certificate authority are rotated automatically. GKE also rotates the IP address of your Kubernetes API server. For more information, see Role-Based Access Control (RBAC) and Credential rotation.