Running a business-critical application on Google Kubernetes Engine (GKE) requires multiple parties to carry different responsibilities. While not an exhaustive list, this topic lists the responsibilities for both Google and the customer.
- Protecting the underlying infrastructure, including hardware, firmware, kernel, OS, storage, network, and more. This includes encrypting data at rest by default, providing additional customer-managed disk encryption, encrypting data in transit, using custom-designed hardware, laying private network cables, protecting data centers from physical access, protecting the bootloader and kernel against modification using Shielded Nodes, and following secure software development practices.
- Hardening and patching the nodes' operating system, such as Container-Optimized OS or Ubuntu. GKE promptly makes any patches to these images available. If you have auto-upgrade enabled, or are using a release channel, these updates are automatically deployed. This is the OS layer underneath your container—it's not the same as the operating system running in your containers.
- Building and operating threat detection for container-specific threats into the kernel with Container Threat Detection (priced separately with Security Command Center).
- Hardening and
Kubernetes node components. All GKE managed components are upgraded
automatically when you upgrade GKE node versions. This includes:
- vTPM-backed trusted bootstrap mechanism for issuing kubelet TLS certificates and auto-rotation of the certificates
- Hardened kubelet configuration following CIS benchmarks
- GKE metadata server for Workload identity
- GKE's native Container Network Interface plugin and Calico for NetworkPolicy
- GKE Kubernetes storage integrations such as the CSI driver
- GKE logging and monitoring agents
- Hardening and patching the control plane. The control plane includes the control plane VM, API server, scheduler, controller manager, cluster CA, TLS certificate issuance and rotation, root-of-trust key material, CA rotation, secrets encryption, IAM authenticator and authorizer, audit logging configuration, etcd, and various other controllers. All of your control plane components run on Google-operated Compute Engine instances. These instances are single tenant, meaning each instance runs the control plane and its components for only one customer.
- Provide Google Cloud integrations for Connect, Identity and Access Management, Cloud Audit Logs, Google Cloud's operations suite, Cloud Key Management Service, Security Command Center, and others.
- Restrict and log Google administrative access to customer clusters for contractual support purposes with Access Transparency.
- Maintain your workloads, including your application code, build files, container images, data, Role-based access control (RBAC)/IAM policy, and containers and pods that you are running.
- Enroll clusters in auto-upgrade (default) or upgrade clusters to supported versions.
- Monitor the cluster and applications and respond to any alerts and incidents.
- Provide Google with environmental details when requested for troubleshooting purposes.
- Read the GKE Security overview.