Posture management deprecations


This page describes deprecations and removals for various security posture management and compliance posture management features in Google Kubernetes Engine (GKE) and GKE Enterprise. This information applies to you if you use any of the features described in the following section in the Google Cloud console.

About the posture management dashboards

GKE provides dashboards in the Google Cloud console to monitor the security posture of your GKE clusters and any compliance violations in your fleet. These dashboards support the following capabilities:

  • GKE security posture dashboard: monitor the security posture of GKE clusters and workloads. Supports the following features:

    • Kubernetes security posture - standard tier:

      • Workload configuration auditing
      • Actionable security bulletin surfacing (Preview)
    • Kubernetes security posture - advanced tier:

      • GKE threat detection (Preview) (GKE Enterprise only)
    • Workload vulnerability scanning - standard tier

    • Workload vulnerability scanning - Advanced Vulnerability Insights

    • Supply chain concerns - Binary Authorization (Preview)

  • GKE Compliance dashboard (Preview) (GKE Enterprise only): monitor the compliance status of your workloads against industry standards like the CIS Benchmarks for GKE.

Deprecated features

Starting on January 28, 2025, specific posture management capabilities are deprecated. The following table lists the deprecated capabilities with deprecation dates, estimated removal dates, and links to learn more.

| Capability | Deprecation date | Removal date | Learn more |
|---|---|---|---|
| Kubernetes security posture - advanced tier (Preview) | January 28, 2025 | March 31, 2025 | Kubernetes security posture - advanced tier |
| Supply chain concerns - Binary Authorization (Preview) | January 28, 2025 | March 31, 2025 | Supply chain concerns - Binary Authorization |
| GKE Compliance dashboard (Preview) | January 28, 2025 | June 30, 2025 | Compliance dashboard |
| Workload vulnerability scanning | GKE standard edition: July 23, 2024 | GKE standard edition: July 31, 2025 | Workload vulnerability scanning |

What happens when a capability is removed?

After the removal date of a capability, the following changes occur:

  • The Google Cloud console no longer generates new results for the capability. For example, GKE doesn't generate new GKE threat detection results after March 31, 2025.
  • You can't view existing results in the corresponding posture management dashboard. For example, you can't view existing container OS vulnerability scan results for GKE standard edition clusters after July 31, 2025.
  • Security Command Center findings for the capability get the Inactive state. Findings are deleted after the Security Command Center data retention period.

The logs for your findings remain in the _Default log bucket in Cloud Logging for the log retention period.

What you should do

This section describes any available alternatives that you can use to get similar monitoring capabilities for your clusters and workloads.

Workload vulnerability scanning

Workload vulnerability scanning is available in the following tiers:

  • Standard tier: scan the container operating system (OS) for actionable vulnerabilities.
  • Advanced Vulnerability Insights: in addition to the standard tier's OS vulnerability scanning, scan container language packages for actionable vulnerabilities.

Both tiers of workload vulnerability scanning are deprecated in the GKE standard edition as of July 23, 2024. Starting on July 31, 2025, only GKE Enterprise clusters can use workload vulnerability scanning.

To learn more, see Workload vulnerability scanning removal in GKE Standard edition.

Kubernetes security posture - advanced tier

The advanced tier of the Kubernetes security posture capability displays findings from GKE threat detection (Preview). GKE threat detection evaluates your audit logs against a set of rules for cluster and workload threats. Active threats are displayed in the Google Cloud console with information about how to remediate the threat.

GKE threat detection is powered by Security Command Center Event Threat Detection. To continue getting information about active threats after March 31, 2025, do the following:

  1. Activate either the Premium or the Enterprise tier of Security Command Center
  2. Enable the Event Threat Detection service
  3. View Event Threat Detection findings

Supply chain concerns - Binary Authorization

If you enable the Binary Authorization API in a project, the GKE security posture dashboard displays results for running container images that meet any of the following criteria:

  • Images that use the latest tag, either explicitly or implicitly (no tag specified).
  • Images referenced by digest that were uploaded to Artifact Registry or Container Registry (Deprecated) more than 30 days ago.

To continue monitoring your running containers for these issues after March 31, 2025, do the following:

  1. Set up Binary Authorization in your cluster.
  2. Enable the continuous validation image freshness check (Preview).

Setting up Binary Authorization in a cluster prevents you from deploying Pods that don't specify a container image digest for every container. This ensures that workloads don't use the :latest tag or omit a tag.
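The two dashboard criteria above (latest tag, explicit or implicit, and digest-pinned images older than 30 days) and the digest requirement that Binary Authorization enforces can be reproduced with a small script. The following Python is an added example, not code from the GKE documentation or from Binary Authorization: it parses image references the way they appear in Pod specs, classifies each one, and applies the 30-day freshness threshold from the page to a constructed map of digest to upload time that stands in for a registry lookup. The sample image references, the digests, the upload timestamps, and the fixed evaluation time are all constructed; the `mutable-tag` category (a non-latest tag without a digest) is not one of the dashboard's criteria but is the case that Binary Authorization's digest requirement blocks.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Freshness threshold stated on the page: digest images older than 30 days are flagged.
MAX_AGE = timedelta(days=30)


@dataclass
class ImageRef:
    name: str                 # registry/repository part, without tag or digest
    tag: Optional[str]        # None when no tag is given (Kubernetes then uses "latest")
    digest: Optional[str]     # "sha256:..." when the image is pinned by digest


def parse_image(ref: str) -> ImageRef:
    """Split an image reference into name, tag and digest.

    A registry host may carry a port ("localhost:5000/app"), so the tag is only
    looked for in the last path component, after the digest has been removed.
    """
    name, at, digest = ref.partition("@")
    digest = digest if at else None
    head, slash, last = name.rpartition("/")
    if ":" in last:
        last, tag = last.rsplit(":", 1)
        name = f"{head}/{last}" if slash else last
    else:
        tag = None
    return ImageRef(name=name, tag=tag, digest=digest)


def assess(ref: str, upload_times: dict, now: datetime) -> str:
    """Classify one running image against the page's criteria.

    upload_times maps digest -> upload time (constructed here; in practice this
    would come from the registry). Returns a short finding label.
    """
    img = parse_image(ref)
    if img.digest:
        uploaded = upload_times.get(img.digest)
        if uploaded is None:
            return "digest-unknown-age"       # cannot evaluate freshness
        return "digest-stale" if now - uploaded > MAX_AGE else "digest-fresh"
    if img.tag is None:
        return "implicit-latest"              # no tag: Kubernetes pulls "latest"
    if img.tag == "latest":
        return "explicit-latest"
    return "mutable-tag"                      # pinned to a tag, not a digest


def scan(images: list, upload_times: dict, now: datetime) -> dict:
    """Return {image reference: finding} for every image in the list."""
    return {ref: assess(ref, upload_times, now) for ref in images}


# --- Constructed sample data (not real images, digests or timestamps) ---
FRESH_DIGEST = "sha256:" + "a" * 64
STALE_DIGEST = "sha256:" + "b" * 64
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)
UPLOAD_TIMES = {
    FRESH_DIGEST: datetime(2025, 2, 15, tzinfo=timezone.utc),   # 14 days old
    STALE_DIGEST: datetime(2025, 1, 1, tzinfo=timezone.utc),    # 59 days old
}
SAMPLE_IMAGES = [
    "nginx",                                                    # implicit latest
    "localhost:5000/app:latest",                                # explicit latest
    "us-docker.pkg.dev/example-proj/repo/app:v1.2",             # mutable tag
    f"us-docker.pkg.dev/example-proj/repo/app@{FRESH_DIGEST}",  # fresh digest
    f"us-docker.pkg.dev/example-proj/repo/app:v1.0@{STALE_DIGEST}",  # stale digest
]

if __name__ == "__main__":
    for ref, finding in scan(SAMPLE_IMAGES, UPLOAD_TIMES, NOW).items():
        print(f"{finding:20} {ref}")
```

Only the `digest-fresh` outcome would be admitted by a Binary Authorization policy that requires a digest for every container, which is why the page recommends that setup as the replacement for the dashboard's supply chain results.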

GKE Compliance dashboard

The GKE Compliance dashboard is a GKE Enterprise feature that lets you scan your clusters against predefined industry standards like the CIS Benchmarks for GKE.

Starting on June 30, 2025, the GKE Compliance dashboard no longer displays results for compliance violations in eligible clusters. You can't enable compliance auditing for new or existing clusters.

To get similar results for compliance violations, do the following:

  1. Activate either the Premium or the Enterprise tier of Security Command Center
  2. Assess and report compliance with security standards