The Google Kubernetes Engine (GKE) security posture dashboard provides you with opinionated, actionable recommendations to improve your clusters' security posture. If you have enabled GKE Enterprise, you can enable security posture as a fleet-default configuration. This page shows you how to configure these fleet-defaults.
You can create fleet-level defaults for the following security posture dashboard settings:
- Kubernetes security posture scanning (standard tier): audit the clusters and workloads in your fleet for common security configuration concerns.
- Workload vulnerability scanning, available in the following tiers:
  - Workload OS vulnerability scanning (standard tier): scan the container OS for known vulnerabilities.
  - Advanced vulnerability insights (enterprise tier): scan the container OS and language packages for known vulnerabilities.
To learn how to configure these settings for individual clusters, see the following resources:
- Automatically audit workloads for configuration issues
- Automatically scan workloads for known vulnerabilities
Configure fleet-level defaults
This section describes how to configure security posture dashboard features as fleet-level defaults. Any new clusters that you register to a fleet during cluster creation have your specified security posture features enabled. The fleet-level default settings that you configure take priority over any default GKE security posture settings. To view the default settings that apply to your edition of GKE, see the Cluster-specific features table.
To configure fleet-level defaults for security posture, complete the following steps:
Console
In the Google Cloud console, go to the Feature Manager page.
In the Security Posture pane, click Configure.
Review your fleet-level settings. All new clusters you register to the fleet inherit these settings.
Optional: To change the default settings, click Customize fleet settings. In the Customize fleet default configuration dialog that appears, do the following:
- For Configuration audit, choose if configuration auditing should be enabled or disabled.
- For Vulnerability scanning, select the level of vulnerability scanning that you want: Disabled, Basic, or Advanced (recommended).
- Click Save.
If you later disable fleet-level configuration for these features, your current workloads in existing member clusters are still scanned and you can see the security concerns on the security posture dashboard. However, any new clusters you create in that fleet won't be scanned for concerns, unless you enable the security posture features on them individually.
To apply the setting to new clusters, click Configure.
In the confirmation dialog, click Confirm.
Optional: Sync existing clusters to the default settings:
- In the Clusters in the fleet list, select the clusters that you want to sync.
- Click Sync to fleet settings and click Confirm in the confirmation dialog that appears. This operation can take a few minutes to complete.
gcloud
Make sure that you have gcloud CLI version 455.0.0 or later.
Configure defaults for a new fleet
You can create an empty fleet with the security posture dashboard features you want enabled.
To create a fleet with workload configuration auditing enabled, run the following command:
gcloud container fleet create --security-posture standard
To create a fleet with workload vulnerability scanning enabled, run the following command:
gcloud container fleet create --workload-vulnerability-scanning VULNERABILITY_SCANNING_TIER
Replace VULNERABILITY_SCANNING_TIER with one of the following values:
- standard: scan the container OS for known vulnerabilities.
- enterprise: scan the container OS and language packages for known vulnerabilities.
Configure defaults for an existing fleet
To enable workload configuration auditing on an existing fleet, run the following command:
gcloud container fleet update --security-posture standard
To enable workload vulnerability scanning on an existing fleet, run the following command:
gcloud container fleet update --workload-vulnerability-scanning VULNERABILITY_SCANNING_TIER
Replace VULNERABILITY_SCANNING_TIER with one of the following values:
- standard: scan the container OS for known vulnerabilities.
- enterprise: scan the container OS and language packages for known vulnerabilities.
To change the workload vulnerability scanning tier on an existing fleet:
- Check the existing security posture dashboard settings on the fleet:
gcloud container fleet describe
- Use the update command as described earlier with the workload vulnerability scanning tier that you want to change to:
gcloud container fleet update --workload-vulnerability-scanning VULNERABILITY_SCANNING_TIER
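The describe-then-update procedure above can be scripted so that a fleet is only updated when its current defaults differ from the wanted ones. The following is an added example, not part of the Google Cloud documentation: it parses a constructed sample of describe output (the defaultClusterConfig.securityPostureConfig field names and enum values are assumed from the GKE Hub Fleet resource; verify them against your own output) and prints the gcloud container fleet update flags that are actually needed.

```shell
# Constructed sample of `gcloud container fleet describe --format=yaml` output.
# Field names and enum values are assumptions; compare with your real output.
SAMPLE_FLEET_YAML='name: projects/example-project/locations/global/fleets/default
defaultClusterConfig:
  securityPostureConfig:
    mode: BASIC
    vulnerabilityMode: VULNERABILITY_BASIC
'

# Map the API enum values to the --security-posture values documented on this page.
posture_from_mode() {
  case "$1" in
    BASIC|ENTERPRISE) echo standard ;;
    *)                echo disabled ;;   # DISABLED or unset
  esac
}

# Map the API enum values to the --workload-vulnerability-scanning values.
vuln_tier_from_mode() {
  case "$1" in
    VULNERABILITY_ENTERPRISE) echo enterprise ;;
    VULNERABILITY_BASIC)      echo standard ;;
    *)                        echo disabled ;;   # VULNERABILITY_DISABLED or unset
  esac
}

# Usage: needed_update_flags <describe-yaml> <wanted posture> <wanted vuln tier>
# Prints only the flags that change something; empty output means no update is needed.
needed_update_flags() {
  yaml=$1; want_posture=$2; want_vuln=$3
  # Read the two fields only from inside the securityPostureConfig block.
  mode=$(printf '%s\n' "$yaml" | awk '/securityPostureConfig:/{f=1} f && $1=="mode:"{print $2; exit}')
  vmode=$(printf '%s\n' "$yaml" | awk '/securityPostureConfig:/{f=1} f && $1=="vulnerabilityMode:"{print $2; exit}')
  flags=""
  [ "$(posture_from_mode "$mode")" = "$want_posture" ] || flags="$flags --security-posture $want_posture"
  [ "$(vuln_tier_from_mode "$vmode")" = "$want_vuln" ] || flags="$flags --workload-vulnerability-scanning $want_vuln"
  printf '%s' "${flags# }"
}

# Example: raise the fleet to the enterprise scanning tier while keeping auditing on.
flags=$(needed_update_flags "$SAMPLE_FLEET_YAML" standard enterprise)
if [ -n "$flags" ]; then
  echo "would run: gcloud container fleet update $flags"
else
  echo "fleet defaults already match; nothing to update"
fi
```

In real use, replace SAMPLE_FLEET_YAML with the output of gcloud container fleet describe --format=yaml and run the printed update command once you have reviewed it.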
Disable security posture dashboard features at fleet level
To disable workload configuration auditing, run the following command:
gcloud container fleet update --security-posture disabled
To disable workload vulnerability scanning, run the following command:
gcloud container fleet update --workload-vulnerability-scanning disabled
If you disable fleet-level configuration for these features, your current workloads in existing member clusters are still scanned and you can see the security concerns on the security posture dashboard. However, any new clusters you create in that fleet won't be scanned for concerns, unless you enable the security posture features on them individually.
What's next
- Learn about the range of Google Cloud features to secure your clusters and workloads.
- Learn how workload configuration auditing detects common security configuration concerns.
- Learn how workload vulnerability scanning scans your container OS and application language packages for security concerns.