Configure GKE security posture dashboard features at fleet level

Autopilot Standard

The Google Kubernetes Engine (GKE) security posture dashboard provides you with opinionated, actionable recommendations to improve your clusters' security posture. If you have enabled GKE Enterprise, you can enable security posture as a fleet-default configuration. This page shows you how to configure these fleet-defaults.

You can create fleet-level defaults for the following security posture dashboard settings:

Kubernetes security posture scanning standard tier: audit the clusters and workloads in your fleet for common security configuration concerns.
Workload vulnerability scanning, available in the following tiers:
- Workload OS vulnerability scanning (standard tier): scan the container OS for known vulnerabilities.
- Advanced vulnerability insights (enterprise tier): scan the container OS and language packages for known vulnerabilities.

To learn how to configure these settings for individual clusters, see the following resources:

Configure fleet-level defaults

This section describes how to configure security posture dashboard features as fleet-level defaults. Any new clusters that you register to a fleet during cluster creation have your specified security posture features enabled. The fleet-level default settings that you configure take priority over any default GKE security posture settings. To view the default settings that apply to your edition of GKE, see the Cluster-specific features table.

To configure fleet-level defaults for security posture, complete the following steps:

Console

In the Google Cloud console, go to the Feature Manager page.

Go to Feature Manager
In the Security Posture pane, click Configure.
Review your fleet-level settings. All new clusters you register to the fleet inherit these settings.
Optional: To change the default settings, click Customize fleet settings. In the Customize fleet default configuration dialog that appears, do the following:
1. For Configuration audit, choose if configuration auditing should be enabled or disabled.
2. For Vulnerability scanning, select the level of vulnerability scanning that you want; Disabled, Basic, or Advanced (recommended).
3. Click Save.
If you later disable fleet-level configuration for these features, your current workloads in existing member clusters are still scanned and you can see the security concerns on the security posture dashboard. However, any new clusters you create in that fleet won't be scanned for concerns, unless you enable the security posture features on them individually.
To apply the setting to new clusters, click Configure.
In the confirmation dialog, click Confirm.
Optional: Sync existing clusters to the default settings:
1. In the Clusters in the fleet list, select the clusters that you want to sync.
2. Click Sync to fleet settings and click Confirm in the confirmation dialog that appears. This operation can take a few minutes to complete.

gcloud

Make sure that you have gcloud CLI version 455.0.0 or later.

Configure defaults for a new fleet

You can create an empty fleet with the security posture dashboard features you want enabled.

To create a fleet with workload configuration auditing enabled, run the following command:
```
gcloud container fleet create --security-posture standard
```
To create a fleet with workload vulnerability scanning enabled, run the following command:
```
gcloud container fleet create --workload-vulnerability-scanning VULNERABILITY_SCANNING_TIER
```
Replace VULNERABILITY_SCANNING_TIER with one of the following values:
- standard: scan the container OS for known vulnerabilities.
- enterprise: scan the container OS and language packages for known vulnerabilities.

Configure defaults for an existing fleet

To enable workload configuration auditing on an existing fleet, run the following command:
```
gcloud container fleet update --security-posture standard
```
To enable workload vulnerability scanning on an existing fleet, run the following command:
```
gcloud container fleet update --workload-vulnerability-scanning VULNERABILITY_SCANNING_TIER
```
Replace VULNERABILITY_SCANNING_TIER with one of the following values:
- standard: scan the container OS for known vulnerabilities.
- enterprise: scan the container OS and language packages for known vulnerabilities.
To change workload vulnerability scanning tier on an existing fleet:
1. Check the existing security posture dashboard settings on a fleet:
```
gcloud container fleet describe
```
2. Use the update command as described earlier with the workload scanning tier you want to change to:
```
gcloud container fleet update --workload-vulnerability-scanning VULNERABILITY_SCANNING_TIER
```

Disable security posture dashboard features at fleet level

To disable workload configuration auditing, run the following command:
```
gcloud container fleet update --security-posture disabled
```

To disable workload vulnerability scanning, run the following command:

gcloud container fleet update --workload-vulnerability-scanning disabled

If you disable fleet-level configuration for these features, your current workloads in existing member clusters are still scanned and you can see the security concerns on the security posture dashboard. However, any new clusters you create in that fleet won't be scanned for concerns, unless you enable the security posture features on them individually.

What's next

Learn about the range of Google Cloud features to secure your clusters and workloads.
Learn how workload configuration auditing detects common security configuration concerns.
Learn how workload vulnerability scanning scans your container OS and application language packages for security concerns.