Configure GKE security posture dashboard features at fleet level


The Google Kubernetes Engine (GKE) security posture dashboard provides you with opinionated, actionable recommendations to improve your clusters' security posture. If you have enabled GKE Enterprise, you can enable security posture as a fleet-default configuration. This page shows you how to configure these fleet-defaults.

You can create fleet-level defaults for the following security posture dashboard settings:

  • Kubernetes security posture scanning standard tier: audit the clusters and workloads in your fleet for common security configuration concerns.
  • Workload vulnerability scanning, available in the following tiers:
    • Workload OS vulnerability scanning (standard tier): scan the container OS for known vulnerabilities.
    • Advanced vulnerability insights (enterprise tier): scan the container OS and language packages for known vulnerabilities.

To learn how to configure these settings for individual clusters, see the following resources:

Configure fleet-level defaults

This section describes how to configure security posture dashboard features as fleet-level defaults. Any new clusters that you register to a fleet during cluster creation have your specified security posture features enabled. The fleet-level default settings that you configure take priority over any default GKE security posture settings. To view the default settings that apply to your edition of GKE, see the Cluster-specific features table.

To configure fleet-level defaults for security posture, complete the following steps:

Console

  1. In the Google Cloud console, go to the Feature Manager page.

    Go to Feature Manager

  2. In the Security Posture pane, click Configure.

  3. Review your fleet-level settings. All new clusters you register to the fleet inherit these settings.

  4. Optional: To change the default settings, click Customize fleet settings. In the Customize fleet default configuration dialog that appears, do the following:

    1. For Configuration audit, choose if configuration auditing should be enabled or disabled.
    2. For Vulnerability scanning, select the level of vulnerability scanning that you want; Disabled, Basic, or Advanced (recommended).
    3. Click Save.

    If you later disable fleet-level configuration for these features, your current workloads in existing member clusters are still scanned and you can see the security concerns on the security posture dashboard. However, any new clusters you create in that fleet won't be scanned for concerns, unless you enable the security posture features on them individually.

  5. To apply the setting to new clusters, click Configure.

  6. In the confirmation dialog, click Confirm.

  7. Optional: Sync existing clusters to the default settings:

    1. In the Clusters in the fleet list, select the clusters that you want to sync.
    2. Click Sync to fleet settings and click Confirm in the confirmation dialog that appears. This operation can take a few minutes to complete.

gcloud

Make sure that you have gcloud CLI version 455.0.0 or later.

Configure defaults for a new fleet

You can create an empty fleet with the security posture dashboard features you want enabled.

  • To create a fleet with workload configuration auditing enabled, run the following command:

    gcloud container fleet create --security-posture standard
    
  • To create a fleet with workload vulnerability scanning enabled, run the following command:

    gcloud container fleet create --workload-vulnerability-scanning VULNERABILITY_SCANNING_TIER
    

    Replace VULNERABILITY_SCANNING_TIER with one of the following values:

    • standard: scan the container OS for known vulnerabilities.
    • enterprise: scan the container OS and language packages for known vulnerabilities.

Configure defaults for an existing fleet

  • To enable workload configuration auditing on an existing fleet, run the following command:

    gcloud container fleet update --security-posture standard
    
  • To enable workload vulnerability scanning on an existing fleet, run the following command:

    gcloud container fleet update --workload-vulnerability-scanning VULNERABILITY_SCANNING_TIER
    

    Replace VULNERABILITY_SCANNING_TIER with one of the following values:

    • standard: scan the container OS for known vulnerabilities.
    • enterprise: scan the container OS and language packages for known vulnerabilities.
  • To change workload vulnerability scanning tier on an existing fleet:

    1. Check the existing security posture dashboard settings on a fleet:

      gcloud container fleet describe
      
    2. Use the update command as described earlier with the workload scanning tier you want to change to:

      gcloud container fleet update --workload-vulnerability-scanning VULNERABILITY_SCANNING_TIER
      

Disable security posture dashboard features at fleet level

  • To disable workload configuration auditing, run the following command:

    gcloud container fleet update --security-posture disabled
    
  • To disable workload vulnerability scanning, run the following command:

    gcloud container fleet update --workload-vulnerability-scanning disabled
    

If you disable fleet-level configuration for these features, your current workloads in existing member clusters are still scanned and you can see the security concerns on the security posture dashboard. However, any new clusters you create in that fleet won't be scanned for concerns, unless you enable the security posture features on them individually.

What's next