Automatically scan workloads for known vulnerabilities

This page shows you how to automatically scan the container operating system (OS) and language packages in your running workloads for known vulnerabilities and get actionable mitigation strategies if available. Workload vulnerability scanning is a part of the security posture dashboard, which is a set of features that provide opinionated information and recommendations to improve the security of your Google Kubernetes Engine (GKE) clusters and workloads.

To learn more, see About workload vulnerability scanning.

Pricing

For pricing information, see GKE security posture dashboard pricing.

Before you begin

Before you start, make sure you have performed the following tasks:

  • Enable the Google Kubernetes Engine API.
    • Enable Google Kubernetes Engine API
  • If you want to use the Google Cloud CLI for this task, install and then initialize the gcloud CLI. If you previously installed the gcloud CLI, get the latest version by running gcloud components update.

Requirements

  • To get the permissions that you need to use workload vulnerability scanning, ask your administrator to grant you the Security Posture Viewer (roles/containersecurity.viewer) IAM role on your Google Cloud project. For more information about granting roles, see Manage access.

    This predefined role contains the permissions required to use workload vulnerability scanning. To see the exact permissions that are required, expand the Required permissions section:

    Required permissions

    The following permissions are required to use workload vulnerability scanning:

    • resourcemanager.projects.get
    • resourcemanager.projects.list
    • containersecurity.locations.list
    • containersecurity.locations.get
    • containersecurity.clusterSummaries.list
    • containersecurity.findings.list

    You might also be able to get these permissions with custom roles or other predefined roles.

  • Container OS vulnerability scanning requires GKE version 1.23.5-gke.700 or later. Advanced vulnerability insights requires GKE version 1.27 or later.

Workload vulnerability scanning tiers

You enable vulnerability scanning in tiers, each of which adds scanning capabilities as follows. If you use Google Kubernetes Engine (GKE) Enterprise edition to manage fleets of clusters, you can also configure fleet-level vulnerability scanning settings that apply to all member clusters. For instructions, see Configure GKE security posture dashboard features at fleet-level.

Tier Enabled capabilities GKE version requirement
Standard
standard		 Container OS vulnerability scanning
  • Requires version 1.23.5-gke.700 or later
  • Enabled by default in Autopilot clusters running version 1.27 or later
  • Disabled by default in Standard clusters
Advanced vulnerability insights
enterprise
  • Container OS vulnerability scanning
  • Language package vulnerability scanning
  • Requires version 1.27 or later
  • Disabled by default in Autopilot and Standard

For more information, about each capability, see About workload vulnerability scanning.

Enable container OS vulnerability scanning

Container OS vulnerability scanning is enabled by default in new Autopilot clusters running version 1.27 and later. This section shows you how to enable this feature in new existing Standard clusters and in Autopilot clusters running versions prior to 1.27.

Enable container OS scanning on a new cluster

gcloud

Create a new GKE cluster using the gcloud CLI: 

gcloud container clusters create CLUSTER_NAME \
    --location=LOCATION \
    --workload-vulnerability-scanning=standard

Replace the following:

Console

  1. Go to the Google Kubernetes Engine page in the Google Cloud console.

    Go to Google Kubernetes Engine
  2. Click Create.
  3. In the GKE Standard section, click Configure.
  4. In the navigation pane, click Security.
  5. In the Security section, select the Vulnerability scan checkbox.
  6. Select the Basic option.
  7. Configure other options for your cluster and click Create when you're ready.

Enable container OS scanning on an existing cluster

gcloud

Update the cluster: 

gcloud container clusters update CLUSTER_NAME \
    --location=LOCATION \
    --workload-vulnerability-scanning=standard

Replace the following:

Console

  1. Go to the Security Posture page in the Google Cloud console.

    Go to Security Posture
  2. Click the Settings tab.
  3. In the Vulnerability scan enabled clusters section, click Select clusters.
  4. Select the checkboxes for the clusters that you want to add.
  5. In the Select action drop-down menu, select Set to Basic.
  6. Click Apply.

Enable advanced vulnerability insights

Advanced vulnerability insights enables continuous scanning of your running applications for the following vulnerability types:

  • Container OS vulnerabilities
  • Language package vulnerabilities

When you enable advanced vulnerability insights, the container OS vulnerability scanning capability is automatically enabled and can't be separately disabled.

Requirements

Enable advanced vulnerability insights on a new cluster

gcloud

Create a new GKE cluster using the gcloud CLI: 

gcloud container clusters create-auto CLUSTER_NAME \
    --location=LOCATION \
    --workload-vulnerability-scanning=enterprise

Replace the following:

Console

  1. Go to the Google Kubernetes Engine page in the Google Cloud console.

    Go to Google Kubernetes Engine
  2. Click Create.
  3. In the GKE Autopilot section, click Configure.
  4. In the navigation pane, click Advanced settings. If you're creating a Standard cluster, click Security instead.
  5. In the Security section, select the Vulnerability scan checkbox.
  6. Select the Advanced option.
  7. Configure other options for your cluster and click Create when you're ready.

Enable advanced vulnerability insights on an existing cluster

gcloud

Update the cluster: 

gcloud container clusters update CLUSTER_NAME \
    --location=LOCATION \
    --workload-vulnerability-scanning=enterprise

Replace the following:

Console

  1. Go to the Security Posture page in the Google Cloud console.

    Go to Security Posture
  2. Click the Settings tab.
  3. In the Vulnerability scan enabled clusters section, click Select clusters.
  4. Select the checkboxes for the clusters that you want to add.
  5. In the Select action drop-down menu, select Set to Advanced.
  6. Click Apply.

Deploy a test workload

The following example manifests have known vulnerabilities for demonstration purposes. In practice, if you know an application is vulnerable, you probably shouldn't run it.

  1. Save the following manifest as os-vuln-sample.yaml:

    apiVersion: apps/v1
kind: Deployment
metadata:
  name: frontend
spec:
  replicas: 1
  selector:
    matchLabels:
      app: guestbook
      tier: frontend
  template:
    metadata:
      labels:
        app: guestbook
        tier: frontend
    spec:
      containers:
      - name: php-redis
        image: us-docker.pkg.dev/google-samples/containers/gke/gb-frontend@sha256:dc8de8e0d569d2f828b187528c9317bd6b605c273ac5a282aebe471f630420fc
        env:
        - name: GET_HOSTS_FROM
          value: "dns"
        resources:
          requests:
            cpu: 100m
            memory: 100Mi
        ports:
        - containerPort: 80

  2. Review the following manifest, which contains a known Maven vulnerability:

    apiVersion: apps/v1
kind: Deployment
metadata:
  name: maven-vulns
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mavenvulns
  template:
    metadata:
      labels:
        app: mavenvulns
    spec:
      containers:
      - name: maven-vulns-app
        image: us-docker.pkg.dev/google-samples/containers/gke/security/maven-vulns
        # This app listens on port 8080 for web traffic by default.
        ports:
        - containerPort: 8080
        env:
          - name: PORT
            value: "8080"
        resources:
          requests:
            memory: "1Gi"
            cpu: "500m"
            ephemeral-storage: "1Gi"
          limits:
            memory: "1Gi"
            cpu: "500m"
            ephemeral-storage: "1Gi"

  3. Optionally, get credentials for your cluster:

    gcloud container clusters get-credentials CLUSTER_NAME \
    --region=COMPUTE_REGION

  4. Deploy the applications to your cluster:

    kubectl apply -f os-vuln-sample.yaml
kubectl apply -f https://raw.githubusercontent.com/GoogleCloudPlatform/kubernetes-engine-samples/main/security/language-vulns/maven/deployment.yaml

To test other vulnerabilities, try deploying earlier versions of images such as nginx in staging environments.

View and action the results

The initial scan takes at least 15 minutes to return results, depending on how many workloads are scanned. GKE displays the results on the security posture dashboard and automatically adds entries to Logging.

View results

To see an overview of discovered concerns across your project's clusters and workloads, do the following:

  1. Go to the Security Posture page in the Google Cloud console.

    Go to Security Posture

  2. Click the Concerns tab.

  3. In the Filter concerns pane, in the Concern type section, select the Vulnerability checkbox.

View concern details and recommendations

To view detailed information about a specific vulnerability, click the row containing that concern.

The Vulnerability Concern pane shows the following information:

  • Description: a description of the concern including a CVE number if applicable and a detailed description of the vulnerability and its potential impact.
  • Recommended action: actions that you can take to address the vulnerability, such as fixed package versions and where to apply the fix.

View logs for discovered concerns

GKE adds entries to Logging for each discovered concern.

  1. Go to the Logs Explorer in the Google Cloud console.

    Go to Logs Explorer

  2. In the Query field, specify the following query:

    resource.type="k8s_cluster"
jsonPayload.@type="type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding"
jsonPayload.type="FINDING_TYPE_VULNERABILITY"

  3. Click Run query.

To receive notifications when GKE adds new findings to Logging, set up log-based alerts for this query. For more information, see Configure log-based alerts.

Clean up

  1. Delete the sample workload that you deployed:

    kubectl delete deployment frontend

  2. Optionally, delete the cluster that you used:

    gcloud container clusters delete CLUSTER_NAME \
    --region=COMPUTE_REGION

Disable workload vulnerability scanning

You can disable workload vulnerability scanning using either the gcloud CLI or the Google Cloud console.

gcloud

Run the following command:

gcloud container clusters update CLUSTER_NAME \
    --region=LOCATION \
    --workload-vulnerability-scanning=disabled

Replace the following:

Console

  1. Go to the Security Posture page in the Google Cloud console.

    Go to Security Posture
  2. Click the Settings tab.
  3. In the Vulnerability scan enabled clusters section, click Select clusters.
  4. Select the checkboxes for the clusters that you want to remove.
  5. In the Select action drop-down menu, select Set to Disabled.
  6. Click Apply.

What's next