This page shows you how to automatically scan the container operating system (OS) and language packages in your running workloads for known vulnerabilities and get actionable mitigation strategies if available. Workload vulnerability scanning is a part of the security posture dashboard, which is a set of features that provide opinionated information and recommendations to improve the security of your Google Kubernetes Engine (GKE) clusters and workloads.
To learn more, see About workload vulnerability scanning.
Pricing
For pricing information, see GKE security posture dashboard pricing.
Before you begin
Before you start, make sure you have performed the following tasks:
- Enable the Google Kubernetes Engine API.
- If you want to use the Google Cloud CLI for this task, install and then initialize the gcloud CLI. If you previously installed the gcloud CLI, get the latest version by running gcloud components update.
Enable the Container Security API.
To use advanced vulnerability insights, enable the Container Analysis API.
Requirements
- To get the permissions that you need to use workload vulnerability scanning, ask your administrator to grant you the Security Posture Viewer (roles/containersecurity.viewer) IAM role on your Google Cloud project. For more information about granting roles, see Manage access to projects, folders, and organizations. This predefined role contains the permissions required to use workload vulnerability scanning. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to use workload vulnerability scanning:
- resourcemanager.projects.get
- resourcemanager.projects.list
- containersecurity.locations.list
- containersecurity.locations.get
- containersecurity.clusterSummaries.list
- containersecurity.findings.list
You might also be able to get these permissions with custom roles or other predefined roles.
- Advanced vulnerability insights requires GKE version 1.27 or later.
Workload vulnerability scanning tiers
You enable vulnerability scanning in tiers, each of which adds scanning capabilities as follows. If you use Google Kubernetes Engine (GKE) Enterprise edition to manage fleets of clusters, you can also configure fleet-level vulnerability scanning settings that apply to all member clusters. For instructions, see Configure GKE security posture dashboard features at fleet-level.
Tier | Enabled capabilities | GKE version requirement |
---|---|---|
Standard (--workload-vulnerability-scanning=standard) | Container OS vulnerability scanning | |
Advanced vulnerability insights (--workload-vulnerability-scanning=enterprise) | Container OS vulnerability scanning and language package vulnerability scanning | 1.27 or later |
For more information about each capability, see About workload vulnerability scanning.
Enable container OS vulnerability scanning
Container OS vulnerability scanning is enabled by default in new Autopilot clusters running version 1.27 and later. This section shows you how to enable this feature in new or existing Standard clusters and in Autopilot clusters running versions earlier than 1.27.
Enable container OS scanning on a new cluster
gcloud
Create a new GKE cluster using the gcloud CLI:
gcloud container clusters create CLUSTER_NAME \
    --location=LOCATION \
    --workload-vulnerability-scanning=standard
Replace the following:
- CLUSTER_NAME: the name of your new cluster.
- LOCATION: the Compute Engine location for your cluster.
Console
Go to the Google Kubernetes Engine page in the Google Cloud console.
- Click Create.
- In the GKE Standard section, click Configure.
- In the navigation pane, click Security.
- In the Security section, select the Vulnerability scan checkbox.
- Select the Basic option.
- Configure other options for your cluster and click Create when you're ready.
Enable container OS scanning on an existing cluster
gcloud
Update the cluster:
gcloud container clusters update CLUSTER_NAME \
    --location=LOCATION \
    --workload-vulnerability-scanning=standard
Replace the following:
- CLUSTER_NAME: the name of your cluster.
- LOCATION: the Compute Engine location of your cluster.
Console
Go to the Security Posture page in the Google Cloud console.
- Click the Settings tab.
- In the Vulnerability scan enabled clusters section, click Select clusters.
- Select the checkboxes for the clusters that you want to add.
- In the Select action drop-down menu, select Set to Basic.
- Click Apply.
Enable advanced vulnerability insights
Advanced vulnerability insights enables continuous scanning of your running applications for the following vulnerability types:
- Container OS vulnerabilities
- Language package vulnerabilities
When you enable advanced vulnerability insights, the container OS vulnerability scanning capability is automatically enabled and can't be separately disabled.
Requirements
Ensure that you enabled the Container Analysis API in your project.
Enable Container Analysis API
Enable advanced vulnerability insights on a new cluster
gcloud
Create a new GKE cluster using the gcloud CLI:
gcloud container clusters create-auto CLUSTER_NAME \
    --location=LOCATION \
    --workload-vulnerability-scanning=enterprise
Replace the following:
- CLUSTER_NAME: the name of your new cluster.
- LOCATION: the Compute Engine location for your cluster.
Console
Go to the Google Kubernetes Engine page in the Google Cloud console.
- Click Create.
- In the GKE Autopilot section, click Configure.
- In the navigation pane, click Advanced settings. If you're creating a Standard cluster, click Security instead.
- In the Security section, select the Vulnerability scan checkbox.
- Select the Advanced option.
- Configure other options for your cluster and click Create when you're ready.
Enable advanced vulnerability insights on an existing cluster
gcloud
Update the cluster:
gcloud container clusters update CLUSTER_NAME \
    --location=LOCATION \
    --workload-vulnerability-scanning=enterprise
Replace the following:
- CLUSTER_NAME: the name of your cluster.
- LOCATION: the Compute Engine location of your cluster.
Console
Go to the Security Posture page in the Google Cloud console.
- Click the Settings tab.
- In the Vulnerability scan enabled clusters section, click Select clusters.
- Select the checkboxes for the clusters that you want to add.
- In the Select action drop-down menu, select Set to Advanced.
- Click Apply.
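When you manage more than a handful of clusters, the first question is usually which of them are still below the tier you want. The following Python script is an added example, not code from the GKE documentation or from Google: it reads the JSON that gcloud container clusters list --format=json prints and, for every cluster below the wanted tier, emits the gcloud container clusters update command shown on this page, or flags the 1.27 requirement when advanced vulnerability insights cannot be enabled yet. The field name securityPostureConfig.vulnerabilityMode and the VULNERABILITY_* enum values are assumptions about the GKE API (check them against your own gcloud output); the cluster records are constructed for the example.

```python
"""Audit which GKE clusters have workload vulnerability scanning enabled.

Added example, not part of the GKE documentation. Input is the JSON printed by
`gcloud container clusters list --format=json`; output is one record per
cluster that is below the wanted tier, with the remediation command from
this page. The field name securityPostureConfig.vulnerabilityMode and the
VULNERABILITY_* values are ASSUMED to match the GKE API.
"""
import json

# Assumed API enum values, ranked from least to most scanning.
TIER_RANK = {
    "VULNERABILITY_MODE_UNSPECIFIED": 0,
    "VULNERABILITY_DISABLED": 0,
    "VULNERABILITY_BASIC": 1,       # --workload-vulnerability-scanning=standard
    "VULNERABILITY_ENTERPRISE": 2,  # --workload-vulnerability-scanning=enterprise
}
# Flag value on this page for each rank.
FLAG_VALUE = {1: "standard", 2: "enterprise"}

# Constructed sample resembling `gcloud container clusters list --format=json`.
SAMPLE_CLUSTERS_JSON = json.dumps([
    {"name": "prod-a", "location": "us-central1", "currentMasterVersion": "1.29.1-gke.1589000",
     "securityPostureConfig": {"vulnerabilityMode": "VULNERABILITY_ENTERPRISE"}},
    {"name": "prod-b", "location": "us-east1", "currentMasterVersion": "1.28.7-gke.1026000",
     "securityPostureConfig": {"vulnerabilityMode": "VULNERABILITY_BASIC"}},
    {"name": "legacy", "location": "europe-west1-b", "currentMasterVersion": "1.26.15-gke.1090000",
     "securityPostureConfig": {}},
    {"name": "dev", "location": "us-west1", "currentMasterVersion": "1.30.2-gke.100"},
])


def minor_version(version: str) -> tuple:
    """Return (major, minor) from a GKE version string such as '1.27.3-gke.100'."""
    major, minor = version.split("-")[0].split(".")[:2]
    return int(major), int(minor)


def audit_clusters(clusters_json: str, want: str = "standard") -> list:
    """Return one record per cluster below the wanted tier.

    want is 'standard' or 'enterprise' (this page's flag values). Each record
    carries the cluster, its current mode and the remediation: the update
    command from this page, or an upgrade note when advanced vulnerability
    insights is wanted but the cluster runs a version earlier than 1.27.
    """
    want_rank = {"standard": 1, "enterprise": 2}[want]
    gaps = []
    for c in json.loads(clusters_json):
        mode = c.get("securityPostureConfig", {}).get(
            "vulnerabilityMode", "VULNERABILITY_MODE_UNSPECIFIED")
        if TIER_RANK.get(mode, 0) >= want_rank:
            continue  # already at or above the wanted tier
        record = {"cluster": c["name"], "location": c["location"], "current": mode}
        if want == "enterprise" and minor_version(c["currentMasterVersion"]) < (1, 27):
            record["action"] = ("upgrade to GKE 1.27 or later before enabling "
                                "advanced vulnerability insights")
        else:
            record["action"] = (f"gcloud container clusters update {c['name']} "
                                f"--location={c['location']} "
                                f"--workload-vulnerability-scanning={FLAG_VALUE[want_rank]}")
        gaps.append(record)
    return gaps


if __name__ == "__main__":
    # Pipe real data in with: gcloud container clusters list --format=json > clusters.json
    for gap in audit_clusters(SAMPLE_CLUSTERS_JSON, want="enterprise"):
        print(f"{gap['cluster']} ({gap['location']}): {gap['current']} -> {gap['action']}")
```

The ranking treats advanced vulnerability insights as a superset of container OS scanning, which matches the statement above that enabling the enterprise tier also enables OS scanning; a cluster at the enterprise tier therefore never shows up as a gap for the standard tier.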
Deploy a test workload
The following example manifests have known vulnerabilities for demonstration purposes. In practice, if you know an application is vulnerable, you probably shouldn't run it.
Save the following manifest as os-vuln-sample.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: frontend
spec:
  replicas: 1
  selector:
    matchLabels:
      app: guestbook
      tier: frontend
  template:
    metadata:
      labels:
        app: guestbook
        tier: frontend
    spec:
      containers:
      - name: php-redis
        image: us-docker.pkg.dev/google-samples/containers/gke/gb-frontend@sha256:dc8de8e0d569d2f828b187528c9317bd6b605c273ac5a282aebe471f630420fc
        env:
        - name: GET_HOSTS_FROM
          value: "dns"
        resources:
          requests:
            cpu: 100m
            memory: 100Mi
        ports:
        - containerPort: 80
Review the following manifest, which contains a known Maven vulnerability:
Optionally, get credentials for your cluster:
gcloud container clusters get-credentials CLUSTER_NAME \
    --region=COMPUTE_REGION
Deploy the applications to your cluster:
kubectl apply -f os-vuln-sample.yaml
kubectl apply -f https://raw.githubusercontent.com/GoogleCloudPlatform/kubernetes-engine-samples/main/security/language-vulns/maven/deployment.yaml
To test other vulnerabilities, try deploying earlier versions of images such as nginx in staging environments.
View and action the results
The initial scan takes at least 15 minutes to return results, depending on how many workloads are scanned. GKE displays the results on the security posture dashboard and automatically adds entries to Logging.
View results
To see an overview of discovered concerns across your project's clusters and workloads, do the following:
- Go to the Security Posture page in the Google Cloud console.
- Click the Concerns tab.
- In the Filter concerns pane, in the Concern type section, select the Vulnerability checkbox.
View concern details and recommendations
To view detailed information about a specific vulnerability, click the row containing that concern.
The Vulnerability Concern pane shows the following information:
- Description: a description of the concern including a CVE number if applicable and a detailed description of the vulnerability and its potential impact.
- Recommended action: actions that you can take to address the vulnerability, such as fixed package versions and where to apply the fix.
View logs for discovered concerns
GKE adds entries to the _Default log bucket in Logging for each discovered concern. These logs are only retained for a specific period. For details, see Logs retention periods.
- In the Google Cloud console, go to the Logs Explorer.
- In the Query field, specify the following query:
  resource.type="k8s_cluster"
  jsonPayload.@type="type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding"
  jsonPayload.type="FINDING_TYPE_VULNERABILITY"
- Click Run query.
To receive notifications when GKE adds new findings to Logging, set up log-based alerts for this query. For more information, see Configure log-based alerts.
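Once findings land in Logging, the same three predicates as the query above can be applied in code to an export, which is useful for building a triage summary per cluster or feeding a ticketing system. The Python script below is an added example, not code from the GKE documentation or from Google. It takes entries in the shape printed by gcloud logging read --format=json, keeps only those matching resource.type, jsonPayload.@type and jsonPayload.type as in the query on this page, and groups them by severity and cluster, listing the findings that carry a fixed package version (the Recommended action described above). The jsonPayload field names beyond type (severity, vulnerability.cveId, vulnerability.packageName, vulnerability.fixedPackageVersion) and the resource label cluster_name are assumptions about the Finding schema; the entries and CVE identifiers are constructed placeholders.

```python
"""Triage GKE vulnerability findings exported from Logging.

Added example, not part of the GKE documentation. Input is a JSON array of
log entries as printed by `gcloud logging read --format=json`. The filter
mirrors the Logs Explorer query on this page; the jsonPayload field names
other than `type` are ASSUMED and should be checked against real entries.
"""
import json
from collections import Counter, defaultdict

# @type value from the query on this page.
FINDING_TYPE_URL = "type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding"

# Constructed sample entries; CVE ids and package names are placeholders.
SAMPLE_ENTRIES_JSON = json.dumps([
    {"resource": {"type": "k8s_cluster", "labels": {"cluster_name": "prod-a"}},
     "jsonPayload": {"@type": FINDING_TYPE_URL, "type": "FINDING_TYPE_VULNERABILITY",
                     "severity": "CRITICAL",
                     "vulnerability": {"cveId": "CVE-0000-0001", "packageName": "libexample",
                                       "fixedPackageVersion": "1.2.3"}}},
    {"resource": {"type": "k8s_cluster", "labels": {"cluster_name": "prod-b"}},
     "jsonPayload": {"@type": FINDING_TYPE_URL, "type": "FINDING_TYPE_VULNERABILITY",
                     "severity": "HIGH",
                     "vulnerability": {"cveId": "CVE-0000-0002", "packageName": "libother"}}},
    # Same @type but a different finding type: excluded, as by the page's query.
    {"resource": {"type": "k8s_cluster", "labels": {"cluster_name": "prod-a"}},
     "jsonPayload": {"@type": FINDING_TYPE_URL, "type": "FINDING_TYPE_MISCONFIG",
                     "severity": "MEDIUM"}},
    # Wrong resource type: excluded.
    {"resource": {"type": "k8s_container", "labels": {"cluster_name": "prod-a"}},
     "jsonPayload": {"@type": FINDING_TYPE_URL, "type": "FINDING_TYPE_VULNERABILITY",
                     "severity": "LOW"}},
])


def matches_page_query(entry: dict) -> bool:
    """Client-side equivalent of the three-line Logs Explorer query on this page."""
    payload = entry.get("jsonPayload", {})
    return (entry.get("resource", {}).get("type") == "k8s_cluster"
            and payload.get("@type") == FINDING_TYPE_URL
            and payload.get("type") == "FINDING_TYPE_VULNERABILITY")


def triage(entries_json: str) -> dict:
    """Summarize matching findings.

    Returns counts by severity, CVE ids per cluster, and a list of
    (cluster, package, fixed version) for findings that already have a fix.
    """
    by_severity = Counter()
    by_cluster = defaultdict(list)
    fixable = []
    for entry in json.loads(entries_json):
        if not matches_page_query(entry):
            continue
        payload = entry["jsonPayload"]
        vuln = payload.get("vulnerability", {})  # assumed sub-message name
        cluster = entry["resource"].get("labels", {}).get("cluster_name", "unknown")
        by_severity[payload.get("severity", "UNKNOWN")] += 1
        by_cluster[cluster].append(vuln.get("cveId", "no-cve"))
        if vuln.get("fixedPackageVersion"):
            fixable.append((cluster, vuln.get("packageName", "?"), vuln["fixedPackageVersion"]))
    return {"by_severity": dict(by_severity), "by_cluster": dict(by_cluster), "fixable": fixable}


if __name__ == "__main__":
    # Real input: gcloud logging read 'QUERY' --format=json > findings.json
    summary = triage(SAMPLE_ENTRIES_JSON)
    print("by severity:", summary["by_severity"])
    print("by cluster:", summary["by_cluster"])
    for cluster, package, fixed in summary["fixable"]:
        print(f"{cluster}: update {package} to {fixed}")
```

Because the page notes that these entries are retained only for a limited period, exporting them on a schedule (or sinking them to a longer-lived bucket) is what keeps a summary like this reproducible later.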
Clean up
Delete the sample workload that you deployed:
kubectl delete deployment frontend
Optionally, delete the cluster that you used:
gcloud container clusters delete CLUSTER_NAME \
    --region=COMPUTE_REGION
Disable workload vulnerability scanning
You can disable workload vulnerability scanning using either the gcloud CLI or the Google Cloud console.
gcloud
Run the following command:
gcloud container clusters update CLUSTER_NAME \
    --region=LOCATION \
    --workload-vulnerability-scanning=disabled
Replace the following:
- CLUSTER_NAME: the name of your cluster.
- LOCATION: the Compute Engine region or zone for your cluster.
Console
Go to the Security Posture page in the Google Cloud console.
- Click the Settings tab.
- In the Vulnerability scan enabled clusters section, click Select clusters.
- Select the checkboxes for the clusters that you want to remove.
- In the Select action drop-down menu, select Set to Disabled.
- Click Apply.
What's next
- Learn more about the security posture dashboard.
- Learn how to scan your workloads for configuration concerns.