This page shows you how to automatically audit your clusters for compliance concerns and get actionable recommendations to improve the compliance of your Google Kubernetes Engine (GKE) Enterprise edition clusters. Compliance auditing is a feature of the GKE Compliance dashboard. For more information, see About the GKE Compliance dashboard.
Supported compliance standards
Compliance auditing scans your clusters for compliance against the following standards and provides recommendations to improve your compliance posture:
| Name | Description |
| --- | --- |
| CIS Google Kubernetes Engine Benchmark v1.5.0 | A set of recommended security controls for configuring Google Kubernetes Engine (GKE), based on the CIS Google Kubernetes Engine (GKE) Benchmarks v1.5.0. |
| Pod Security Standards Baseline | A set of recommended protections for Kubernetes clusters, based on the Kubernetes Pod Security Standards (PSS) Baseline policy. |
| Pod Security Standards Restricted | A set of recommended protections for Kubernetes clusters, based on the Kubernetes Pod Security Standards (PSS) Restricted policy. |
The default set of standards includes all three supported standards:
- CIS Google Kubernetes Engine Benchmark v1.5.0
- Pod Security Standards Baseline
- Pod Security Standards Restricted
Pricing
The GKE Compliance dashboard is available for users who have enabled GKE Enterprise.
Before you begin
Before you start, make sure you have performed the following tasks:
Enable the Container Security API.
Requirements
To get the permissions that you need to use compliance auditing, ask your administrator to grant you the following IAM roles on your Google Cloud project:
- Container Security Viewer (roles/containersecurity.viewer)
- Fleet Viewer (formerly GKE Hub Viewer) (roles/gkehub.viewer)
For more information about granting roles, see Manage access to projects, folders, and organizations.
These predefined roles contain the permissions required to use compliance auditing. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to use compliance auditing:
- resourcemanager.projects.get
- resourcemanager.projects.list
- containersecurity.locations.list
- containersecurity.locations.get
- containersecurity.clusterSummaries.list
- containersecurity.findings.list
- container.clusters.list
- gkehub.features.get
- gkehub.memberships.list
You might also be able to get these permissions with custom roles or other predefined roles.
Enable auditing on an existing cluster
You can enable compliance auditing on your cluster by using the Google Cloud console.
Go to the Compliance page in the Google Cloud console.
In the Settings card, click Select clusters.
In the Audit disabled tab, select the checkboxes for the clusters that you want to add.
Click Enable to enable auditing on those clusters.
Deploy a test workload
Deploy a sample Pod that intentionally violates the Pod Security Standards.
Save the following manifest as noncompliant-sample.yaml:

apiVersion: v1
kind: Pod
metadata:
  namespace: default
  name: wp-non-compliant
  labels:
    app: wordpress
spec:
  containers:
  - image: nginx
    name: wordpress
    securityContext:
      capabilities:
        add:
        - NET_RAW
Apply the resource to your cluster:
kubectl apply -f noncompliant-sample.yaml
If you want to try other violations, modify noncompliant-sample.yaml with a different, non-compliant configuration.
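The sample Pod above violates both Pod Security Standards because it adds the NET_RAW capability. The following is an added example, not part of this page or of the GKE Compliance dashboard's own logic: a local pre-deploy check that evaluates a Pod's capability settings against the PSS Baseline and Restricted capability rules and produces a remediated copy. It assumes the allowed-capability lists from the upstream Kubernetes PSS documentation and embeds the page's manifest as a constructed Python dict so it runs without a YAML parser.

```python
import copy

# Capabilities that the PSS Baseline policy allows a container to add
# (assumption: list taken from the upstream Kubernetes PSS documentation).
BASELINE_ALLOWED_ADD = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}
# The Restricted policy requires dropping ALL and permits adding only NET_BIND_SERVICE.
RESTRICTED_ALLOWED_ADD = {"NET_BIND_SERVICE"}

# The page's noncompliant-sample.yaml as a dict (constructed; avoids a YAML parser).
NONCOMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"namespace": "default", "name": "wp-non-compliant",
                 "labels": {"app": "wordpress"}},
    "spec": {"containers": [{
        "image": "nginx", "name": "wordpress",
        "securityContext": {"capabilities": {"add": ["NET_RAW"]}},
    }]},
}


def capability_violations(pod):
    """Return (container, standard, message) for each capabilities rule the Pod breaks."""
    found = []
    for c in pod["spec"]["containers"]:
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        added, dropped = set(caps.get("add") or []), set(caps.get("drop") or [])
        beyond_baseline = sorted(added - BASELINE_ALLOWED_ADD)
        if beyond_baseline:
            found.append((c["name"], "Baseline", f"adds disallowed {beyond_baseline}"))
        beyond_restricted = sorted(added - RESTRICTED_ALLOWED_ADD)
        if beyond_restricted:
            found.append((c["name"], "Restricted", f"adds disallowed {beyond_restricted}"))
        if "ALL" not in dropped:
            found.append((c["name"], "Restricted", "does not drop ALL capabilities"))
    return found


def remediate(pod):
    """Copy of the Pod with every container dropping ALL capabilities and adding none
    (fixes the capabilities rules only; other PSS rules are out of scope here)."""
    fixed = copy.deepcopy(pod)
    for c in fixed["spec"]["containers"]:
        c.setdefault("securityContext", {})["capabilities"] = {"drop": ["ALL"]}
    return fixed
```

Running capability_violations(NONCOMPLIANT_POD) reports one Baseline and two Restricted findings for the wordpress container; the remediated copy reports none.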
View and resolve compliance issues
The initial audit takes up to 30 minutes to return results. You can view the results on the Compliance page or as entries in your cluster logs.
View results
To see an overview of compliance issues across your project's clusters, do the following:
Go to the Compliance page in the Google Cloud console.
Click the Concerns tab.
In the Filter concerns pane, in the Standards section, select the standard for which you want details.
View standard details and recommendations
To view detailed information about a specific standard, expand the standard section until you see the description link and then click the standard description to open the Compliance Constraint pane.
The Details tab shows the following information:
- Description: a description of the standard.
- Recommended action: an overview of actions that you can take to fix the compliance issue.
The Affected Resources tab lists the resources affected by the standard.
View logs for discovered concerns
GKE adds entries to the _Default log bucket in Logging for each discovered concern. These logs are only retained for a specific period. For details, see Logs retention periods.
In the Google Cloud console, go to the Logs Explorer:
Go to Logs Explorer
In the Query field, specify the following query:

resource.type="k8s_cluster"
jsonPayload.@type="type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding"
jsonPayload.type="FINDING_TYPE_MISCONFIG"
jsonPayload.configuration.violation:*
Click Run query.
To receive notifications when GKE adds new findings to Logging, set up log-based alerts for this query. For more information, see Configure log-based alerts.
Clean up
Delete the sample Pod that you deployed:
kubectl delete pod wp-non-compliant
Disable compliance auditing
You can disable compliance auditing by using the Google Cloud console.
Go to the Compliance page in the Google Cloud console.
In the Settings card, click Select clusters.
In the Audit enabled tab, select the checkboxes for the clusters that you want to remove.
Click Disable to disable auditing on those clusters.
Limitations
- Windows Server node pools aren't supported.
- Compliance auditing doesn't scan GKE-managed workloads, such as workloads in the kube-system namespace.
- Compliance auditing is only available for clusters with fewer than 1,000 nodes.