Google Cloud provides a range of features to secure your fleet and the applications that run on it. This page provides an overview of fleet security features, with links to find out more.
Manage identity
Google Cloud provides the following options for authenticating to fleet clusters in a simple, consistent, and secured way, wherever the clusters live. After you have set up authentication, you can configure more fine-grained access control to your clusters using Kubernetes role-based access control (RBAC).
Authenticate with Google Cloud
All GKE clusters on Google Cloud are configured to accept Google Cloud user and service account identities by default. If your fleet contains clusters in multiple environments, you can configure the Connect gateway so that users and service accounts can also authenticate to any registered cluster using their Google Cloud ID.
Learn more about setting up and using authentication with Google Cloud in the following guides:
- Configuring cluster access for
kubectl
- Connecting to registered clusters with the Connect gateway
- Setting up the Connect gateway
- Using the Connect gateway
Authenticate with third-party providers
If you want to use your existing third-party identity provider to authenticate to your fleet clusters, GKE Identity Service is an authentication service that lets you bring your existing identity solutions to multiple environments. It supports all OpenID Connect (OIDC) providers such as Okta and Microsoft AD FS, as well as preview support for LDAP providers in some environments. You can set up GKE Identity Service on a cluster-by-cluster basis or with a single configuration for your entire fleet, where supported.
Learn more about setting up and using third-party authentication, including supported environments and providers, in the following guides:
Authenticate with a bearer token
If the preceding Google-provided solutions aren't suitable for your organization, you can set up authentication using a Kubernetes service account and using its bearer token to log in. For details, see Set up using a bearer token.
Manage fleet security
Google Cloud provides a range of features and products that improve the security of your fleets and workloads, such as the following:
- Binary Authorization to ensure that only trusted images are deployed on your fleet clusters
- Kubernetes network policies to control connections between Pods
- Fine-grained service access control for Cloud Service Mesh
- The GKE security posture dashboard to monitor your clusters' security posture.
Monitor fleet security posture
The GKE security posture dashboard helps you assess and manage your fleet's GKE clusters for security concerns and get actionable recommendations to fix them. Capabilities include:
- Configuration auditing: Misconfigurations in workload specifications, such as over-privileged Pods.
- Vulnerability scanning: Actionable vulnerabilities in container operating systems or language packages.
- Compliance auditing with Policy Controller (for projects with GKE Enterprise enabled only)
The dashboard displays discovered concerns for all of the clusters in the selected fleet and for any standalone GKE clusters in the selected project.
- For details and a full list of capabilities, see About the security posture dashboard.
- For pricing information, see GKE security posture dashboard pricing.
Configure security posture dashboard features at fleet level
If you have enabled GKE Enterprise, you can manage some security dashboard features at fleet level, so that all the clusters in your fleet can use the same default settings for security observability.
- Learn how to configure security posture dashboard features for your fleet.
Fleet security resources
Learn more about fleet security features in the following guides:
- Binary Authorization
- Kubernetes network policies
- Application security in Cloud Service Mesh:
- About the security posture dashboard
Monitor cluster compliance with industry standards
The GKE Compliance dashboard gives you an overview of your cluster's compliance with industry standards such as CIS GKE Benchmark and the Kubernetes Pod Security Standards. The dashboard automates compliance reporting, provides a detailed list of any concerns found as well as actionable recommendations.
- For details on enabling compliance auditing, see Audit clusters for compliance standards.
- For details on the compliance dashboard, see About the GKE Compliance dashboard.
Manage cluster policies
Policy Controller enables the enforcement of fully programmable policies for your fleet clusters. These policies act as "guardrails" and prevent any changes to the configuration of the Kubernetes API from violating security, operational, or compliance controls.
Learn more about what you can do with Policy Controller in the Policy Controller documentation.