Review Container Threat Detection findings in the Security Command Center dashboard, and see examples of Container Threat Detection findings. Container Threat Detection is a built-in service for the Security Command Center Premium tier. To view Container Threat Detection findings, it must be enabled in Security Command Center Services settings.
The following video shows the steps to set up Container Threat Detection and provides information about how to use the dashboard. Learn more about viewing and managing Container Threat Detection findings in Reviewing findings on this page.
Using a supported GKE version
To detect potential threats to your containers, you need to make sure that your clusters are on a supported version of Google Kubernetes Engine (GKE). Container Threat Detection currently supports the following GKE versions on the Stable, Regular, and Rapid channels:
- >= 1.15.9-gke.12
- >= 1.16.5-gke.2
- >= 1.17
To use a supported GKE version and detect threats to your containers:
- Follow the guide to upgrade a cluster.
- Make sure that Container Threat Detection is enabled for the cluster:
  - Go to the Security Command Center Settings page in the Cloud Console.
  - Navigate to Advanced settings and expand the menu. You see a list of your organization's resources.
  - Under the Container Threat Detection column, select Enabled by default for each cluster you upgraded. The service is automatically enabled for child resources in folders if they are set to inherit. Manually enable Container Threat Detection for child resources that are not set to inherit.
  - A dialog appears to confirm your choices. Read the message, then click Yes, I Understand.
- If your cluster is in a Virtual Private Cloud (VPC), enable Private Google Access for Container Threat Detection to work. Follow the guide to configure Private Google Access.
For more information, see configuring Security Command Center resources.
Checking GKE cluster configuration
Your GKE cluster configuration or Identity and Access Management (IAM) role restrictions must not block the creation or use of any objects that Container Threat Detection needs to function. This section explains how to configure essential GKE components to work with Container Threat Detection.
Kubernetes objects
After onboarding, Container Threat Detection creates several GKE objects in your enabled clusters. The objects are used to monitor container images, manage privileged containers and pods, and evaluate state to generate findings. The following table lists the objects, their properties, and essential functions.
Object | Name* | Properties | Function
---|---|---|---
ClusterRole | pod-reader | Grants get, watch, and list permissions on pods | Preserves functionality when PodSecurityPolicy is enabled
ClusterRoleBinding | container-watcher-pod-reader | Grants pod-reader and gce:podsecuritypolicy:privileged roles to the container-watcher-pod-reader ServiceAccount |
RoleBinding | gce:podsecuritypolicy:container-watcher | Grants the gce:podsecuritypolicy:privileged role to the container-watcher-pod-reader ServiceAccount |
DaemonSet | container-watcher | Privileged | Interactions with Linux Security Module and container engine
 | | Mounts /host/ as read and write | Communication with Linux Security Module
 | | Mounts /etc/container-watcher/secrets as read-only to access container-watcher-token | Authentication
 | | Uses hostNetwork | Finding generation
 | | Image gcr.io/gke-release/watcher-daemonset | Enablement and upgrade
 | | Backend containerthreatdetection-region.googleapis.com:443 | Finding generation
ServiceAccount | container-watcher-pod-reader | | Enablement, upgrade, and disablement
Secret | container-watcher-token | | Authentication

* All objects are in the kube-system namespace, except container-watcher-pod-reader and gce:podsecuritypolicy:container-watcher.
PodSecurityPolicy and Admission Controllers
A PodSecurityPolicy is an admission controller resource you set up that validates requests to create and update pods on your cluster. Container Threat Detection is compatible with PodSecurityPolicies that are automatically applied when creating or updating a cluster with the enable-pod-security-policy flag. Specifically, Container Threat Detection uses the gce.privileged policy when PodSecurityPolicy is enabled.
If you use custom PodSecurityPolicies or other admission controllers, they must not block the creation or use of objects Container Threat Detection needs to function. For example, a webhook-based admission controller that rejects or overrides privileged deployments could prevent Container Threat Detection from functioning properly.
See Using PodSecurityPolicies for more information.
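One way to check a custom policy before it blocks the container-watcher DaemonSet, as an added example that is not Google's or GKE's own code: the function below takes a PodSecurityPolicy `spec` as a dict and reports which of the DaemonSet properties listed in the object table above (privileged, hostNetwork, a read-write hostPath mount of /host/, a secret volume) the policy would reject. The two policies at the bottom are constructed for illustration; the permissive one mirrors the spirit of gce.privileged, the restricted one is the kind of policy that would stop the DaemonSet from being admitted.

```python
WATCHER_VOLUME_TYPES = {"hostPath", "secret"}  # /host/ mount and the token secret
WATCHER_HOST_PATH = "/host/"                    # mounted read-write by the DaemonSet


def _prefix_matches(path, prefix):
    # Match by path component, as the PSP allowedHostPaths check does:
    # "/host" allows "/host" and "/host/..." but not "/hostile".
    path, prefix = path.rstrip("/") or "/", prefix.rstrip("/") or "/"
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def psp_blocks_watcher(spec):
    """Return the reasons a PSP `spec` (dict) would reject container-watcher.

    An empty list means the policy admits everything the DaemonSet needs.
    """
    reasons = []
    if not spec.get("privileged", False):
        reasons.append("privileged containers are not allowed")
    if not spec.get("hostNetwork", False):
        reasons.append("hostNetwork is not allowed")
    allowed = set(spec.get("volumes") or [])
    if "*" not in allowed:
        for vol in sorted(WATCHER_VOLUME_TYPES - allowed):
            reasons.append(f"volume type {vol!r} is not allowed")
    # allowedHostPaths only matters once hostPath volumes are admitted at all;
    # an empty list means any host path may be used.
    host_paths = spec.get("allowedHostPaths") or []
    if ("*" in allowed or "hostPath" in allowed) and host_paths:
        matches = [hp for hp in host_paths
                   if _prefix_matches(WATCHER_HOST_PATH, hp.get("pathPrefix", ""))]
        if not matches:
            reasons.append(f"hostPath {WATCHER_HOST_PATH} is not under an allowed prefix")
        elif all(hp.get("readOnly", False) for hp in matches):
            reasons.append(f"hostPath {WATCHER_HOST_PATH} may only be mounted read-only")
    return reasons


# Constructed policies (assumed, not copied from any cluster).
PERMISSIVE_PSP = {"privileged": True, "hostNetwork": True, "volumes": ["*"]}
RESTRICTED_PSP = {
    "privileged": False,
    "hostNetwork": False,
    "volumes": ["configMap", "secret", "emptyDir", "hostPath"],
    "allowedHostPaths": [{"pathPrefix": "/host", "readOnly": True}],
}

if __name__ == "__main__":
    for name, psp in (("permissive", PERMISSIVE_PSP), ("restricted", RESTRICTED_PSP)):
        print(name, psp_blocks_watcher(psp) or ["compatible"])
```

The same checks apply to a webhook-based admission controller: whatever it rejects or mutates, the DaemonSet must still come out privileged, on hostNetwork, with /host/ writable and the token secret mounted.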
Required IAM permissions
Container Threat Detection's service account, created during onboarding, requires the roles/containerthreatdetection.serviceAgent IAM role to monitor clusters. Removing this default role from the service account could stop Container Threat Detection from functioning properly.
Container Threat Detection API
Container Threat Detection automatically enables the containerthreatdetection API during onboarding to allow finding generation. You should not interact directly with this required API. Disabling this API would damage Container Threat Detection's ability to generate new findings. If you want to stop receiving Container Threat Detection findings, disable Container Threat Detection in Security Command Center Services settings.
Reviewing findings
When Container Threat Detection generates findings, you can view them in Security Command Center. If you have configured Security Command Center sinks to write to Google Cloud's operations suite, you can also view findings in Cloud Logging. To generate a finding and verify your configuration, you can intentionally trigger a detector and test Container Threat Detection.
Container Threat Detection has the following latencies:
- Activation latency of 3.5 hours for newly onboarded organizations.
- Activation latency of minutes for newly created clusters.
- Detection latency of minutes for threats in clusters that have been activated.
Reviewing findings in Security Command Center
To review Container Threat Detection findings in Security Command Center:
- Go to the Security Command Center Findings tab in the Google Cloud Console.
- Next to View by, click Source Type.
- In the Source type list, select Container Threat Detection.
- To view details about a specific finding, click the finding name under category. The finding details panel expands to display information including the following:
  - The type of finding, like "Added Binary Executed"
  - Source: "Container Threat Detection"
  - Event time: when the finding occurred
  - Finding ID: a unique identifier for the finding
  - Resource name: the GKE cluster that is affected
  - Finding properties with more information like:
    - Container name
    - Container creation time
    - Container image URI and ID
    - Additional fields based on the detector. For example, reverse shell findings include the IP address of the remote host.
Viewing findings in Cloud Logging
To view Container Threat Detection findings in Cloud Logging:
- Go to the Logs Viewer page for Cloud Logging in the Cloud Console.
- On the Logs Viewer page, click Select, and then click the project where you are storing your Container Threat Detection logs.
- In the resource drop-down list, select Cloud Threat Detector.
  - To view findings from all detectors, select all detector_name.
  - To view findings from a specific detector, select its name.
Example findings
See Container Threat Detection detectors to review example findings.
What's next
Learn more about how Container Threat Detection works.
Learn how to investigate and develop response plans for threats.