Using Container Threat Detection

Review Container Threat Detection findings in the Security Command Center dashboard, and see examples of Container Threat Detection findings. Container Threat Detection is a built-in service for the Security Command Center Premium tier. To view Container Threat Detection findings, it must be enabled in Security Command Center Services settings.

The following video shows the steps to set up Container Threat Detection and provides information about how to use the dashboard. Learn more about viewing and managing Container Threat Detection findings in text later on this page.

Using a supported GKE version

To detect potential threats to your containers, you need to make sure that your clusters are on a supported version of Google Kubernetes Engine (GKE). Container Threat Detection currently supports the following GKE versions on the Stable, Regular, and Rapid channels:

  • >= 1.15.9-gke.12
  • >= 1.16.5-gke.2
  • >= 1.17

To use a supported GKE version and detect threats to your containers:

  1. Follow the guide to upgrade a cluster.
  2. Make sure that Container Threat Detection is enabled for the cluster:
    1. Go to the Security Command Center Settings page in the Cloud Console.
    2. Navigate to Advanced settings and expand the menu. You see a list of your organization's resources.
    3. Under the Container Threat Detection column, select Enabled by default for each cluster you upgraded. The service is automatically enabled for child resources in folders if they are set to inherit. Manually enable Container Threat Detection for child resources that are not set to inherit.
    4. A dialog appears to confirm your choices. Read the message, then click Yes, I Understand.
  3. If your cluster is in a Virtual Private Cloud (VPC), enable Private Google Access for Container Threat Detection to work. Follow the guide to configure Private Google Access.

For more information, see configuring Security Command Center resources.
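As an added example (not part of the original page), the following Python check compares cluster version strings against the three minimums listed above, so that unsupported clusters can be found before enabling the service. The MAJOR.MINOR.PATCH-gke.N version format is taken from the list; the cluster inventory is constructed.

```python
import re
from typing import Iterable, List, Tuple

# Minimum supported versions from the page, keyed by release line.
# Anything at 1.17 or later is supported regardless of patch level.
SUPPORTED_MINIMUMS = {
    (1, 15): (1, 15, 9, 12),  # >= 1.15.9-gke.12
    (1, 16): (1, 16, 5, 2),   # >= 1.16.5-gke.2
}
MIN_UNCONDITIONAL_LINE = (1, 17)  # >= 1.17

# Assumed format: MAJOR.MINOR.PATCH with an optional -gke.N build suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-gke\.(\d+))?$")


def parse_gke_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '1.16.5-gke.2' into (1, 16, 5, 2); a missing -gke suffix counts as 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised GKE version string: {version!r}")
    major, minor, patch, gke = m.groups()
    return (int(major), int(minor), int(patch), int(gke or 0))


def is_supported(version: str) -> bool:
    """True if the version meets the Container Threat Detection minimums."""
    v = parse_gke_version(version)
    if v[:2] >= MIN_UNCONDITIONAL_LINE:
        return True
    minimum = SUPPORTED_MINIMUMS.get(v[:2])
    # Release lines older than 1.15 have no supported version at all.
    return minimum is not None and v >= minimum


def unsupported_clusters(clusters: Iterable[Tuple[str, str]]) -> List[str]:
    """Names of clusters whose (name, version) pairs fail the check."""
    return [name for name, ver in clusters if not is_supported(ver)]


# Constructed inventory, e.g. as read from gcloud output; names are placeholders.
SAMPLE_CLUSTERS = [
    ("prod-a", "1.15.9-gke.12"),
    ("prod-b", "1.15.9-gke.11"),
    ("staging", "1.16.5-gke.2"),
    ("legacy", "1.14.10-gke.36"),
    ("dev", "1.17.3-gke.1"),
]

if __name__ == "__main__":
    print("needs upgrade:", unsupported_clusters(SAMPLE_CLUSTERS))
```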

Checking GKE cluster configuration

Your GKE cluster configuration or Identity and Access Management (IAM) role restrictions must not block the creation or use of any objects that Container Threat Detection needs to function. This section explains how to configure essential GKE components to work with Container Threat Detection.

Kubernetes objects

After onboarding, Container Threat Detection creates several GKE objects in your enabled clusters. The objects are used to monitor container images, manage privileged containers and pods, and evaluate state to generate findings. The following table lists the objects, their properties, and essential functions.

ClusterRole pod-reader*
  • Properties: Grants get, watch, and list permissions on pods
  • Function: Preserves functionality when PodSecurityPolicy is enabled

ClusterRoleBinding container-watcher-pod-reader, gce:podsecuritypolicy:container-watcher*
  • Properties: Grants the pod-reader and gce:podsecuritypolicy:privileged roles to the container-watcher-pod-reader ServiceAccount

RoleBinding gce:podsecuritypolicy:container-watcher*
  • Properties: Grants the gce:podsecuritypolicy:privileged role to the container-watcher-pod-reader ServiceAccount

DaemonSet container-watcher*
  • Properties, each with the function it serves:
    • Privileged: interactions with the Linux Security Module and the container engine
    • Mounts /host/ as read and write: communication with the Linux Security Module
    • Mounts /etc/container-watcher/secrets as read-only to access container-watcher-token: authentication
    • Uses hostNetwork: finding generation
    • Image gcr.io/gke-release/watcher-daemonset: enablement and upgrade
    • Backend containerthreatdetection-region.googleapis.com:443: finding generation

ServiceAccount container-watcher-pod-reader*
  • Function: Enablement, upgrade, and disablement

Secret container-watcher-token*
  • Function: Authentication

* All objects are in the kube-system namespace, except container-watcher-pod-reader and gce:podsecuritypolicy:container-watcher.

PodSecurityPolicy and Admission Controllers

A PodSecurityPolicy is an admission controller resource you set up that validates requests to create and update pods on your cluster. Container Threat Detection is compatible with PodSecurityPolicies that are automatically applied when creating or updating a cluster with the enable-pod-security-policy flag. Specifically, Container Threat Detection uses the gce.privileged policy when PodSecurityPolicy is enabled.

If you use custom PodSecurityPolicies or other admission controllers, they must not block the creation or use of objects Container Threat Detection needs to function. For example, a webhook-based admission controller that rejects or overrides privileged deployments could prevent Container Threat Detection from functioning properly.

Read Using PodSecurityPolicies for more information.
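As an added example (not from the original page), the following Python check reads the cluster's object inventory and reports two problems a misconfigured admission controller or IAM restriction can cause: required objects from the table above that are absent, and a container-watcher DaemonSet whose pods are not reaching Ready, which is the typical symptom when a policy rejects its privileged pods. The input shape assumed is a kubectl List document (`kubectl get ... -o json`); the sample document is constructed.

```python
import json
from typing import Dict, List, Set, Tuple

# (kind, name) of every object Container Threat Detection creates, per the table above.
REQUIRED_OBJECTS: Set[Tuple[str, str]] = {
    ("ClusterRole", "pod-reader"),
    ("ClusterRoleBinding", "container-watcher-pod-reader"),
    ("RoleBinding", "gce:podsecuritypolicy:container-watcher"),
    ("DaemonSet", "container-watcher"),
    ("ServiceAccount", "container-watcher-pod-reader"),
    ("Secret", "container-watcher-token"),
}


def missing_objects(kube_list: Dict) -> Set[Tuple[str, str]]:
    """Required (kind, name) pairs that do not appear in the List document."""
    present = {(i["kind"], i["metadata"]["name"]) for i in kube_list.get("items", [])}
    return REQUIRED_OBJECTS - present


def daemonset_blocked(kube_list: Dict) -> bool:
    """True when container-watcher exists but has fewer Ready pods than desired
    (standard DaemonSet status fields; a rejected privileged pod never becomes Ready)."""
    for item in kube_list.get("items", []):
        if item["kind"] == "DaemonSet" and item["metadata"]["name"] == "container-watcher":
            status = item.get("status", {})
            return status.get("numberReady", 0) < status.get("desiredNumberScheduled", 0)
    return False


def report(kube_list: Dict) -> List[str]:
    problems = [f"missing {kind} {name}" for kind, name in sorted(missing_objects(kube_list))]
    if daemonset_blocked(kube_list):
        problems.append("container-watcher pods not Ready; check PodSecurityPolicies and admission webhooks")
    return problems


# Constructed sample: the RoleBinding is absent and none of the 3 desired pods are Ready.
SAMPLE = json.loads("""{"kind": "List", "items": [
  {"kind": "ClusterRole", "metadata": {"name": "pod-reader"}},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "container-watcher-pod-reader"}},
  {"kind": "DaemonSet", "metadata": {"name": "container-watcher", "namespace": "kube-system"},
   "status": {"desiredNumberScheduled": 3, "numberReady": 0}},
  {"kind": "ServiceAccount", "metadata": {"name": "container-watcher-pod-reader", "namespace": "kube-system"}},
  {"kind": "Secret", "metadata": {"name": "container-watcher-token", "namespace": "kube-system"}}
]}""")

if __name__ == "__main__":
    for problem in report(SAMPLE):
        print(problem)
```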

Required IAM permissions

Container Threat Detection's service account, created during onboarding, requires the roles/containerthreatdetection.serviceAgent IAM role to monitor clusters. Removing this default role from the service account could stop Container Threat Detection from functioning properly.

Reviewing findings

When Container Threat Detection generates findings, you can view them in Security Command Center. If you have configured Security Command Center sinks to write to Google Cloud's operations suite, you can also view findings in Cloud Logging. To generate a finding and verify your configuration, you can intentionally trigger a detector and test Container Threat Detection.

Container Threat Detection has the following latencies:

  • Activation latency of 3.5 hours for newly onboarded organizations.
  • Activation latency of minutes for newly created clusters.
  • Detection latency of minutes for threats in clusters that have been activated.

Reviewing findings in Security Command Center

To review Container Threat Detection findings in Security Command Center:

  1. Go to the Security Command Center Findings tab in the Google Cloud Console.
  2. Next to View by, click Source Type.
  3. In the Source type list, select Container Threat Detection.
  4. To view details about a specific finding, click the finding name under category. The finding details panel expands to display information including the following:
    • The type of finding, like "Added Binary Executed"
    • Source: "Container Threat Detection"
    • Event time: when the finding occurred
    • Finding ID: a unique identifier for the finding
    • Resource name: the GKE cluster that is affected
    • Finding properties with more information like:
      • Container name
      • Container creation time
      • Container image URI and ID
      • Additional fields based on the detector. For example, reverse shell findings include the IP address of the remote host.

Viewing findings in Cloud Logging

To view Container Threat Detection findings in Cloud Logging:

  1. Go to the Logs Viewer page for Cloud Logging in the Cloud Console.
  2. On the Logs Viewer page, click Select, and then click the project where you are storing your Container Threat Detection logs.
  3. In the resource drop-down list, select Cloud Threat Detector.
    • To view findings from all detectors, select all detector_name.
    • To view findings from a specific detector, select its name.

Example findings

Read Container Threat Detection detectors to review example findings.

What's next