Automatically scan workloads for known vulnerabilities


This page helps you get started and guides you in using the security posture dashboard to detect vulnerabilities. Check requirements, select from the available tiers, and learn how to enable vulnerability scanning, deploy a test workload, view results and recommendations, and disable the scanning.

This page is for Security specialists who monitor clusters for security issues. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE user roles and tasks.

Before reading this page, ensure that you're familiar with the general overview of workload vulnerability scanning.

Pricing

For pricing information, see GKE security posture dashboard pricing.

Before you begin

Before you start, make sure that you have performed the following tasks:

  • Enable the Google Kubernetes Engine API.
  • If you want to use the Google Cloud CLI for this task, install and then initialize the gcloud CLI. If you previously installed the gcloud CLI, get the latest version by running gcloud components update.

Requirements

  • To get the permissions that you need to use workload vulnerability scanning, ask your administrator to grant you the Security Posture Viewer (roles/containersecurity.viewer) IAM role on your Google Cloud project. For more information about granting roles, see Manage access to projects, folders, and organizations.

    This predefined role contains the permissions required to use workload vulnerability scanning. To see the exact permissions that are required, expand the Required permissions section:

    Required permissions

    The following permissions are required to use workload vulnerability scanning:

    • resourcemanager.projects.get
    • resourcemanager.projects.list
    • containersecurity.locations.list
    • containersecurity.locations.get
    • containersecurity.clusterSummaries.list
    • containersecurity.findings.list

    You might also be able to get these permissions with custom roles or other predefined roles.

  • Advanced vulnerability insights requires GKE version 1.27 or later.

Workload vulnerability scanning tiers

You enable vulnerability scanning in tiers, each of which adds scanning capabilities as follows. If you use Google Kubernetes Engine (GKE) Enterprise edition to manage fleets of clusters, you can also configure fleet-level vulnerability scanning settings that apply to all member clusters. For instructions, see Configure GKE security posture dashboard features at fleet-level.

Tier: Standard (--workload-vulnerability-scanning=standard)
  Enabled capabilities:
  • Container OS vulnerability scanning
  GKE version requirement:
  • GKE Enterprise edition: Enabled by default in all new clusters running version 1.27 and later

Tier: Advanced vulnerability insights (--workload-vulnerability-scanning=enterprise)
  Enabled capabilities:
  • Container OS vulnerability scanning
  • Language package vulnerability scanning
  GKE version requirement:
  • GKE Enterprise edition: Enabled by default in all new clusters running version 1.27 and later
  • GKE Standard edition: Disabled by default in all new clusters.

For more information about each capability, see About workload vulnerability scanning.

Enable container OS vulnerability scanning

Container OS vulnerability scanning is enabled by default in new Autopilot clusters running version 1.27 and later. This section shows you how to enable this feature in new and existing Standard clusters, and in Autopilot clusters running versions prior to 1.27.

Enable container OS scanning on an existing cluster

gcloud

Update the cluster:

gcloud container clusters update CLUSTER_NAME \
    --location=CONTROL_PLANE_LOCATION \
    --workload-vulnerability-scanning=standard

Replace the following:

  • CLUSTER_NAME : the name of your cluster.
  • CONTROL_PLANE_LOCATION : the location of the control plane of your cluster. Provide a region for regional Standard and Autopilot clusters, or a zone for zonal Standard clusters.

Console

  1. Go to the Security Posture page in the Google Cloud console.
  2. Click the Settings tab.
  3. In the Vulnerability scan enabled clusters section, click Select clusters.
  4. Select the checkboxes for the clusters that you want to add.
  5. In the Select action drop-down menu, select Set to Basic.
  6. Click Apply.

Enable advanced vulnerability insights

Advanced vulnerability insights enables continuous scanning of your running applications for the following vulnerability types:

  • Container OS vulnerabilities
  • Language package vulnerabilities

When you enable advanced vulnerability insights, the container OS vulnerability scanning capability is automatically enabled and can't be separately disabled.

Enable advanced vulnerability insights on an existing cluster

gcloud

Update the cluster:

gcloud container clusters update CLUSTER_NAME \
    --location=CONTROL_PLANE_LOCATION \
    --workload-vulnerability-scanning=enterprise

Replace the following:

  • CLUSTER_NAME : the name of your cluster.
  • CONTROL_PLANE_LOCATION : the location of the control plane of your cluster. Provide a region for regional Standard and Autopilot clusters, or a zone for zonal Standard clusters.

Console

  1. Go to the Security Posture page in the Google Cloud console.
  2. Click the Settings tab.
  3. In the Vulnerability scan enabled clusters section, click Select clusters.
  4. Select the checkboxes for the clusters that you want to add.
  5. In the Select action drop-down menu, select Set to Advanced.
  6. Click Apply.

Deploy a test workload

In the following section, you use example Deployment manifests. A Deployment is a Kubernetes API object that lets you run multiple replicas of Pods that are distributed among the nodes in a cluster.

The following manifests have known vulnerabilities for demonstration purposes. In practice, if you know an application is vulnerable, you probably shouldn't run it.

  1. Save the following manifest as os-vuln-sample.yaml :

     apiVersion: apps/v1
     kind: Deployment
     metadata:
       name: frontend
     spec:
       replicas: 1
       selector:
         matchLabels:
           app: guestbook
           tier: frontend
       template:
         metadata:
           labels:
             app: guestbook
             tier: frontend
         spec:
           containers:
           - name: php-redis
             image: us-docker.pkg.dev/google-samples/containers/gke/gb-frontend:v5
             env:
             - name: GET_HOSTS_FROM
               value: "dns"
             resources:
               requests:
                 cpu: 100m
                 memory: 100Mi
             ports:
             - containerPort: 80

  2. Review the following manifest, which contains a known Maven vulnerability:

     apiVersion: apps/v1
     kind: Deployment
     metadata:
       name: maven-vulns
     spec:
       replicas: 1
       selector:
         matchLabels:
           app: mavenvulns
       template:
         metadata:
           labels:
             app: mavenvulns
         spec:
           containers:
           - name: maven-vulns-app
             image: us-docker.pkg.dev/google-samples/containers/gke/security/maven-vulns
             # This app listens on port 8080 for web traffic by default.
             ports:
             - containerPort: 8080
             env:
             - name: PORT
               value: "8080"
             resources:
               requests:
                 memory: "1Gi"
                 cpu: "500m"
                 ephemeral-storage: "1Gi"
               limits:
                 memory: "1Gi"
                 cpu: "500m"
                 ephemeral-storage: "1Gi"

  3. Optionally, get credentials for your cluster:

     gcloud container clusters get-credentials CLUSTER_NAME \
         --location=CONTROL_PLANE_LOCATION

  4. Deploy the applications to your cluster:

     kubectl apply -f os-vuln-sample.yaml
     kubectl apply -f https://raw.githubusercontent.com/GoogleCloudPlatform/kubernetes-engine-samples/main/security/language-vulns/maven/deployment.yaml

To test other vulnerabilities, try deploying earlier versions of images such as nginx in staging environments.

View and action the results

The initial scan takes at least 15 minutes to return results, depending on how many workloads are scanned. GKE displays the results on the security posture dashboard and automatically adds entries to Logging.

View results

To see an overview of discovered concerns across your project's clusters and workloads, do the following:

  1. Go to the Security Posture page in the Google Cloud console.

  2. Click the Concerns tab.

  3. In the Filter concerns pane, in the Concern type section, select the Vulnerability checkbox.

View concern details and recommendations

To view detailed information about a specific vulnerability, click the row containing that concern.

The Vulnerability Concern pane shows the following information:

  • Description: a description of the concern, including a CVE number if applicable, and a detailed description of the vulnerability and its potential impact.
  • Recommended action: actions that you can take to address the vulnerability, such as fixed package versions and where to apply the fix.

View logs for discovered concerns

GKE adds entries to the _Default log bucket in Logging for each discovered concern. These logs are only retained for a specific period. For details, see Logs retention periods.

  1. In the Google Cloud console, go to the Logs Explorer.
  2. In the Query field, specify the following query:

     resource.type="k8s_cluster"
     jsonPayload.@type="type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding"
     jsonPayload.type="FINDING_TYPE_VULNERABILITY"

  3. Click Run query.

To receive notifications when GKE adds new findings to Logging, set up log-based alerts for this query. For more information, see Configure log-based alerts.
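As an added example (not part of the Google Cloud documentation), the following Python applies the same three predicates as the Logs Explorer query above to a batch of exported log entries, then groups the findings by severity and workload and picks out the ones a CRITICAL/HIGH log-based alert would fire on. The sample entries are constructed, and the jsonPayload fields beyond @type and type (severity, resourceName, vulnerability) are assumptions for illustration, not the documented Finding schema.

```python
import json

# Identifiers from the page's Logs Explorer query.
FINDING_TYPE = ("type.googleapis.com/cloud.kubernetes.security."
                "containersecurity_logging.Finding")
VULN_TYPE = "FINDING_TYPE_VULNERABILITY"

# Constructed sample export in the shape of `gcloud logging read --format=json`.
# jsonPayload fields other than @type and type are assumed for illustration.
SAMPLE_EXPORT = json.dumps([
    {"resource": {"type": "k8s_cluster"},
     "jsonPayload": {"@type": FINDING_TYPE, "type": VULN_TYPE,
                     "severity": "CRITICAL", "resourceName": "deployment/frontend",
                     "vulnerability": {"cve": "CVE-0000-0001", "fixedVersion": "1.0.1"}}},
    {"resource": {"type": "k8s_cluster"},
     "jsonPayload": {"@type": FINDING_TYPE, "type": VULN_TYPE,
                     "severity": "MEDIUM", "resourceName": "deployment/maven-vulns",
                     "vulnerability": {"cve": "CVE-0000-0002", "fixedVersion": "2.3.0"}}},
    # Finding payload of a non-vulnerability type (constructed value): filtered out.
    {"resource": {"type": "k8s_cluster"},
     "jsonPayload": {"@type": FINDING_TYPE, "type": "FINDING_TYPE_CONSTRUCTED"}},
    # Unrelated container log line: filtered out by resource.type.
    {"resource": {"type": "k8s_container"}, "textPayload": "GET / 200"},
])

def matches_query(entry):
    """Same predicate as the three-line Logs Explorer query on this page."""
    payload = entry.get("jsonPayload") or {}
    return (entry.get("resource", {}).get("type") == "k8s_cluster"
            and payload.get("@type") == FINDING_TYPE
            and payload.get("type") == VULN_TYPE)

def vulnerability_findings(export_json):
    """Parse an exported log batch and keep only vulnerability findings."""
    return [e for e in json.loads(export_json) if matches_query(e)]

def summarize(findings):
    """Group CVEs by (severity, workload) for a quick triage view."""
    summary = {}
    for e in findings:
        p = e["jsonPayload"]
        key = (p.get("severity", "UNKNOWN"), p.get("resourceName", "unknown"))
        summary.setdefault(key, []).append(p["vulnerability"]["cve"])
    return summary

def needs_alert(findings, severities=("CRITICAL", "HIGH")):
    """Alert rule: the CVEs a CRITICAL/HIGH-only log-based alert would page on."""
    return [e["jsonPayload"]["vulnerability"]["cve"] for e in findings
            if e["jsonPayload"].get("severity") in severities]
```

Feeding real `gcloud logging read` output (a JSON array of entries) to vulnerability_findings gives the same subset the console shows for this query, so the two predicates can be cross-checked.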

Clean up

  1. Delete the sample workload that you deployed:

     kubectl delete deployment frontend

  2. Optionally, delete the cluster that you used:

     gcloud container clusters delete CLUSTER_NAME \
         --location=CONTROL_PLANE_LOCATION


Disable workload vulnerability scanning

You can disable workload vulnerability scanning using either the gcloud CLI or the Google Cloud console.

gcloud

Run the following command:

gcloud container clusters update CLUSTER_NAME \
    --location=CONTROL_PLANE_LOCATION \
    --workload-vulnerability-scanning=disabled

Replace the following:

  • CLUSTER_NAME : the name of your cluster.
  • CONTROL_PLANE_LOCATION : the location of the control plane of your cluster. Provide a region for regional Standard and Autopilot clusters, or a zone for zonal Standard clusters.

Console

  1. Go to the Security Posture page in the Google Cloud console.
  2. Click the Settings tab.
  3. In the Vulnerability scan enabled clusters section, click Select clusters.
  4. Select the checkboxes for the clusters that you want to remove.
  5. In the Select action drop-down menu, select Set to Disabled.
  6. Click Apply.
