This page explains how to configure fleet-level default settings for theGoogle Kubernetes Engine (GKE)
security posture dashboard.
The security posture dashboard
provides you with opinionated and actionable recommendations to improve your
clusters' security posture. You
can enable settings for the security posture dashboard at the fleet level.
You can create fleet-level defaults for the
security posture dashboard settings of
Kubernetes security posture scanning.
This page is for Security specialists who want to implement first-party
vulnerability detection solutions across a fleet of clusters. To learn more about
common roles and example tasks that we reference in Google Cloud content, seeCommon GKE user roles and tasks.
This section describes how to configure security posture dashboard features
as fleet-level defaults. Any new clusters that you register to a fleet during
cluster creation have your specified security posture features enabled.
The fleet-level default settings that you configure take priority over any
default GKE security posture settings. To view the default
settings that apply to your edition of GKE, see theCluster-specific features table.
To configure fleet-level defaults for security posture, complete the
following steps:
Console
In the Google Cloud console, go to theFeature Managerpage.
Review your fleet-level settings. All new clusters you register to the
fleet inherit these settings.
Optional: To change the default settings, clickCustomize fleet
settings. In theCustomize fleet default configurationdialog that
appears, do the following:
ForVulnerability scanning(Deprecated), select the level ofvulnerability scanningthat you want;Disabled,Basic, orAdvanced (recommended).
ClickSave.
If you later disable fleet-level configuration for these features, your
current workloads in existing member clusters are still scanned and you
can see the security concerns on the security posture dashboard.
However, any new clusters you create in that fleet won't be scanned for
concerns, unless you enable the security posture features on them
individually.
To apply the setting to new clusters, clickConfigure.
In the confirmation dialog, clickConfirm.
Optional: Sync existing clusters to the default settings:
In theClusters in the fleetlist, select the clusters that you want
to sync.
ClickSync to fleet settingsand clickConfirmin the
confirmation dialog that appears. This operation can take a few minutes
to complete.
If you disable fleet-level configuration for these features, your current
workloads in existing member clusters are still scanned and you can see the
security concerns on the security posture dashboard. However, any new
clusters you create in that fleet won't be scanned for concerns, unless you
enable the security posture features on them individually.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-02 UTC."],[],[],null,["[Autopilot](/kubernetes-engine/docs/concepts/autopilot-overview) [Standard](/kubernetes-engine/docs/concepts/choose-cluster-mode)\n\n*** ** * ** ***\n\nThis page explains how to configure fleet-level default settings for the [Google Kubernetes Engine (GKE)\nsecurity posture dashboard](/kubernetes-engine/docs/concepts/about-security-posture-dashboard).\nThe security posture dashboard\nprovides you with opinionated and actionable recommendations to improve your\nclusters' security posture. You\ncan enable settings for the security posture dashboard at the fleet level.\n\nYou can create fleet-level defaults for the\nsecurity posture dashboard settings of\nKubernetes security posture scanning.\n\nThis page is for Security specialists who want to implement first-party\nvulnerability detection solutions across a fleet of clusters. To learn more about\ncommon roles and example tasks that we reference in Google Cloud content, see\n[Common GKE user roles and tasks](/kubernetes-engine/enterprise/docs/concepts/roles-tasks).\n\nBefore reading this page, ensure that you're familiar with the general overview\nof [workload vulnerability scanning](/kubernetes-engine/docs/concepts/about-workload-vulnerability-scanning).\n\nTo learn how to configure these settings for individual clusters, see the\nfollowing resources:\n\n- [Automatically audit workloads for configuration issues](/kubernetes-engine/docs/how-to/protect-workload-configuration)\n- [Automatically scan workloads for known vulnerabilities](/kubernetes-engine/docs/how-to/security-posture-vulnerability-scanning) (Deprecated)\n\nConfigure fleet-level defaults\n\nThis section describes how to configure security posture dashboard features\nas fleet-level defaults. Any new clusters that you register to a fleet during\ncluster creation have your specified security posture features enabled.\nThe fleet-level default settings that you configure take priority over any\ndefault GKE security posture settings. To view the default\nsettings that apply to your edition of GKE, see the\n[Cluster-specific features table](/kubernetes-engine/docs/concepts/about-security-posture-dashboard#cluster-specific-features).\n\nTo configure fleet-level defaults for security posture, complete the\nfollowing steps: \n\nConsole\n\n1. In the Google Cloud console, go to the **Feature Manager** page.\n\n [Go to Feature Manager](https://console.cloud.google.com/kubernetes/features/overview)\n2. In the **Security Posture** pane, click **Configure**.\n\n3. Review your fleet-level settings. All new clusters you register to the\n fleet inherit these settings.\n\n4. Optional: To change the default settings, click **Customize fleet\n settings** . In the **Customize fleet default configuration** dialog that\n appears, do the following:\n\n 1. For **Configuration audit** , choose if [configuration auditing](/kubernetes-engine/docs/concepts/about-configuration-scanning) should be enabled or disabled.\n 2. For **Vulnerability scanning** (Deprecated), select the level of [vulnerability scanning](/kubernetes-engine/docs/concepts/about-workload-vulnerability-scanning) that you want; **Disabled** , **Basic** , or **Advanced (recommended)**.\n 3. Click **Save**.\n\n If you later disable fleet-level configuration for these features, your\n current workloads in existing member clusters are still scanned and you\n can see the security concerns on the security posture dashboard.\n However, any new clusters you create in that fleet won't be scanned for\n concerns, unless you enable the security posture features on them\n individually.\n5. To apply the setting to new clusters, click **Configure**.\n\n6. In the confirmation dialog, click **Confirm**.\n\n7. Optional: Sync existing clusters to the default settings:\n\n 1. In the **Clusters in the fleet** list, select the clusters that you want to sync.\n 2. Click **Sync to fleet settings** and click **Confirm** in the confirmation dialog that appears. This operation can take a few minutes to complete.\n\ngcloud\n\nMake sure that you have\n[gcloud CLI version 455.0.0](/sdk/docs/install) or later.\n\nConfigure defaults for a new fleet\n\nYou can [create an empty fleet](/kubernetes-engine/fleet-management/docs/fleet-creation#optional_create_an_empty_fleet)\nwith the security posture dashboard features you want enabled.\n\n- To create a fleet with workload configuration auditing enabled, run the\n following command:\n\n gcloud container fleet create --security-posture standard\n\nConfigure defaults for an existing fleet\n\n- To enable workload configuration auditing on an existing fleet, run the\n following command:\n\n gcloud container fleet update --security-posture standard\n\nDisable security posture dashboard features at fleet level\n\n- To disable workload configuration auditing, run the following command:\n\n gcloud container fleet update --security-posture disabled\n\n- To disable workload vulnerability scanning, run the following command:\n\n gcloud container fleet update --workload-vulnerability-scanning disabled\n\nIf you disable fleet-level configuration for these features, your current\nworkloads in existing member clusters are still scanned and you can see the\nsecurity concerns on the security posture dashboard. However, any new\nclusters you create in that fleet won't be scanned for concerns, unless you\nenable the security posture features on them individually.\n\nWhat's next\n\n- Learn about the range of Google Cloud features to [secure your clusters and workloads](/kubernetes-engine/docs/concepts/security-overview).\n- Learn how [workload configuration auditing](/kubernetes-engine/docs/concepts/about-configuration-scanning) detects common security configuration concerns."]]
