GKE shared responsibility
This document explains the shared security responsibilities for both Google and Google Cloud customers. Running a business-critical application on Google Kubernetes Engine (GKE) requires multiple parties to have different responsibilities. Although this document is not an exhaustive list, it can help you understand your responsibilities.
This document is for Security specialists who define, govern and implement policies and procedures to protect an organization's data from unauthorized access. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE user roles and tasks.
Google's responsibilities
- Protecting the underlying infrastructure, including hardware, firmware, kernel, OS, storage, network, and more. This includes encrypting data at rest by default, providing additional customer-managed disk encryption, encrypting data in transit, using custom-designed hardware, laying private network cables, protecting data centers from physical access, protecting the bootloader and kernel against modification using Shielded Nodes, and following secure software development practices.
- Hardening and patching the nodes' operating system, such as Container-Optimized OS or Ubuntu. GKE promptly makes any patches to these images available. If you have auto-upgrade enabled, or are using a release channel, these updates are automatically deployed. This is the OS layer underneath your container—it's not the same as the operating system running in your containers.
- Building and operating threat detection for container-specific threats into the kernel with Container Threat Detection (priced separately with Security Command Center).
- Hardening and patching Kubernetes node components. All GKE managed components are upgraded automatically when you upgrade GKE node versions. This includes:
  - vTPM-backed trusted bootstrap mechanism for issuing kubelet TLS certificates and auto-rotation of the certificates
  - Hardened kubelet configuration following CIS benchmarks
  - GKE metadata server for Workload Identity
  - GKE's native Container Network Interface plugin and Calico for NetworkPolicy
  - GKE Kubernetes storage integrations such as the CSI driver
  - GKE logging and monitoring agents
- Hardening and patching the control plane. The control plane includes the control plane VM, API server, scheduler, controller manager, cluster CA, TLS certificate issuance and rotation, root-of-trust key material, IAM authenticator and authorizer, audit logging configuration, etcd, and various other controllers. All of your control plane components run on Google-operated Compute Engine instances. These instances are single tenant, meaning each instance runs the control plane and its components for only one customer.
- Providing Google Cloud integrations for Connect, Identity and Access Management, Cloud Audit Logs, Google Cloud Observability, Cloud Key Management Service, Security Command Center, and others.
- Restricting and logging Google administrative access to customer clusters for contractual support purposes with Access Transparency.
Customer's responsibilities
- Maintain your workloads, including your application code, build files, container images, data, Role-based access control (RBAC)/IAM policy, and containers and pods that you are running.
- Rotate your clusters' credentials.
- Keep Standard node pools enrolled in automatic upgrades.
- In the following situations, manually upgrade your clusters and node pools to remediate vulnerabilities within your organization's patching timelines:
  - Auto-upgrades are postponed because of factors like maintenance policies.
  - You need to apply a patch before it becomes available in your selected release channel. For more information, see Run patch versions from a newer channel.
- Monitor the cluster and applications and respond to any alerts and incidents using technologies such as the security posture dashboard and Google Cloud Observability.
- Provide Google with environmental details when requested for troubleshooting purposes.
- Ensure Logging and Monitoring are enabled on clusters. If you don't enable Logging and Monitoring, and if support personnel can't access those logs, support is available on a best-effort basis.
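Several of the customer responsibilities above (release-channel enrollment, auto-upgrade on Standard node pools, Logging and Monitoring enabled, Shielded Nodes left on) can be checked from a cluster description. The following is an added example, not code from the GKE documentation: it audits the JSON that `gcloud container clusters describe CLUSTER --format=json` returns for a Standard cluster, using the GKE API Cluster field names, against a constructed sample.

```python
"""Audit a GKE Standard cluster description against the customer
responsibilities listed on this page. Added example; the sample JSON is
constructed and the field names follow the GKE API Cluster resource."""
import json

# Constructed sample: one node pool has opted out of auto-upgrade and
# monitoring of system components has been switched off.
SAMPLE_CLUSTER = json.loads("""
{
  "name": "prod-cluster",
  "releaseChannel": {"channel": "REGULAR"},
  "shieldedNodes": {"enabled": true},
  "loggingConfig": {"componentConfig": {"enableComponents": ["SYSTEM_COMPONENTS"]}},
  "monitoringConfig": {"componentConfig": {"enableComponents": []}},
  "nodePools": [
    {"name": "default-pool", "management": {"autoUpgrade": true, "autoRepair": true}},
    {"name": "legacy-pool", "management": {"autoUpgrade": false, "autoRepair": true}}
  ]
}
""")


def audit_cluster(cluster: dict) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Without a release channel, node OS and component patches are not
    # rolled out automatically.
    if not cluster.get("releaseChannel", {}).get("channel"):
        findings.append("cluster is not enrolled in a release channel")
    # Standard node pools must keep automatic upgrades enabled.
    for pool in cluster.get("nodePools", []):
        if not pool.get("management", {}).get("autoUpgrade", False):
            findings.append(f"node pool {pool['name']!r} has auto-upgrade disabled")
    # Logging and Monitoring for system components must be enabled, otherwise
    # support is only best-effort.
    for key, label in (("loggingConfig", "logging"), ("monitoringConfig", "monitoring")):
        enabled = cluster.get(key, {}).get("componentConfig", {}).get("enableComponents", [])
        if "SYSTEM_COMPONENTS" not in enabled:
            findings.append(f"{label} for system components is disabled")
    # Shielded Nodes protect the bootloader and kernel; flag clusters that
    # have turned them off.
    if not cluster.get("shieldedNodes", {}).get("enabled", False):
        findings.append("Shielded Nodes are disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_cluster(SAMPLE_CLUSTER) or ["no findings"]:
        print(finding)
```

On a real cluster, pipe the `gcloud` output into `json.load` in place of the constructed sample; Autopilot clusters manage node pools themselves, so the node-pool check applies to Standard clusters only.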
What's next
- Read the GKE Security overview.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-18 UTC.