GKE shared responsibility

This document explains the shared security responsibilities for both Google and Google Cloud customers. Running a business-critical application on Google Kubernetes Engine (GKE) requires multiple parties to have different responsibilities. Although this document is not an exhaustive list, it can help you understand your responsibilities.

This document is for Security specialists who define, govern, and implement policies and procedures to protect an organization's data from unauthorized access. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE user roles and tasks.

Google's responsibilities

Customer's responsibilities

  • Maintain your workloads, including your application code, build files, container images, data, Role-based access control (RBAC)/IAM policy, and containers and pods that you are running.
  • Rotate your clusters' credentials.
  • Keep Standard node pools enrolled in automatic upgrades.
  • In the following situations, manually upgrade your clusters and node pools to remediate vulnerabilities within your organization's patching timelines:
    • Auto-upgrades are postponed because of factors like maintenance policies.
    • You need to apply a patch before it becomes available in your selected release channel. For more information, see Run patch versions from a newer channel.
  • Monitor the cluster and applications and respond to any alerts and incidents using technologies such as the security posture dashboard and Google Cloud Observability.
  • Provide Google with environmental details when requested for troubleshooting purposes.
  • Ensure Logging and Monitoring are enabled on clusters. If you don't enable Logging and Monitoring, and if support personnel can't access those logs, support is available on a best-effort basis.
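
Several of the items above are cluster settings that can be checked mechanically. The following is an added example, not part of Google's documentation: it audits a cluster description for disabled Logging or Monitoring, node pools not enrolled in automatic upgrades, and maintenance exclusions that can postpone auto-upgrades. The field names follow the GKE API v1 Cluster resource; the function name `audit_cluster` and the sample cluster are constructed for illustration.

```python
import json

# Constructed sample shaped like `gcloud container clusters describe --format=json`
# output (GKE API v1 Cluster resource). All names and values are made up.
SAMPLE_CLUSTER = json.loads("""
{
  "name": "example-cluster",
  "loggingService": "logging.googleapis.com/kubernetes",
  "monitoringService": "none",
  "maintenancePolicy": {"window": {"maintenanceExclusions": {
    "year-end-freeze": {"startTime": "2026-12-20T00:00:00Z",
                        "endTime": "2027-01-05T00:00:00Z"}}}},
  "nodePools": [
    {"name": "default-pool", "management": {"autoUpgrade": true}},
    {"name": "batch-pool", "management": {"autoRepair": true}}
  ]
}
""")

def audit_cluster(cluster):
    """Return findings for the customer-side settings listed above."""
    name = cluster.get("name", "<unnamed>")
    findings = []
    # Logging and Monitoring: the API reports "none" when a service is disabled.
    # Assumption: a missing field is treated as disabled, to fail closed.
    for field, label in (("loggingService", "Logging"),
                         ("monitoringService", "Monitoring")):
        if cluster.get(field) in (None, "", "none"):
            findings.append(f"{name}: {label} is not enabled")
    # Node pools: an absent autoUpgrade key means false in the JSON encoding.
    for pool in cluster.get("nodePools", []):
        if not pool.get("management", {}).get("autoUpgrade", False):
            findings.append(f"{name}/{pool.get('name')}: not enrolled in automatic upgrades")
    # Maintenance exclusions can postpone auto-upgrades, so flag them for a
    # manual check against the organization's patching timeline.
    window = cluster.get("maintenancePolicy", {}).get("window", {})
    for excl in sorted(window.get("maintenanceExclusions", {})):
        findings.append(f"{name}: maintenance exclusion '{excl}' may postpone auto-upgrades")
    return findings

if __name__ == "__main__":
    for finding in audit_cluster(SAMPLE_CLUSTER):
        print(finding)
```

To audit a real cluster, pass `audit_cluster` the parsed JSON from `gcloud container clusters describe` run with `--format=json` for your cluster name and location.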

What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.