Vulnerability scanning removal from GKE

This page describes the removal of vulnerability scanning capabilities from the Google Kubernetes Engine (GKE) security posture dashboard.

About vulnerability scanning

The GKE security posture dashboard lets you monitor eligible workloads for issues like security misconfigurations and known vulnerabilities. Workload vulnerability scanning uses the following tiers, each of which scans specific parts of your running containers:

  • Workload vulnerability scanning - standard tier: scan the container OS for vulnerabilities.
  • Advanced Vulnerability Insights: scan the container OS and language packages for vulnerabilities.

Timeline and milestones

The workload vulnerability scanning removal has the following major milestones:

  • July 31, 2025: the standard tier of vulnerability scanning is shut down. Results for these scans no longer display in the Google Cloud console. You no longer see an option to enable or disable vulnerability scanning for GKE in the Google Cloud console.
  • June 16, 2025: Advanced Vulnerability Insights is deprecated. Scan results still display in the GKE security posture dashboard. Informational messages about the deprecation display in the Google Cloud console.
  • June 16, 2026: Advanced Vulnerability Insights results no longer display in the Google Cloud console.

Impact to workloads and clusters

Key Point: No disruptions occur in your workloads and clusters. Vulnerability scanning is a monitoring capability that doesn't interact directly with your running workloads.

The removal of workload vulnerability scanning capabilities won't result in workload or cluster disruptions. If you take no action by the dates in the preceding section, the only changes that occur are as follows:

  • The Security Posture page in the Google Cloud console doesn't display new vulnerability scanning results.
  • If the vulnerability scanning tier is deprecated, you can't enable that tier in clusters.
  • If the vulnerability scanning tier is removed, you can't view historical results for that tier.
  • You can't view existing scan results in the security posture dashboard.
  • Workload vulnerability scanning is disabled in existing clusters that use the feature.

Existing logs in Cloud Logging remain in the _Default log bucket for the configured log retention period.

What you can do

To scan images for vulnerabilities after workload vulnerability scanning is removed, consider the following options:

Disable vulnerability scanning

To stop using vulnerability scanning in your clusters prior to the removal in the GKE Standard edition, see Disable workload vulnerability scanning.

Last updated 2025-11-06 UTC.