Configure GKE security posture dashboard features at the fleet level
This page explains how to configure fleet-level default settings for the Google Kubernetes Engine (GKE) security posture dashboard. The security posture dashboard provides you with opinionated and actionable recommendations to improve your clusters' security posture. You can enable settings for the security posture dashboard at the fleet level.
You can create fleet-level defaults for the security posture dashboard settings of Kubernetes security posture scanning.
This page is for Security specialists who want to implement first-party vulnerability detection solutions across a fleet of clusters. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE user roles and tasks.
Before reading this page, ensure that you're familiar with the general overview of workload vulnerability scanning.
To learn how to configure these settings for individual clusters, see the following resources:
- Automatically audit workloads for configuration issues
- Automatically scan workloads for known vulnerabilities (Deprecated)
Configure fleet-level defaults
This section describes how to configure security posture dashboard features as fleet-level defaults. Any new clusters that you register to a fleet during cluster creation have your specified security posture features enabled. The fleet-level default settings that you configure take priority over any default GKE security posture settings. To view the default settings that apply to your edition of GKE, see the Cluster-specific features table.
To configure fleet-level defaults for security posture, complete the following steps:
Console
In the Google Cloud console, go to the Feature Manager page.
In the Security Posture pane, click Configure.
Review your fleet-level settings. All new clusters you register to the fleet inherit these settings.
Optional: To change the default settings, click Customize fleet settings. In the Customize fleet default configuration dialog that appears, do the following:
- For Configuration audit, choose if configuration auditing should be enabled or disabled.
- For Vulnerability scanning (Deprecated), select the level of vulnerability scanning that you want: Disabled, Basic, or Advanced (recommended).
- Click Save.
If you later disable fleet-level configuration for these features, your current workloads in existing member clusters are still scanned and you can see the security concerns on the security posture dashboard. However, any new clusters you create in that fleet won't be scanned for concerns, unless you enable the security posture features on them individually.
To apply the setting to new clusters, click Configure.
In the confirmation dialog, click Confirm.
Optional: Sync existing clusters to the default settings:
- In the Clusters in the fleet list, select the clusters that you want to sync.
- Click Sync to fleet settings and click Confirm in the confirmation dialog that appears. This operation can take a few minutes to complete.
gcloud
Make sure that you have gcloud CLI version 455.0.0 or later.
Configure defaults for a new fleet
You can create an empty fleet with the security posture dashboard features you want enabled.
To create a fleet with workload configuration auditing enabled, run the following command:
gcloud container fleet create --security-posture standard
Configure defaults for an existing fleet
To enable workload configuration auditing on an existing fleet, run the following command:
gcloud container fleet update --security-posture standard
Disable security posture dashboard features at fleet level
To disable workload configuration auditing, run the following command:
gcloud container fleet update --security-posture disabled
To disable workload vulnerability scanning, run the following command:
gcloud container fleet update --workload-vulnerability-scanning disabled
If you disable fleet-level configuration for these features, your current workloads in existing member clusters are still scanned and you can see the security concerns on the security posture dashboard. However, any new clusters you create in that fleet won't be scanned for concerns, unless you enable the security posture features on them individually.
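Because fleet-level defaults reach only newly registered clusters until you sync, the following added example (not part of the original page or of Google's samples) lists fleet member clusters whose posture mode differs from the one you expect. The gcloud field names in the comment, the mode value BASIC, and the sample cluster data are assumptions or constructed values.

```shell
#!/bin/sh
# Added example: flag fleet member clusters whose security posture mode differs
# from the expected one, i.e. clusters that still need to be synced or
# configured individually.
#
# Input (stdin): one cluster per line, tab-separated:
#   name <TAB> location <TAB> fleet membership <TAB> posture mode
# Assumed source of the input (field names are assumptions about the GKE
# Cluster resource, not taken from this page):
#   gcloud container clusters list \
#     --format='value(name,location,fleet.membership,securityPostureConfig.mode)'
#
# $1: mode expected on every fleet member (for example BASIC, assumed here to
#     be the value that "--security-posture standard" produces).
# Output: "name<TAB>location<TAB>actual-mode" for each drifted fleet member.
# Exit status: 0 if no drift, 1 if at least one member cluster drifted.
posture_drift() {
  awk -F '\t' -v want="$1" '
    $3 == "" { next }                      # not a fleet member: out of scope
    {
      mode = ($4 == "") ? "UNSET" : $4     # no posture mode reported
      if (mode != want) { print $1 "\t" $2 "\t" mode; drift = 1 }
    }
    END { exit drift }
  '
}

# Constructed sample data (not real clusters or projects).
sample_clusters() {
  printf 'prod-a\tus-central1\tprojects/p/locations/global/memberships/prod-a\tBASIC\n'
  printf 'prod-b\teurope-west1\tprojects/p/locations/global/memberships/prod-b\tDISABLED\n'
  printf 'legacy\tus-east1\tprojects/p/locations/global/memberships/legacy\t\n'
  printf 'sandbox\tus-west1\t\tDISABLED\n'
}

sample_clusters | posture_drift BASIC ||
  echo "drift found: sync the clusters above or enable the features per cluster"
```
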
What's next
- Learn about the range of Google Cloud features to secure your clusters and workloads.
- Learn how workload configuration auditing detects common security configuration concerns.
Last updated 2025-12-15 UTC.