Automatically audit workloads for configuration issues
This page shows you how to automatically audit your workload configurations for security concerns and get actionable recommendations to improve the security posture of your Google Kubernetes Engine (GKE) Autopilot and Standard clusters. This guides you through how to enable workload configuration auditing, deploy a test workload, view and action configuration audit results, and disable workload configuration auditing. It also covers the pricing, requirements, and limitations of workload configuration auditing.
This page is for Security specialists who monitor the security of their GKE clusters and want to learn more about how to automatically audit workload configurations in GKE Autopilot and Standard clusters. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE user roles and tasks.
Before reading this page, because workload configuration auditing is a feature of the security posture dashboard, ensure that you're familiar with the following concepts:
Pricing
The security posture dashboard is offered at no extra charge in GKE through the Container Security API.
Entries added to Cloud Logging use Cloud Logging pricing.
Before you begin
Before you start, make sure that you have performed the following tasks:
- Enable the Google Kubernetes Engine API.
- If you want to use the Google Cloud CLI for this task, install and then initialize the gcloud CLI. If you previously installed the gcloud CLI, get the latest version by running the `gcloud components update` command. Earlier gcloud CLI versions might not support running the commands in this document. Note: For existing gcloud CLI installations, make sure to set the `compute/region` property. If you use primarily zonal clusters, set the `compute/zone` property instead. By setting a default location, you can avoid errors in the gcloud CLI like the following: `One of [--zone, --region] must be supplied: Please specify location.` You might need to specify the location in certain commands if the location of your cluster differs from the default that you set.
- Enable the Container Security API.
- Ensure that you have an Autopilot or Standard cluster that runs version 1.21 or later. To create a new cluster, see Creating an Autopilot cluster.
Requirements
To get the permissions that you need to use workload configuration auditing, ask your administrator to grant you the Security Posture Viewer (`roles/containersecurity.viewer`) IAM role on your Google Cloud project. For more information about granting roles, see Manage access to projects, folders, and organizations. This predefined role contains the permissions required to use workload configuration auditing. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to use workload configuration auditing:
- `resourcemanager.projects.get`
- `resourcemanager.projects.list`
- `containersecurity.locations.list`
- `containersecurity.locations.get`
- `containersecurity.clusterSummaries.list`
- `containersecurity.findings.list`
You might also be able to get these permissions with custom roles or other predefined roles.
- Workload configuration auditing requires GKE version 1.21 and later.
Enable workload configuration auditing
Workload configuration auditing is enabled by default in new Autopilot and Standard clusters running version 1.27 and later. You can also manually enable this feature using the gcloud CLI or the Google Cloud console.
Enable configuration auditing on an existing cluster
gcloud
Update the cluster:
```
gcloud container clusters update CLUSTER_NAME \
    --location=CONTROL_PLANE_LOCATION \
    --security-posture=standard
```
Replace the following:
- `CLUSTER_NAME`: the name of your cluster.
- `CONTROL_PLANE_LOCATION`: the location of the control plane of your cluster. Provide a region for regional Standard and Autopilot clusters, or a zone for zonal Standard clusters.
Console
- Go to the Security Posture page in the Google Cloud console.
- Click the Settings tab.
- In the Configuration audit enabled clusters section, click Select clusters.
- Select the checkboxes for the clusters that you want to add.
- In the Select action drop-down menu, select Set to Basic.
- Click Apply.
You can also configure fleet-level configuration auditing settings that apply to all member clusters. For instructions, see Configure GKE security posture dashboard features at fleet-level.
Deploy a test workload
Deploy a sample application that intentionally violates the Pod Security Standards.
Save the following manifest as `misconfig-sample.yaml`:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: helloweb
  labels:
    app: hello
spec:
  selector:
    matchLabels:
      app: hello
      tier: web
  template:
    metadata:
      labels:
        app: hello
        tier: web
    spec:
      containers:
      - name: hello-app
        image: us-docker.pkg.dev/google-samples/containers/gke/hello-app:1.0
        ports:
        - containerPort: 8080
        securityContext:
          runAsNonRoot: false
        resources:
          requests:
            cpu: 200m
```
Deploy the application to your cluster:
```
kubectl apply -f misconfig-sample.yaml
```
If you want to try other violations, modify `misconfig-sample.yaml` with the corresponding "bad" configuration.
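The audit takes a while to report back, so it helps to know in advance which Restricted-profile checks a container will fail. The following added example (not part of this page or of GKE) checks the `hello-app` container from the manifest above against a subset of the Pod Security Standards Restricted profile and produces a hardened copy; the violation strings and the `harden_container` helper are this example's own.

```python
import copy

# The hello-app container from misconfig-sample.yaml on this page, as a dict.
HELLO_APP_CONTAINER = {
    "name": "hello-app",
    "image": "us-docker.pkg.dev/google-samples/containers/gke/hello-app:1.0",
    "ports": [{"containerPort": 8080}],
    "securityContext": {"runAsNonRoot": False},
    "resources": {"requests": {"cpu": "200m"}},
}

# Only these securityContext keys can be set at the pod level and inherited.
POD_INHERITED_KEYS = ("runAsNonRoot", "seccompProfile")

def effective_security_context(container, pod_security_context=None):
    """Pod-level runAsNonRoot/seccompProfile apply unless the container overrides them."""
    merged = {k: v for k, v in (pod_security_context or {}).items() if k in POD_INHERITED_KEYS}
    merged.update(container.get("securityContext") or {})
    return merged

def restricted_violations(container, pod_security_context=None):
    """Return the container-level Restricted-profile checks that fail (a subset of the PSS)."""
    sc = effective_security_context(container, pod_security_context)
    problems = []
    if sc.get("runAsNonRoot") is not True:
        problems.append("runAsNonRoot must be true")
    if sc.get("allowPrivilegeEscalation") is not False:
        problems.append("allowPrivilegeEscalation must be false")
    if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
        problems.append("capabilities.drop must include ALL")
    if (sc.get("seccompProfile") or {}).get("type") not in ("RuntimeDefault", "Localhost"):
        problems.append("seccompProfile.type must be RuntimeDefault or Localhost")
    return problems

def harden_container(container):
    """Return a copy of the container with the Restricted-profile fields set; input is untouched."""
    fixed = copy.deepcopy(container)
    sc = fixed.setdefault("securityContext", {})
    sc["runAsNonRoot"] = True
    sc["allowPrivilegeEscalation"] = False
    sc["capabilities"] = {"drop": ["ALL"]}
    sc["seccompProfile"] = {"type": "RuntimeDefault"}
    return fixed

if __name__ == "__main__":
    print(restricted_violations(HELLO_APP_CONTAINER))
    print(restricted_violations(harden_container(HELLO_APP_CONTAINER)))
```

Setting `runAsNonRoot: true` only admits the pod if the image declares a non-root user or the manifest sets `runAsUser`; otherwise the container fails to start, which is the intended effect of the check.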
View and action configuration audit results
The initial audit takes up to 15 minutes to return results. GKE displays the results on the security posture dashboard and automatically adds entries to the cluster logs.
View results
To see an overview of discovered concerns across your project's clusters and workloads, do the following:
- Go to the Security Posture page in the Google Cloud console.
- Click the Concerns tab.
- In the Filter concerns pane, in the Concern type section, select the Configuration checkbox.
View concern details and recommendations
To view detailed information about a specific configuration concern, click the row containing that concern.
The Configuration Concern pane shows the following information:
- Description: a description of the concern.
- Recommended action: an overview of actions that you can take to fix the configuration issue. This section includes the following details:
- Which resources need the fix
- Sample commands that you can run to apply the fix to affected resources
- The Google Cloud console instructions, if applicable, to fix the issue
View logs for discovered concerns
GKE adds entries to the `_Default` log bucket in Logging for each discovered concern. These logs are only retained for a specific period. For details, see Logs retention periods.
- In the Google Cloud console, go to the Logs Explorer.
- In the Query field, specify the following query:
```
resource.type="k8s_cluster"
jsonPayload.@type="type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding"
jsonPayload.type="FINDING_TYPE_MISCONFIG"
```
- Click Run query.
To receive notifications when GKE adds new findings to Logging, set up log-based alerts for this query. For more information, see Configure log-based alerts.
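The same three predicates as the Logs Explorer query above can be applied to exported log entries, for example to count misconfiguration findings per cluster and spot clusters approaching the 150,000-finding dashboard limit described under Limitations. The following is an added example, not code from this page or from Google; the log entries are constructed, and the `resource.labels.cluster_name` field and the non-matching `FINDING_TYPE_EXAMPLE_OTHER` value are assumptions.

```python
import json

# Field values copied from the Logs Explorer query on this page.
FINDING_TYPE_URL = "type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding"
MISCONFIG_TYPE = "FINDING_TYPE_MISCONFIG"
MAX_DASHBOARD_FINDINGS = 150_000  # per-cluster limit stated on this page

def matches_misconfig_query(entry):
    """Apply the query's three predicates to one JSON log entry (a dict)."""
    payload = entry.get("jsonPayload") or {}
    return (
        (entry.get("resource") or {}).get("type") == "k8s_cluster"
        and payload.get("@type") == FINDING_TYPE_URL
        and payload.get("type") == MISCONFIG_TYPE
    )

def parse_log_lines(text):
    """Parse newline-delimited JSON log entries, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def misconfig_findings_per_cluster(entries):
    """Count matching findings by resource.labels.cluster_name (field name assumed)."""
    counts = {}
    for entry in entries:
        if not matches_misconfig_query(entry):
            continue
        cluster = ((entry.get("resource") or {}).get("labels") or {}).get("cluster_name", "<unknown>")
        counts[cluster] = counts.get(cluster, 0) + 1
    return counts

def clusters_over_dashboard_limit(counts, limit=MAX_DASHBOARD_FINDINGS):
    """Clusters whose finding count exceeds the dashboard limit, sorted by name."""
    return sorted(name for name, n in counts.items() if n > limit)

# Constructed sample entries: only the queried fields and a cluster label are populated.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"resource": {"type": "k8s_cluster", "labels": {"cluster_name": "prod-a"}},
     "jsonPayload": {"@type": FINDING_TYPE_URL, "type": MISCONFIG_TYPE}},
    {"resource": {"type": "k8s_cluster", "labels": {"cluster_name": "prod-a"}},
     "jsonPayload": {"@type": FINDING_TYPE_URL, "type": "FINDING_TYPE_EXAMPLE_OTHER"}},
    {"resource": {"type": "k8s_node", "labels": {"cluster_name": "prod-a"}},
     "jsonPayload": {"@type": FINDING_TYPE_URL, "type": MISCONFIG_TYPE}},
    {"resource": {"type": "k8s_cluster", "labels": {"cluster_name": "dev-b"}},
     "jsonPayload": {"@type": FINDING_TYPE_URL, "type": MISCONFIG_TYPE}},
])

if __name__ == "__main__":
    counts = misconfig_findings_per_cluster(parse_log_lines(SAMPLE_LOG))
    print(counts, clusters_over_dashboard_limit(counts))
```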
Clean up
Delete the sample workload that you deployed:
```
kubectl delete deployment helloweb
```
Optionally, delete the cluster that you used:
```
gcloud container clusters delete CLUSTER_NAME \
    --location=CONTROL_PLANE_LOCATION
```
Disable workload configuration auditing
You can disable workload configuration auditing using either the gcloud CLI or the Google Cloud console.
gcloud
Run the following command:
```
gcloud container clusters update CLUSTER_NAME \
    --location=CONTROL_PLANE_LOCATION \
    --security-posture=disabled
```
Replace the following:
- `CLUSTER_NAME`: the name of your cluster.
- `CONTROL_PLANE_LOCATION`: the location of the control plane of your cluster. Provide a region for regional Standard and Autopilot clusters, or a zone for zonal Standard clusters.
Console
- Go to the Security Posture page in the Google Cloud console.
- Click the Settings tab.
- In the Configuration audit enabled clusters section, click Select clusters.
- In the Audit enabled tab, select the checkboxes for the clusters that you want to remove.
- Click Disable audit, then click Confirm to disable auditing on those clusters.
Limitations of workload configuration auditing
- Windows Server node pools aren't supported.
- Workload configuration auditing doesn't scan GKE-managed workloads, such as workloads in the `kube-system` namespace.
- Workload configuration auditing is only available for clusters with less than 1,000 nodes.
- The security posture dashboard supports up to 150,000 active workload configuration auditing findings for each cluster. When the number of findings for a cluster exceeds this maximum, the security posture dashboard stops showing configuration findings for that cluster. To resolve this issue, use the logs in Logging to identify configuration issues and deploy updated manifests. When the number of configuration findings is less than 150,000, the security posture dashboard starts displaying findings for the cluster.
What's next
- Learn more about the security posture dashboard.
- Learn more about how configuration auditing works.
- Learn how to secure your clusters based on Google's recommendations.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.