About the security posture dashboard

This page provides an overview of the security posture dashboard in the Google Cloud console, which provides you with opinionated, actionable recommendations to improve your security posture. To explore the dashboard yourself, go to the Security Posture page in the Google Cloud console.

When to use the security posture dashboard

You should use the security posture dashboard if you're a cluster administrator or a security administrator who wants to automate detection and reporting of common security concerns across multiple clusters and workloads, with minimal intrusion and disruption to your running applications. The security posture dashboard integrates with products such as Cloud Logging and Policy Controller to improve your visibility into your security posture.

If you use VPC Service Controls, you can also update your perimeters to protect the security posture dashboard by adding containersecurity.googleapis.com to the list of services.

The security posture dashboard doesn't change any of our responsibilities or your responsibilities under the shared responsibility model. You're still responsible for protecting your workloads.

Usage as part of a broad security strategy

The security posture dashboard provides insights about your workload security posture at the runtime phase of the software delivery lifecycle. To gain comprehensive coverage of your applications throughout the lifecycle from source control to maintenance, we recommend that you use the dashboard with other security tooling.

GKE offers the security posture dashboard to monitor security in the Google Cloud console.

For more details about other available tooling and for best practices to safeguard your applications from end to end, see Protect your software supply chain.

We also strongly recommend that you implement as many recommendations as possible from Harden your cluster security.

How the security posture dashboard works

To use the security posture dashboard, enable the Container Security API in your project. The dashboard shows you insights from capabilities that are built into GKE and from certain Google Cloud security products running in your project.

Cluster-specific feature enablement

The GKE-specific capabilities in the security posture dashboard are categorized by feature. The following table describes each cluster-specific feature and its availability:

Feature name: Kubernetes security posture - standard tier
Availability: Requires GKE version 1.27 or later. Enabled by default in all new clusters.

Feature name: Workload vulnerability scanning - standard tier
Availability: Disabled by default in all new clusters.

Feature name: Workload vulnerability scanning - advanced vulnerability insights
Availability: Disabled by default in all new clusters.

Caution (applies to both workload vulnerability scanning features): Starting on July 23, 2024, container OS vulnerability scanning is deprecated and is scheduled for shutdown on July 31, 2025. Starting on June 16, 2025, Advanced Vulnerability Insights is deprecated and is scheduled for shutdown on June 16, 2026. For more information about deprecation and shutdown dates, see Vulnerability scanning removal from GKE.

You can enable these features for standalone GKE clusters or fleet member clusters. The security posture dashboard lets you observe all your clusters simultaneously, including all fleet members in your fleet host project.

Integration with Security Command Center

If you activate Security Command Center in your organization or project, then you see security posture dashboard findings in Security Command Center. For more details about Security Command Center findings that appear on the security posture dashboard, see Security sources.

Important: Security bulletin findings that are published in Security Command Center don't include a cve field that lists the associated CVEs. To view the CVEs, check the finding's description field, or review the security bulletin in the security posture dashboard.

Also, if you activate the Premium or Enterprise service tier of Security Command Center in your organization or project, then the security posture dashboard shows the following additional panes:

  • Top threats: summarizes the top threats that affect your GKE workloads, grouped by severity and category.
  • Top software vulnerabilities (Preview): lists the top CVEs that are associated with Security Command Center findings for your GKE workloads.

To activate the Security Command Center Premium tier in your project, do the following:

  1. In the Google Cloud console, go to the GKE Security Posture page.

  2. Find the Sample threats pane. This pane shows examples of the types of security findings that you might see after you enable Security Command Center. These examples don't represent actual security issues in your project.

    If you see a pane titled Top threats, then Security Command Center is already activated. You can skip the remaining steps.

  3. In the Sample threats pane, click Try security scanning for free. The activation pane opens.

  4. Click Start free trial.

Note: Some Security Command Center features require you to activate the Enterprise tier, or to activate the Premium tier for an organization.

After you activate Security Command Center, it starts to analyze, or scan, your GKE workloads and your resources for other Google Cloud services. This initial scan is usually complete within minutes or hours.

Benefits of the security posture dashboard

The security posture dashboard is a foundational security measure that you can enable for any eligible GKE cluster. Google Cloud recommends using the security posture dashboard for all your clusters for the following reasons:

  • Minimal disruptions: Features don't interfere with or disrupt running workloads.
  • Actionable recommendations: When available, the security posture dashboard provides action items to fix discovered concerns. These actions include commands that you can run and examples of configuration changes to make.
  • Visualization: The security posture dashboard provides a high-level visualization of concerns affecting clusters across your project, and includes charts and graphs to show the progress you've made and the potential impact of each concern.
  • Opinionated results: GKE assigns a severity rating to discovered concerns based on the expertise of our security teams and industry standards.
  • Auditable event logs: GKE adds all discovered concerns to Logging for better reportability and observability.
  • Fleet observability: If you've registered GKE clusters to a fleet, the dashboard lets you observe all of your project's clusters, including fleet member clusters and any standalone GKE clusters in the project.

GKE security posture dashboard pricing

The pricing for the capabilities of the security posture dashboard is as follows, applicable to standalone GKE clusters and fleet GKE clusters:

Capability: Workload configuration auditing
Pricing: No extra charge

Capability: Security bulletin surfacing
Pricing: No extra charge

Capability: (Deprecated) Container OS vulnerability scanning
Pricing: No extra charge

Capability: (Deprecated) Advanced vulnerability insights
Pricing: Uses Artifact Analysis pricing. For details, on the Artifact Analysis pricing page, see Advanced vulnerability insights.

Capability: Security Command Center findings
Pricing: Uses Security Command Center pricing.

Entries that are added to Cloud Logging use Cloud Logging pricing. However, depending on the scale of your environment and the number of concerns discovered, you might not exceed the free ingestion and storage allotments for Logging. For details, see Logging pricing.

Manage fleet security posture

If you use fleets with GKE, you can configure GKE security posture features at the fleet level using the gcloud CLI. GKE clusters that you register as fleet members during cluster creation automatically inherit the security posture configuration. Clusters that were already fleet members before you changed the security posture configuration don't inherit the new configuration. This inherited configuration overrides the default settings that GKE applies to new clusters.

To learn how to change your fleet-level security posture configuration, see Configure GKE security posture dashboard features at fleet-level.

About the Security Posture page

The Security Posture page in the Google Cloud console has the following tabs:

  • Dashboard: a high-level representation of the results of your scans. Includes charts and feature-specific information.
  • Concerns: a detailed, filterable view of any concerns discovered by GKE across your clusters and workloads. You can select individual concerns for details and mitigation options.
  • Settings: manage the security posture feature configuration for individual clusters or for fleets.

Dashboard

The Dashboard tab provides a visual representation of the results of various GKE security posture scans and information from other Google Cloud security products that are enabled in your project. For details about the available scanning capabilities and other supported security products, see How the security posture dashboard works in this document.

If you use fleets with GKE, the dashboard also displays any discovered concerns for clusters, including clusters in the project's fleet and standalone clusters. To switch the dashboard to view the posture of a specific fleet, select the host project for that fleet from the project selector drop-down menu in the Google Cloud console. If the selected project has the Container Security API enabled, the dashboard shows results for all member clusters of that project's fleet.

Concerns

The Concerns tab lists active security concerns that GKE discovers when scanning your clusters and workloads. This page only displays concerns for the security posture features described in Cluster-specific feature enablement in this document. If you use fleets with GKE, you can see concerns for fleet member clusters and for standalone GKE clusters that the selected project owns.

Severity ratings

Where applicable, GKE assigns a severity rating to discovered concerns. You can use these ratings to determine the urgency with which you need to resolve the finding. GKE uses the following severity ratings, which are based on the CVSS Qualitative Severity Rating Scale:

  • Critical: Act immediately. An attack will lead to an incident.
  • High: Act promptly. An attack will very likely lead to an incident.
  • Medium: Act soon. An attack will likely lead to an incident.
  • Low: Act eventually. An attack could lead to an incident.

The precise speed of your response to concerns depends on your organization's threat model and risk tolerance. The severity ratings are a qualitative guideline to help you to develop a thorough incident response plan.

Concerns table

The Concerns table shows all the concerns detected by GKE. You can change the default view to group results by the type of concern, Kubernetes namespace, or by the affected workloads. You can use the filter pane to filter the results by severity rating, type of concern, Google Cloud location, and cluster name. To view details about a specific concern, click the name of that concern.

Concern details pane

When you click a concern in the Concerns table, the concern details pane opens. This pane provides a detailed description of the concern, and relevant information such as affected OS versions for vulnerabilities, CVE links, or risks associated with a specific configuration concern. The details pane provides a recommended action if applicable. For example, a workload that sets runAsNonRoot: false would return the recommended change you need to make to the Pod specification to mitigate the concern.

The Affected resources tab in the concern details pane shows a list of workloads in your enrolled clusters that are affected by that concern.

Settings

The Settings tab lets you configure cluster-specific security posture features, like workload configuration auditing, on eligible GKE clusters in your project or fleet. You can view the enablement status of specific features for each cluster and change that configuration for eligible clusters. If you use fleets with GKE, you can also see whether your fleet member clusters have the same settings as the fleet-level configuration.

Example workflow

This section is an example of the workflow for a cluster administrator who wants to scan workloads in a cluster for security configuration issues, such as root privileges.

  1. Enroll the cluster in Kubernetes security posture scanning by using the Google Cloud console.
  2. Check the security posture dashboard for scan results, which might take up to 30 minutes to appear.
  3. Click the Concerns tab to open the detailed results.
  4. Select the Configuration concern type filter.
  5. Click a concern in the table.
  6. On the concern details pane, note the recommended configuration change and update the Pod specification with the recommendation.
  7. Apply the updated Pod specification to the cluster.

The next time that the scan runs, the security posture dashboard no longer displays the concern that you fixed.
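The workflow above, and the runAsNonRoot example in the concern details pane section, can be illustrated with a small audit of a Pod specification. This is an added example and not GKE's own auditing code: the sample Pod, the concern wording and the recommended-change text are constructed for illustration, and the check applies the Kubernetes rule that a container-level securityContext overrides the pod-level one.

```python
"""Added example (not GKE's own code): audit a Pod spec for containers that
are not forced to run as non-root, then apply the recommended change."""
from __future__ import annotations

import copy

# Constructed sample Pod spec: the pod-level default is overridden by one
# container, which is the case the dashboard's configuration concern flags.
SAMPLE_POD = {
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {"name": "app", "image": "example/app:1.0"},
            {"name": "sidecar", "image": "example/sidecar:1.0",
             "securityContext": {"runAsNonRoot": False}},
        ],
    },
}


def effective_run_as_non_root(pod: dict, container: dict) -> bool | None:
    """Kubernetes precedence: a container's securityContext wins over the pod's."""
    c_ctx = container.get("securityContext") or {}
    if "runAsNonRoot" in c_ctx:
        return c_ctx["runAsNonRoot"]
    p_ctx = pod.get("spec", {}).get("securityContext") or {}
    return p_ctx.get("runAsNonRoot")  # None when neither level sets it


def audit_run_as_non_root(pod: dict) -> list[dict]:
    """Return one concern per container not guaranteed to run as non-root."""
    concerns = []
    for container in pod["spec"]["containers"]:
        if effective_run_as_non_root(pod, container) is not True:
            concerns.append({
                "workload": pod["metadata"]["name"],
                "container": container["name"],
                "concern": "runAsNonRoot is false or unset",
                "fix": "set securityContext.runAsNonRoot: true on the container",
            })
    return concerns


def remediate(pod: dict) -> dict:
    """Return a copy of the Pod spec with the recommended change applied."""
    fixed = copy.deepcopy(pod)
    for container in fixed["spec"]["containers"]:
        container.setdefault("securityContext", {})["runAsNonRoot"] = True
    return fixed
```

Running audit_run_as_non_root on the remediated spec returns no concerns, which mirrors the dashboard no longer listing the concern after the next scan.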

What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.