Profile applicability: Level 2
The security posture dashboard provides insights about your workload security posture at the runtime phase of the software delivery life-cycle.
Note
GKE security posture has multiple features, and not all of them are on by default. Configuration auditing is enabled by default for new Standard and Autopilot clusters; in the cluster configuration this corresponds to securityPostureConfig: mode: BASIC.

Impact

GKE security posture configuration auditing checks your workloads against a set of defined best practices. Each configuration check has its own impact or risk. Learn more about the checks: About Kubernetes security posture scanning and Automatically audit workloads for configuration issues.
Example: The host namespace check identifies Pods that share host namespaces. Pods that share host namespaces allow Pod processes to communicate with host processes and gather host information, which could lead to a container escape.

Audit

Define three variables (CLUSTER_NAME, LOCATION and PROJECT_ID) for the cluster name, location and project, then run this command:
gcloud container clusters describe $CLUSTER_NAME --location $LOCATION --project $PROJECT_ID --format json | jq '.securityPostureConfig'
Sample output from the command line statement:
{ "mode": "BASIC", "vulnerabilityMode": "VULNERABILITY_DISABLED" }
The value of mode should be BASIC or ENTERPRISE.

Remediation

To enable Security Posture for a new cluster, be sure to add --security-posture=standard or --security-posture=enterprise when creating it.
To update Security Posture for an existing cluster, run the following command:
gcloud container clusters update CLUSTER_NAME \
    --location=CONTROL_PLANE_LOCATION \
    --security-posture=standard
Replace the following:
  • CLUSTER_NAME: the name of your cluster.
  • CONTROL_PLANE_LOCATION: the location of the control plane of your cluster. Provide a region for regional Standard and Autopilot clusters, or a zone for zonal Standard clusters.
For console users, follow the numbered steps in the console tab using the link provided: Enable configuration auditing on an existing cluster.
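The following script ties the Audit and Remediation steps together. It is an added example, not part of the benchmark text or Google's own tooling: it evaluates the securityPostureConfig fragment returned by the describe command above (after the jq filter), reports whether mode is BASIC or ENTERPRISE, and prints the update command from the Remediation section when it is not. The cluster, location and project values are placeholders the caller supplies, and the live path assumes gcloud and jq are installed; the evaluation functions themselves need only sed and work on sample text.

```shell
#!/bin/sh
# Added example: evaluate a GKE cluster's securityPostureConfig.
# Expects the JSON fragment produced by
#   gcloud container clusters describe ... --format json | jq '.securityPostureConfig'
# Cluster/location/project values are placeholders supplied by the caller (assumed).

# Extract the value of the "mode" key from the securityPostureConfig fragment.
# jq prints key and value on one line, so a per-line sed match is enough and
# no jq is needed to evaluate saved output. Prints nothing if the key is absent
# (for example when jq returned "null" because the block is missing).
posture_mode() {
  printf '%s\n' "$1" \
    | sed -n 's/.*"mode"[[:space:]]*:[[:space:]]*"\([A-Z_]*\)".*/\1/p' \
    | head -n 1
}

# Return 0 when the mode satisfies the recommendation (BASIC or ENTERPRISE),
# 1 for any other value, including DISABLED or a missing block.
posture_compliant() {
  case "$(posture_mode "$1")" in
    BASIC|ENTERPRISE) return 0 ;;
    *)                return 1 ;;
  esac
}

# Audit one live cluster and print the remediation command if needed.
# Requires gcloud and jq; $1=cluster name, $2=control plane location, $3=project.
audit_cluster() {
  cluster="$1"; location="$2"; project="$3"
  cfg=$(gcloud container clusters describe "$cluster" --location "$location" \
          --project "$project" --format json | jq '.securityPostureConfig')
  mode=$(posture_mode "$cfg")
  if posture_compliant "$cfg"; then
    echo "$cluster: securityPostureConfig.mode=${mode} (compliant)"
  else
    echo "$cluster: securityPostureConfig.mode=${mode:-<absent>} (NOT compliant)"
    echo "remediate with:"
    echo "  gcloud container clusters update $cluster --location=$location \\"
    echo "    --project=$project --security-posture=standard"
  fi
}

# Run the live audit only when invoked with the three placeholder arguments.
if [ "$#" -eq 3 ]; then
  audit_cluster "$1" "$2" "$3"
fi
```

Save the script and run it as `sh audit_posture.sh CLUSTER_NAME CONTROL_PLANE_LOCATION PROJECT_ID`; the same three values feed both the describe call and the printed update command, so the remediation can be pasted back without retyping them. Because posture_mode works on the saved JSON fragment, the check can also be applied offline to describe output collected earlier, which is how the page's sample output is evaluated here.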