Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One
Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Enable and Configure Security Posture

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: GKE-027

Ensure that Security Posture is enabled for your Google Kubernetes Engine (GKE) clusters. The security posture dashboard provides insights about your workload security posture at the runtime phase of the software delivery life-cycle.

This rule resolution is part of the Conformity solution.

Security

GKE security posture configuration auditing checks your workloads against a set of defined best practices. Each configuration check has its own impact or risk. For example, the host namespace check identifies pods that share host namespaces. Pods that share host namespaces allow Pod processes to communicate with host processes and gather host information, which could lead to a container escape.

GKE security posture has multiple features. Not all are on by default. Configuration auditing is enabled by default for new standard and autopilot clusters.
securityPostureConfig: mode: BASIC

Audit

To determine if Security Posture dashboard is enabled for your Google Kubernetes Engine (GKE) clusters, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Kubernetes Engine console available at https://console.cloud.google.com/kubernetes.

04 In the left navigation panel, under Resource Management, choose Clusters and select the OVERVIEW tab to access the list of GKE clusters provisioned for the selected GCP project.

05 Click on the name (link) of the GKE cluster that you want to examine.

06 Select the DETAILS tab to view the configuration information available for the selected cluster.

07 In the Security section, check the Security posture attribute value to determine the Security Posture feature status. If Security posture is set to Disabled, the Security Posture dashboard is not enabled for the selected Google Kubernetes Engine (GKE) cluster.

08 Repeat steps no. 5 – 7 for each GKE cluster provisioned within the selected GCP project.

09 Repeat steps no. 2 – 8 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each GCP project available in your Google Cloud account: 

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project IDS: 

PROJECT_ID
cc-web-project-123123
cc-dev-project-112233

03 Run container clusters list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the name and the region of each GKE cluster provisioned for the selected project: 

gcloud container clusters list
	--project cc-web-project-123123
	--format="table(NAME,ZONE)"

04 The command output should return the requested cluster names and their regions: 

NAME: cc-gke-backend-cluster
ZONE: us-central1

NAME: cc-gke-frontend-cluster
ZONE: us-central1

05 Run container clusters describe command (Windows/macOS/Linux) with the name of the GKE cluster that you want to examine as the identifier parameter to determine the Security Posture configuration status: 

gcloud container clusters describe cc-gke-backend-cluster
	--location=us-central1
	--project=cc-web-project-123123
	--format=json | jq '.securityPostureConfig'

06 The command output should return the Security Posture configuration for the selected GKE cluster: 

{
	"mode": "DISABLED",
	"vulnerabilityMode": "VULNERABILITY_DISABLED"
}

If the mode value is DISABLED, the Security Posture is not enabled for the selected Google Kubernetes Engine (GKE) cluster. The mode should be BASIC or ENTERPRISE.

07 Repeat steps no. 5 and 6 for each GKE cluster provisioned for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To enable and configure the Security Posture dashboard for your Google Kubernetes Engine (GKE) clusters, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Kubernetes Engine console available at https://console.cloud.google.com/kubernetes.

04 In the left navigation panel, under Resource Management, choose Clusters and select the OVERVIEW tab to access the list of GKE clusters deployed for the selected GCP project.

05 Click on the name (link) of the GKE cluster that you want to configure.

06 Select the DETAILS tab to view the configuration information available for the selected cluster.

07 In the Security section, click on the Edit security posture button (i.e., pencil icon) available next to Security posture to modify the feature settings.

08 Inside the Edit security posture configuration box, check the Enable security posture setting checkbox and select SAVE CHANGES to apply the changes.

09 Repeat steps no. 5 – 8 for each GKE cluster that you want to configure, created for the selected GCP project.

10 Repeat steps no. 2 – 9 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run container clusters update command (Windows/macOS/Linux) to enable Security Posture for an existing GKE cluster. You can choose between two modes: standard (Basic tier) or enterprise (Advanced tier): 

gcloud container clusters update cc-gke-backend-cluster
	--location=us-central1
	--security-posture=standard

For new clusters, add the --security-posture=standard or --security-posture=enterprise flag when creating the cluster.

02 The command output should return the full URL of the modified GKE cluster: 

Updating cc-gke-backend-cluster... done.
Updated [https://container.googleapis.com/v1/projects/cc-web-project-123123/zones/us-central1/clusters/cc-gke-backend-cluster].

03 Repeat steps no. 1 and 2 for each GKE cluster that you want to configure, available within the selected GCP project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.

References

Publication date Dec 2, 2024

Related GKE rules