
Enable and Configure Security Posture

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the Security Posture dashboard is enabled for your Google Kubernetes Engine (GKE) clusters. This feature integrates with other cloud services such as Cloud Logging, Policy Controller, and Binary Authorization to provide visibility into vulnerabilities, misconfigurations, and compliance risks, helping you strengthen cluster security and maintain regulatory compliance.

Security

Security Posture configuration auditing evaluates your GKE workloads against a set of defined best practices. It provides a centralized view of potential security vulnerabilities within your GKE clusters, enabling you to identify and address security concerns before they escalate into critical issues. This proactive approach ensures a secure containerized environment and safeguards your applications.

Security Posture is only available for GKE clusters enabled with the Google Kubernetes Engine (GKE) Enterprise edition.


Audit

To determine if the Security Posture dashboard is enabled for your Google Kubernetes Engine (GKE) clusters, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Kubernetes Engine console available at https://console.cloud.google.com/kubernetes.

04 In the left navigation panel, under Resource Management, choose Clusters and select the OVERVIEW tab to access the list of GKE clusters provisioned for the selected GCP project.

05 Click on the name (link) of the GKE cluster that you want to examine.

06 Select the DETAILS tab to view the configuration information available for the selected cluster.

07 In the Security section, check the Security posture attribute value to determine the Security Posture feature status. If Security posture is set to Disabled, the Security Posture dashboard is not enabled for the selected Google Kubernetes Engine (GKE) cluster.

08 Repeat steps no. 5 – 7 for each GKE cluster provisioned within the selected GCP project.

09 Repeat steps no. 2 – 8 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each GCP project available in your Google Cloud account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-project-123123
cc-dev-project-112233

03 Run container clusters list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to list the name and the region of each GKE cluster provisioned for the selected project:

gcloud container clusters list \
	--project cc-web-project-123123 \
	--format="table(NAME,ZONE)"

04 The command output should return the requested cluster names and their regions:

NAME: cc-gke-backend-cluster
ZONE: us-central1

NAME: cc-gke-frontend-cluster
ZONE: us-central1

05 Run container clusters describe command (Windows/macOS/Linux) with the name of the GKE cluster that you want to examine as the identifier parameter and custom output filters to determine the Security Posture dashboard configuration status of the selected cluster:

gcloud container clusters describe cc-gke-backend-cluster \
	--region=us-central1 \
	--format="value(securityPostureConfig.mode)"

06 The command output should return the Security Posture mode (tier) configured for the selected GKE cluster:

DISABLED

If the container clusters describe command output returns DISABLED, as shown in the example above, the Security Posture dashboard is not enabled for the selected Google Kubernetes Engine (GKE) cluster.

07 Repeat steps no. 5 and 6 for each GKE cluster provisioned for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To enable and configure the Security Posture dashboard for your Google Kubernetes Engine (GKE) clusters, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Kubernetes Engine console available at https://console.cloud.google.com/kubernetes.

04 In the left navigation panel, under Resource Management, choose Clusters and select the OVERVIEW tab to access the list of GKE clusters deployed for the selected GCP project.

05 Click on the name (link) of the GKE cluster that you want to configure.

06 Select the DETAILS tab to view the configuration information available for the selected cluster.

07 In the Security section, click on the Edit security posture button (i.e., pencil icon) available next to Security posture to modify the feature settings.

08 Inside the Edit security posture configuration box, check the Enable security posture setting checkbox, choose the Security Posture mode (tier) that you want to use for your workloads, and select SAVE CHANGES to apply the changes. You can choose between two tiers: Basic, which checks your workloads against Pod security standards and GKE security bulletins, and Advanced, which adds threat detection on top of the features available in the Basic tier.

09 Repeat steps no. 5 – 8 for each GKE cluster that you want to configure, created for the selected GCP project.

10 Repeat steps no. 2 – 9 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run container clusters update command (Windows/macOS/Linux) with the name of the Google Kubernetes Engine (GKE) cluster that you want to configure as the identifier parameter to enable the Security Posture dashboard for that cluster. You can choose between two tiers (modes): Basic, which checks your workloads against Pod security standards and GKE security bulletins, and Advanced, which adds threat detection on top of the features available in the Basic tier. To use the Basic tier, set the --security-posture parameter to standard. To use the Advanced tier, set --security-posture to enterprise, as shown in the example below:

gcloud container clusters update cc-gke-backend-cluster \
	--region=us-central1 \
	--security-posture=enterprise

02 The command output should return the full URL of the modified GKE cluster:

Updating cc-gke-backend-cluster... done.
Updated [https://container.googleapis.com/v1/projects/cc-web-project-123123/zones/us-central1/clusters/cc-gke-backend-cluster].

03 Repeat steps no. 1 and 2 for each GKE cluster that you want to configure, available within the selected GCP project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.
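The CLI audit (steps 01 to 08 in the Audit section) and the CLI remediation (steps 01 to 04 above) repeat the same project and cluster loop, so both can be driven from one script. The following is an added example written for this page, not Conformity's or Google's own code. It assumes the gcloud CLI is installed and authenticated, uses the value() output format with the name and location cluster fields, passes --location so zonal and regional clusters are handled alike, and treats an empty securityPostureConfig.mode (field not set on the cluster) as disabled. Run it with the argument audit to report only, or with fix standard or fix enterprise to also enable that tier on every cluster reported as disabled.

```shell
#!/bin/sh
# Added example (not Conformity's or Google's code): audit every GKE cluster the
# active gcloud account can see for Security Posture, and optionally enable it.
# Assumptions: gcloud is installed and authenticated; cluster fields are `name`
# and `location`; an empty securityPostureConfig.mode (field unset) counts as
# DISABLED for audit purposes.

# classify_posture_mode MODE
# Maps the securityPostureConfig.mode value printed by
#   gcloud container clusters describe ... --format="value(securityPostureConfig.mode)"
# to an audit verdict (audit step 06).
classify_posture_mode() {
  case "$1" in
    BASIC)       echo "PASS (Basic tier)" ;;
    ENTERPRISE)  echo "PASS (Advanced tier)" ;;
    DISABLED|"") echo "FAIL (Security Posture disabled)" ;;
    *)           echo "UNKNOWN ($1)" ;;
  esac
}

# needs_fix MODE: succeeds (exit 0) when the cluster should be remediated.
needs_fix() {
  case "$(classify_posture_mode "$1")" in
    FAIL*) return 0 ;;
    *)     return 1 ;;
  esac
}

# get_posture_mode PROJECT CLUSTER LOCATION (audit step 05)
get_posture_mode() {
  gcloud container clusters describe "$2" --project "$1" --location "$3" \
    --format="value(securityPostureConfig.mode)" 2>/dev/null
}

# enable_posture PROJECT CLUSTER LOCATION TIER (remediation step 01)
# TIER is "standard" (Basic) or "enterprise" (Advanced), the --security-posture values.
enable_posture() {
  gcloud container clusters update "$2" --project "$1" --location "$3" \
    --security-posture="$4" --quiet
}

# audit_all [TIER]: walk all projects (audit step 01) and their clusters (step 03),
# print one tab-separated line per cluster and, when TIER is given, remediate
# every cluster whose verdict is FAIL.
audit_all() {
  tier=${1:-}
  gcloud projects list --format="value(projectId)" | while read -r project; do
    gcloud container clusters list --project "$project" --format="value(name,location)" \
      | while read -r name location; do
        [ -n "$name" ] || continue
        mode=$(get_posture_mode "$project" "$name" "$location")
        verdict=$(classify_posture_mode "$mode")
        printf '%s\t%s\t%s\t%s\n' "$project" "$name" "$location" "$verdict"
        if [ -n "$tier" ] && needs_fix "$mode"; then
          enable_posture "$project" "$name" "$location" "$tier"
        fi
      done
  done
}

# Usage: sh gke_posture_audit.sh audit
#        sh gke_posture_audit.sh fix standard|enterprise
case "${1:-}" in
  audit) audit_all ;;
  fix)   audit_all "${2:?tier required: standard or enterprise}" ;;
esac
```

The verdict logic is kept in classify_posture_mode, separate from the gcloud calls, so it can be checked offline against the three enum values the describe command can print; the fix mode only touches clusters that the audit has already reported as FAIL, so an audit run never changes anything.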


Publication date Dec 2, 2024