Integrate Google Kubernetes Engine with Google SecOps

Integration version: 7.0

This document explains how to configure and integrate Google Kubernetes Engine (GKE) with Google Security Operations (Google SecOps).

Use cases

The GKE integration can help you address the following use cases:

Cluster inventory: use the Google SecOps capabilities to automatically retrieve a list of all GKE clusters within a specified location. This helps security teams to maintain an up-to-date inventory of their Kubernetes infrastructure.
Dynamic auto scaling: use the Google SecOps capabilities to automatically adjust the size of node pools in response to security events or operational alerts, ensuring optimal performance.
Label-based isolation: use the Google SecOps capabilities to automatically apply labels to GKE clusters based on security policies or incident response procedures.
Add-on configuration adjustment: use the Google SecOps capabilities to automatically enable or disable GKE add-ons based on security best practices. Disabling insecure add-ons can reduce the attack surface.
Operation status monitoring: use the Google SecOps capabilities to automatically monitor the status of GKE operations that are triggered by security playbooks or incident response workflows. This lets security analysts monitor remediation progress and check the status of ongoing operations.

Before you begin

To use the integration, you need a custom Identity and Access Management (IAM) role and a Google Cloud service account. You can use an existing service account or create a new one.

Create and configure an IAM role

To create and configure a custom IAM role for the integration, complete the following steps:

In the Google Cloud console, go to the IAM Roles page.

Go to Roles
Click Create role to create a custom role with permissions required for the integration.
For a new custom role, enter a Title, Description, and unique ID.
Set the Role Launch Stage to General Availability.
Add the following permissions to the created role:
- container.clusters.list
- container.clusters.update
- container.clusters.get
- container.operations.list
- container.operations.get
Click Create.

Create a service account

For guidance on creating a service account, see Create service accounts.
Under Grant this service account access to project, grant your service account the custom role that you created in the previous section.
If you don't run workloads on Google Cloud, you need to create a service account key in JSON after you create a service account. If you don't configure the Workload Identity Email parameter, use the full content of the downloaded JSON file when you configure the integration parameters.

For security reasons, we recommend using the workload identity email addresses instead of service account JSON keys. For more information about the workload identities, see Identities for workloads.

Integration parameters

The GKE integration requires the following parameters:

Parameters	Description
`API Root`	Optional. The GKE instance API root. The default value is `https://container.googleapis.com`.
`Account Type`	Optional. The type of GKE account. Provide the value that is set in the `type` parameter of the service account key JSON file. The default value is `service_account`.
`Project ID`	Optional. The project ID of the GKE account. Enter the value that is set in the `project_id` parameter of the authentication JSON file.
`Private Key ID`	Optional. The private key ID of the GKE account. Enter the value that is set in the `private_key_id` parameter of the authentication JSON file.
`Private Key`	Optional. The private key of the GKE account. Enter the value that is set in the `private_key` parameter of the authentication JSON file.
`Client Email`	Optional. The client email address of the GKE account. Enter the value that is set in the `client_email` parameter of the authentication JSON file.
`Client ID`	Optional. The client ID of the GKE account. Enter the value that is set in the `client_id` parameter of the authentication JSON file.
`Auth URI`	Optional. The authentication URI of the GKE account. Enter the value that is set in the `auth_uri` parameter of the authentication JSON file. The default value is `https://accounts.google.com/o/oauth2/auth`.
`Token URI`	Optional. The token URI of the GKE account. Enter the value that is set in the `token_uri` parameter of the authentication JSON file. The default value is `https://oauth2.googleapis.com/token`.
`Auth Provider X509 URL`	Optional. The authentication provider X.509 URL of the GKE account. Enter the value that is set in the `auth_provider_x509_cert_url` parameter of the authentication JSON file. The default value is `https://www.googleapis.com/oauth2/v1/certs`.
`Client X509 URL`	Optional. The client X.509 URL of the GKE account. Enter the value that is set in the `client_x509_cert_url` parameter of the authentication JSON file.
`Service Account Json File Content`	Optional. The content of the service account key JSON file. You can configure this parameter or the `Workload Identity Email` parameter or set all the preceding integration parameters. To configure this parameter, enter the full content of the service account key JSON file that you have downloaded when you created a service account. If you configure this parameter, the integration ignores other connection parameters.
`Workload Identity Email`	Optional. The client email address of your service account. You can configure this parameter or the `Service Account Json File Content` parameter. If you set this parameter, configure the `Quota Project ID` parameter. To impersonate service accounts with the Workload Identity Federation, grant the `Service Account Token Creator` role to your service account. For more details about workload identities and how to work with them, see Identities for workloads.
`Location ID`	Optional. The location ID to use in the integration. The default value is `europe-central2-a`.
`Verify SSL`	Optional. If selected, the integration validates the SSL certificate when connecting to the GKE server. Selected by default.

For instructions about how to configure an integration in Google SecOps, see Configure integrations.

You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.

Actions

For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.

Get Operation Status

Use the Get Operation Status action to retrieve the GKE operation status.

This action is asynchronous. Adjust the Google SecOps integrated development environment (IDE) for the action as needed.

This action doesn't run on Google SecOps entities.

Action inputs

The Get Operation Status action requires the following parameters:

Parameter Description

Parameter	Description
`Location`	Required. A location to retrieve the operation statuses, such as `europe-central2-a`.
`Operation Name`	Required. An operation to retrieve.
`Wait for the operation to finish`	Optional. If selected, the action waits for the results of the operation. Not selected by default.

Location

Required.

A location to retrieve the operation statuses, such as europe-central2-a.

Operation Name

Required.

An operation to retrieve.

Wait for the operation to finish

Optional.

If selected, the action waits for the results of the operation.

Not selected by default.

Action outputs

The Get Operation Status action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Available
Output messages	Available
Script result	Available

JSON result

The following example shows the JSON result output received when using the Get Operation Status action:

{
    "name": "operation-OPERATION_ID",
    "zone": "europe-central2-a",
    "operationType": "SET_NODE_POOL_SIZE",
    "status": "RUNNING",
    "selfLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/zones/europe-central2-a/operations/operation-OPERATION_ID",
    "targetLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/zones/europe-central2-a/clusters/cluster-test/nodePools/default-pool",
    "startTime": "2021-08-15T11:53:55.904254615Z"
}

Output messages

The Get Operation Status action can return the following output messages:

Output message Message description

Output message	Message description
`Successfully fetched operation details.` `Failed to execute the action because API returned error, please see action logs LOG_SNIPPET.` `Operation OPERATION_NAME is still in progress, current status: STATUS.` `Operation OPERATION_NAME successfully finished.` `Operation OPERATION_NAME failed to complete with the following status: STATUS.`	The action succeeded.
`Provided cluster location CLUSTER_LOCATION does not exist.` `Provided operation name OPERATION_NAME was not found.` `Error executing action "Set Node Count". Reason: ERROR_REASON`	The action failed. Check the connection to the server, input parameters, or credentials.

Successfully fetched operation details.

Failed to execute the action because API returned error, please see action logs LOG_SNIPPET.

Operation OPERATION_NAME is still in progress, current status: STATUS.

Operation OPERATION_NAME successfully finished.

Operation OPERATION_NAME failed to complete with the following status: STATUS.

The action succeeded.

Provided cluster location CLUSTER_LOCATION does not exist.

Provided operation name OPERATION_NAME was not found.

Error executing action "Set Node Count". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Get Operation Status action:

Script result name	Value
`is_success`	`True` or `False`

List Clusters

Use the List Clusters action to list GKE clusters based on the specified search criteria.

This action doesn't run on Google SecOps entities.

Action inputs

The List Clusters action requires the following parameters:

Parameter	Description
`Cluster Location`	Required. The location to search for clusters, such as `europe-central2-a`.
`Filter Logic`	Optional. The filter logic to apply. The filtering logic works with the `cluster name` field. The possible values are as follows: `Not Specified` `Equal` `Contains` The default value is `Not Specified`.
`Filter Value`	Optional. The value to use for the filter. The filtering logic works with the `cluster name` field. If you set the `Filter Logic` parameter to `Equal`, the action searches for the `Filter Value` exact match among results. If you set the `Filter Logic` parameter to `Contains`, the action searches for results that contain the substring that you specify in this parameter. If you don't set a value, the action ignores the filter.
`Max Records To Return`	Optional. The number of records to return. The default value is `50`.

Action outputs

The List Clusters action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Available
Enrichment table	Not available
JSON result	Available
Output messages	Available
Script result	Available

Case wall table

The List Clusters action can return the following table:

Table name: Found Clusters

Table columns:

ID
Name
Description
Cluster Network
Cluster IPv4 CIDR
Labels
Cluster Endpoint
Status
Location
Zone
Initial Cluster Version
Current Master Version
Current Node Version
Create Time

JSON result

The following example shows the JSON result output received when using the List Clusters action:

{
           "name": "cluster-test",
           "description": "Requested by user",
           "nodeConfig": {
               "machineType": "e2-micro",
               "diskSizeGb": 15,
               "oauthScopes": [
                   "https://www.googleapis.com/auth/devstorage.read_only",
                   "https://www.googleapis.com/auth/logging.write",
                   "https://www.googleapis.com/auth/monitoring",
                   "https://www.googleapis.com/auth/servicecontrol",
                   "https://www.googleapis.com/auth/service.management.readonly",
                   "https://www.googleapis.com/auth/trace.append"
               ],
               "metadata": {
                   "disable-legacy-endpoints": "true"
               },
               "imageType": "COS",
               "tags": [
                   "pod-net-tag"
               ],
               "serviceAccount": "default",
               "diskType": "pd-standard",
               "shieldedInstanceConfig": {
                   "enableIntegrityMonitoring": true
               }
           },
           "masterAuth": {
               "clusterCaCertificate": "CERTIFICATE"
           }
}

Output messages

The List Clusters action can return the following output messages:

Output message Message description

Output message	Message description
`Successfully found clusters for the provided criteria in GKE.` `No clusters were found for the provided criteria in GKE.`	The action succeeded.
`Provided cluster location CLUSTER_LOCATION does not exist.` `Invalid value was provided for "Max Records to Return": MAX_RECORDS_TO_RETURN. Positive number should be provided.` `Error executing action "List Clusters". Reason: ERROR_REASON`	The action failed. Check the connection to the server, input parameters, or credentials.

Successfully found clusters for the provided criteria in GKE.

No clusters were found for the provided criteria in GKE.

The action succeeded.

Provided cluster location CLUSTER_LOCATION does not exist.

Invalid value was provided for "Max Records to Return": MAX_RECORDS_TO_RETURN. Positive number should be provided.

Error executing action "List Clusters". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the List Clusters action:

Script result name	Value
`is_success`	`True` or `False`

List Node Pools

Use the List Node Pools action to list node pools for the GKE cluster based on the specified search criteria.

The filtering logic works with the node pool name field.

This action doesn't run on Google SecOps entities.

Action inputs

The List Node Pools action requires the following parameters:

Parameter	Description
`Cluster Location`	Required. A location to search for clusters, such as `europe-central2-a`.
`Cluster Name`	Required. The name of the cluster to search for.
`Filter Logic`	Optional. The filter logic to apply. The filtering logic works with the `node pool name` field. The possible values are as follows: `Not Specified` `Equal` `Contains` The default value is `Not Specified`.
`Filter Value`	Optional. The value to use for the filter. The filtering logic works with the `node pool name` field. If you set the `Filter Logic` parameter to `Equal`, the action searches for the `Filter Value` exact match among results. If you set the `Filter Logic` parameter to `Contains`, the action searches for results that contain the substring that you specify in this parameter. If you don't set a value, the action ignores the filter.
`Max Records To Return`	Optional. The number of records to return. The default value is `50`.

Action outputs

The List Node Pools action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Available
Enrichment table	Not available
JSON result	Available
Output messages	Available
Script result	Available

Case wall table

The List Node Pools action can return the following table:

Table name: Found Node Pools

Name
Status
Version
Machine Type
Tags
Service Account
Initial Node Count
Autoscaling
Max Pods Constraint
Locations

JSON result

The following example shows the JSON result output received when using the List Node Pools action:

{
    "nodePools": [
        {
            "name": "example-pool",
            "config": {
                "machineType": "e2-micro",
                "diskSizeGb": 15,
                "oauthScopes": [
                    "https://www.googleapis.com/auth/devstorage.read_only",
                    "https://www.googleapis.com/auth/logging.write",
                    "https://www.googleapis.com/auth/monitoring",
                    "https://www.googleapis.com/auth/servicecontrol",
                    "https://www.googleapis.com/auth/service.management.readonly",
                    "https://www.googleapis.com/auth/trace.append"
                ],
                "metadata": {
                    "disable-legacy-endpoints": "true"
                },
                "imageType": "COS",
                "tags": [
                    "pod-net-tag"
                ],
                "serviceAccount": "default",
                "diskType": "pd-standard",
                "shieldedInstanceConfig": {
                    "enableIntegrityMonitoring": true
                }
            },
            "initialNodeCount": 3,
            "autoscaling": {},
            "management": {
                "autoUpgrade": true,
                "autoRepair": true
            },
            "maxPodsConstraint": {
                "maxPodsPerNode": "8"
            },
            "podIpv4CidrSize": 28,
            "locations": [
                "europe-central2-a"
            ],
            "networkConfig": {
                "podRange": "gke-cluster-example-pods-ID",
                "podIpv4CidrBlock": "192.0.2.0/24"
            },
            "selfLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/zones/europe-central2-a/clusters/cluster-example/nodePools/example-pool",
            "version": "1.18.20-gke.900",
            "instanceGroupUrls": [
                "https://www.googleapis.com/compute/v1/projects/PROJECT_ID/zones/europe-central2-a/instanceGroupManagers/gke-cluster-example-example-pool-ID-grp"
            ],
            "status": "RUNNING",
            "upgradeSettings": {
                "maxSurge": 1
            }
        }
    ]
}

Output messages

The List Node Pools action can return the following output messages:

Output message Message description

Output message	Message description
`Successfully found node pools for cluster CLUSTER_NAME for the provided criteria in GKE.` `No node pools were found for cluster CLUSTER_NAME for the provided criteria in GKE.`	The action succeeded.
`Provided cluster location CLUSTER_LOCATION does not exist.` `Provided cluster name CLUSTER_NAME was not found.` `Invalid value was provided for "Max Records to Return": MAX_RECORDS_TO_RETURN. Positive number should be provided.` `Error executing action "List Node Pools". Reason: ERROR_REASON`	The action failed. Check the connection to the server, input parameters, or credentials.

Successfully found node pools for cluster CLUSTER_NAME for the provided criteria in GKE.

No node pools were found for cluster CLUSTER_NAME for the provided criteria in GKE.

The action succeeded.

Provided cluster location CLUSTER_LOCATION does not exist.

Provided cluster name CLUSTER_NAME was not found.

Invalid value was provided for "Max Records to Return": MAX_RECORDS_TO_RETURN. Positive number should be provided.

Error executing action "List Node Pools". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the List Node Pools action:

Script result name	Value
`is_success`	`True` or `False`

List Operations

Use the List Operations action to list GKE operations for a location based on the specified search criteria.

The filtering logic works with the operation name field.

This action doesn't run on Google SecOps entities.

Action inputs

The List Operations action requires the following parameters:

Parameter	Description
`Cluster Location`	Required. The location to search for operations, such as `europe-central2-a`.
`Filter Logic`	Optional. The filter logic to apply. The filtering logic works with the `cluster name` field. The possible values are as follows: `Equal` `Contains` The default value is `Equal`.
`Filter Value`	Optional. The value to use for the filter. The filtering logic works with the `cluster name` field. If you set the `Filter Logic` parameter to `Equal`, the action searches for the `Filter Value` exact match among results. If you set the `Filter Logic` parameter to `Contains`, the action searches for results that contain the substring that you specify in this parameter. If you don't set a value, the action ignores the filter.
`Max Records To Return`	Optional. The number of records to return. The default value is `50`.

Action outputs

The List Operations action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Available
Enrichment table	Not available
JSON result	Available
Output messages	Available
Script result	Available

Case wall table

The List Operations action can return the following table:

Table name: Found Operations

Table columns:

Name
Zone
Operation Type
Status
Start Time
End Time
Target Link
Self Link

JSON result

The following example shows the JSON result output received when using the List Operations action:

{
    "operations": [
        {
            "name": "operation-OPERATION_ID",
            "zone": "europe-central2-a",
            "operationType": "UPGRADE_MASTER",
            "status": "DONE",
            "selfLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/zones/europe-central2-a/operations/operation-OPERATION_ID",
            "targetLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/zones/europe-central2-a/clusters/cluster-example",
            "startTime": "2021-08-06T12:33:51.614562051Z",
            "endTime": "2021-08-06T12:38:55.038159801Z"
        },
    ]
}

Output messages

The List Operations action can return the following output messages:

Output message Message description

Output message	Message description
`Successfully found operations for the provided criteria in GKE.` `No operations were found for the provided criteria in GKE.`	The action succeeded.
`Provided cluster location CLUSTER_LOCATION does not exist.` `Error executing action "List Operations". Reason: ERROR_REASON`	The action failed. Check the connection to the server, input parameters, or credentials.

Successfully found operations for the provided criteria in GKE.

No operations were found for the provided criteria in GKE.

The action succeeded.

Provided cluster location CLUSTER_LOCATION does not exist.

Error executing action "List Operations". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the List Operations action:

Script result name	Value
`is_success`	`True` or `False`

Ping

Use the Ping action to test the connectivity to GKE.

This action doesn't run on Google SecOps entities.

Action inputs

None.

Action outputs

The Ping action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Not available
Output messages	Available
Script result	Available

Output messages

The Ping action can return the following output messages:

Output message Message description

Successfully connected to the GKE service with the provided connection parameters! The action succeeded.

Output message	Message description
`Successfully connected to the GKE service with the provided connection parameters!`	The action succeeded.
`Failed to connect to the GKE service! Error is ERROR_REASON`	The action failed. Check the connection to the server, input parameters, or credentials.

Failed to connect to the GKE service! Error is ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Ping action:

Script result name	Value
`is_success`	`True` or `False`

Set Cluster Addons

Use the Set Cluster Addons action to set add-ons for the GKE cluster.

If the target cluster is already undergoing a configuration change, it cannot accept new configuration changes until the current configuration change is complete.

This action runs asynchronous. Adjust the Google SecOps IDE settings as needed.

This action doesn't run on Google SecOps entities.

Action inputs

The Set Cluster Addons action requires the following parameters:

Parameter	Description
`Cluster Location`	Required. A location to search for clusters, such as `europe-central2-a`.
`Cluster Name`	Required. The name of the cluster to search for.
`HTTP Load Balancing`	Optional. The value for the HTTP load balancing add-on. The possible values are as follows: `Not Changed` `Disabled` `Enabled` The default value is `Not Changed`.
`Horizontal Pod Autoscaling`	Optional. The value for the horizontal Pod autoscaling add-on. The possible values are as follows: `Not Changed` `Disabled` `Enabled` The default value is `Not Changed`.
`Network Policy Config`	Optional. The value for the network policy configuration add-on. The possible values are as follows: `Not Changed` `Disabled` `Enabled` The default value is `Not Changed`.
`Cloud Run Config`	Optional. The value for the Cloud Run configuration add-on. The possible values are as follows: `Not Changed` `Disabled` `Enabled, Load Balancer Type Unspecified` `Enabled, Load Balancer Type External` `Enabled, Load Balancer Type Internal` The default value is `Not Changed`.
`DNS Cache Config`	Optional. The value for the DNS cache configuration add-on. The possible values are as follows: `Not Changed` `Disabled` `Enabled` The default value is `Not Changed`.
`Config Connector Config`	Optional. The value for the Config Connector configuration add-on. The possible values are as follows: `Not Changed` `Disabled` `Enabled` The default value is `Not Changed`.
`Persistent Disk Csi Driver Config`	Optional. Specify the value for the Compute Engine persistent disk Container Storage Interface (CSI) Driver configuration add-on. The possible values are as follows: `Not Changed` `Disabled` `Enabled` The default value is `Not Changed`.
`Wait for cluster configuration change operation to finish`	Optional. If selected, the action waits for the results of the cluster configuration change operation. Selected by default.

Action outputs

The Set Cluster Addons action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Available
Output messages	Available
Script result	Available

JSON result

The following example shows the JSON result output received when using the Set Cluster Addons action:

{
   "name": "operation-OPERATION_ID",
   "zone": "europe-central2-a",
   "operationType": "UPDATE_CLUSTER",
   "status": "RUNNING",
   "selfLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/zones/europe-central2-a/operations/operation-OPERATION_ID",
   "targetLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/zones/europe-central2-a/clusters/cluster-test",
   "startTime": "2021-08-15T11:34:43.051036236Z"
}

Output messages

The Set Cluster Addons action can return the following output messages:

Output message Message description

Output message	Message description
`Successfully created cluster configuration change operation.` `Failed to execute the action because API returned error, please see action logs LOG_SNIPPET.` `Operation OPERATION_NAME is still in progress, current status: STATUS.` `Operation OPERATION_NAME successfully finished.` `Operation OPERATION_NAME failed to complete with the following status: STATUS.`	The action succeeded.
`Provided cluster location CLUSTER_LOCATION does not exist.` `Provided cluster name CLUSTER_NAME was not found.` `Error executing action "Set Cluster Addons". Reason: ERROR_REASON`	The action failed. Check the connection to the server, input parameters, or credentials.

Successfully created cluster configuration change operation.

Failed to execute the action because API returned error, please see action logs LOG_SNIPPET.

Operation OPERATION_NAME is still in progress, current status: STATUS.

Operation OPERATION_NAME successfully finished.

Operation OPERATION_NAME failed to complete with the following status: STATUS.

The action succeeded.

Provided cluster location CLUSTER_LOCATION does not exist.

Provided cluster name CLUSTER_NAME was not found.

Error executing action "Set Cluster Addons". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Set Cluster Addons action:

Script result name	Value
`is_success`	`True` or `False`

Set Cluster Labels

Use the Set Cluster Labels action to set labels for the GKE cluster. The action appends new labels to any existing cluster labels.

If the target cluster is already undergoing a configuration change, it cannot accept new configuration changes until the current configuration change is complete.

This action runs asynchronous. Adjust the Google SecOps IDE settings as needed.

This action doesn't run on Google SecOps entities.

Action inputs

The Set Cluster Labels action requires the following parameters:

Parameter	Description
`Cluster Location`	Required. A location to search for clusters, such as `europe-central2-a`.
`Cluster Name`	Required. The name of the cluster to search for.
`Cluster Labels`	Required. A JSON object that contains labels to add to the cluster. The action appends new labels to any existing cluster labels. The default value is as follows: { "key1":"value1", "key2":"value2" }
`Wait for cluster configuration change operation to finish`	Optional. If selected, the action waits for the results of the cluster configuration change operation. Not selected by default.

Action outputs

The Set Cluster Labels action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Available
Output messages	Available
Script result	Available

JSON result

The following example shows the JSON result output received when using the Set Cluster Labels action:

{
    "name": "operation-OPERATION_ID",
    "zone": "europe-central2-a",
    "operationType": "UPDATE_CLUSTER",
    "status": "RUNNING",
    "selfLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/zones/europe-central2-a/operations/operation-OPERATION_ID",
    "targetLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/zones/europe-central2-a/clusters/cluster-test",
    "startTime": "2021-08-15T11:53:55.904254615Z"
}

Output messages

The Set Cluster Labels action can return the following output messages:

Output message Message description

Output message	Message description
`Successfully created cluster configuration change operation.` `Operation OPERATION_NAME is still in progress, current status: STATUS.` `Operation OPERATION_NAME successfully finished.` `Operation OPERATION_NAME failed to complete with the following status: STATUS.` `Operation OPERATION_NAME failed to complete with the following status: STATUS.`	The action succeeded.
`Provided cluster location CLUSTER_LOCATION does not exist.` `Invalid value was provided for the cluster labels: CLUSTER_LABELS.` `Error executing action "Set Cluster Labels". Reason: ERROR_REASON`	The action failed. Check the connection to the server, input parameters, or credentials.

Successfully created cluster configuration change operation.

Operation OPERATION_NAME is still in progress, current status: STATUS.

Operation OPERATION_NAME successfully finished.

Operation OPERATION_NAME failed to complete with the following status: STATUS.

The action succeeded.

Provided cluster location CLUSTER_LOCATION does not exist.

Invalid value was provided for the cluster labels: CLUSTER_LABELS.

Error executing action "Set Cluster Labels". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Set Cluster Labels action:

Script result name	Value
`is_success`	`True` or `False`

Set Node Autoscaling

Use the Set Node Autoscaling action to set the node pool auto scaling configuration for the GKE cluster. The action is asynchronous.

If the target cluster is already undergoing a configuration change, it cannot accept new configuration changes until the current configuration change is complete.

This action runs asynchronous. Adjust the Google SecOps IDE settings as needed.

This action doesn't run on Google SecOps entities.

Action inputs

The Set Node Autoscaling action requires the following parameters:

Parameter	Description
`Cluster Location`	Required. A location to search for clusters, such as `europe-central2-a`.
`Cluster Name`	Required. The name of the cluster to search for.
`Node Pool Name`	Required. The node pool name for the cluster.
`Autoscaling Mode`	Optional. The auto scaling mode status for the node pool. The possible values are as follows: `Not Changed` `Enabled` `Disabled` The default value is `Not Changed`.
`Minimum Node Count`	Optional. The minimum number of nodes for the node pool configuration.
`Maximum Node Count`	Optional. The maximum number of nodes for the node pool configuration.
`Wait for cluster configuration change operation to finish`	Optional. If selected, the action waits for the results of the cluster configuration change operation. Not selected by default.

Action outputs

The Set Node Autoscaling action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Available
Output messages	Available
Script result	Available

JSON result

The following example shows the JSON result output received when using the Set Node Autoscaling action:

{
    "name": "operation-OPERATION_ID",
    "zone": "europe-central2-a",
    "operationType": "UPDATE_CLUSTER",
    "status": "RUNNING",
    "selfLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/zones/europe-central2-a/operations/operation-OPERATION_ID",
    "targetLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/zones/europe-central2-a/clusters/cluster-test",
    "startTime": "2021-08-15T11:53:55.904254615Z"
}

Output messages

The Set Node Autoscaling action can return the following output messages:

Output message Message description

Output message	Message description
`Successfully created cluster node pool configuration change operation.` `Failed to execute the action because API returned error, please see action logs LOG_SNIPPET.` `Operation OPERATION_NAME is still in progress, current status: STATUS.` `Operation OPERATION_NAME successfully finished.` `Operation OPERATION_NAME failed to complete with the following status: STATUS.`	The action succeeded.
`Provided cluster location CLUSTER_LOCATION does not exist.` `Provided cluster name CLUSTER_NAME was not found.` `Error executing action "Set Node Autoscaling". Reason: ERROR_REASON`	The action failed. Check the connection to the server, input parameters, or credentials.

Successfully created cluster node pool configuration change operation.

Failed to execute the action because API returned error, please see action logs LOG_SNIPPET.

Operation OPERATION_NAME is still in progress, current status: STATUS.

Operation OPERATION_NAME successfully finished.

Operation OPERATION_NAME failed to complete with the following status: STATUS.

The action succeeded.

Provided cluster location CLUSTER_LOCATION does not exist.

Provided cluster name CLUSTER_NAME was not found.

Error executing action "Set Node Autoscaling". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Set Node Autoscaling action:

Script result name	Value
`is_success`	`True` or `False`

Set Node Pool Management

Use the Set Node Pool Management action to set the node pool management configuration for the GKE cluster.

This action runs asynchronous. Adjust the Google SecOps IDE settings as needed.

This action doesn't run on Google SecOps entities.

Action inputs

The Set Node Pool Management action requires the following parameters:

Parameter	Description
`Cluster Location`	Required. A location to search for clusters, such as `europe-central2-a`.
`Cluster Name`	Required. The name of the cluster to search for.
`Node Pool Name`	Required. The node pool name for the GKE cluster.
`Auto Upgrade`	Optional. The status of the auto upgrade management feature.
`Auto Repair`	Optional. The status of auto repair management feature.
`Wait for cluster configuration change operation to finish`	Optional. If selected, the action waits for the results of the cluster configuration change operation. Not selected by default.

Action outputs

The Set Node Pool Management action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Available
Output messages	Available
Script result	Available

JSON result

The following example shows the JSON result output received when using the Set Node Pool Management action:

{
    "name": "operation-OPERATION_ID",
    "zone": "europe-central2-a",
    "operationType": "SET_NODE_POOL_MANAGEMENT",
    "status": "RUNNING",
    "selfLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/zones/europe-central2-a/operations/operation-OPERATION_ID",
    "targetLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/zones/europe-central2-a/clusters/cluster-test/nodePools/default-pool",
    "startTime": "2021-08-15T11:53:55.904254615Z"
}

Output messages

The Set Node Pool Management action can return the following output messages:

Output message Message description

Output message	Message description
`Successfully created cluster node pool configuration change operation.` `Failed to execute the action because API returned error, please see action logs LOG_SNIPPET.` `Operation OPERATION_NAME is still in progress, current status: STATUS.` `Operation OPERATION_NAME successfully finished.` `Operation OPERATION_NAME failed to complete with the following status: STATUS.`	The action succeeded.
`Provided cluster location CLUSTER_LOCATION does not exist.` `Provided cluster name CLUSTER_NAME was not found.` `Provided node pool name NODE_POOL_NAME was not found.` `Error executing action "Set Node Pool Management". Reason: ERROR_REASON`	The action failed. Check the connection to the server, input parameters, or credentials.

Successfully created cluster node pool configuration change operation.

Failed to execute the action because API returned error, please see action logs LOG_SNIPPET.

Operation OPERATION_NAME is still in progress, current status: STATUS.

Operation OPERATION_NAME successfully finished.

Operation OPERATION_NAME failed to complete with the following status: STATUS.

The action succeeded.

Provided cluster location CLUSTER_LOCATION does not exist.

Provided cluster name CLUSTER_NAME was not found.

Provided node pool name NODE_POOL_NAME was not found.

Error executing action "Set Node Pool Management". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Set Node Pool Management action:

Script result name	Value
`is_success`	`True` or `False`

Set Node Count

Use the Set Node Count action to set the node count for the GKE cluster node pool.

This action runs asynchronous. Adjust the Google SecOps IDE settings as needed.

This action doesn't run on Google SecOps entities.

Action inputs

The Set Node Count action requires the following parameters:

Parameter	Description
`Cluster Location`	Required. A location to search for clusters, such as `europe-central2-a`.
`Cluster Name`	Required. The name of the cluster to search for.
`Node Pool Name`	Required. The node pool name for the GKE cluster.
`Node Count`	Required. The number of nodes for the GKE cluster node pool.
`Wait for cluster configuration change operation to finish`	Optional. If selected, the action waits for the results of the cluster configuration change operation. Not selected by default.

Action outputs

The Set Node Count action provides the following outputs:

Action output type	Availability
Case wall attachment	Not available
Case wall link	Not available
Case wall table	Not available
Enrichment table	Not available
JSON result	Available
Output messages	Available
Script result	Available

JSON result

The following example shows the JSON result output received when using the Set Node Count action:

{
    "name": "operation-OPERATION_ID",
    "zone": "europe-central2-a",
    "operationType": "SET_NODE_POOL_SIZE",
    "status": "RUNNING",
    "selfLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/zones/europe-central2-a/operations/operation-OPERATION_ID",
    "targetLink": "https://container.googleapis.com/v1/projects/PROJECT_ID/zones/europe-central2-a/clusters/cluster-test/nodePools/default-pool",
    "startTime": "2021-08-15T11:53:55.904254615Z"
}

Output messages

The Set Node Count action can return the following output messages:

Output message Message description

Output message	Message description
`Successfully created cluster node pool configuration change operation.` `Failed to execute the action because API returned error, please see action logs LOG_SNIPPET.` `Operation OPERATION_NAME is still in progress, current status: STATUS.` `Operation OPERATION_NAME successfully finished.` `Operation OPERATION_NAME failed to complete with the following status: STATUS.`	The action succeeded.
`Provided cluster location CLUSTER_LOCATION does not exist.` `Provided cluster name CLUSTER_NAME was not found.` `Provided node pool name NODE_POOL_NAME was not found.` `Invalid value was provided for the node count: NODE_COUNT. The value should be a positive number.` `Error executing action "Set Node Count". Reason: ERROR_REASON`	The action failed. Check the connection to the server, input parameters, or credentials.

Successfully created cluster node pool configuration change operation.

Failed to execute the action because API returned error, please see action logs LOG_SNIPPET.

Operation OPERATION_NAME is still in progress, current status: STATUS.

Operation OPERATION_NAME successfully finished.

Operation OPERATION_NAME failed to complete with the following status: STATUS.

The action succeeded.

Provided cluster location CLUSTER_LOCATION does not exist.

Provided cluster name CLUSTER_NAME was not found.

Provided node pool name NODE_POOL_NAME was not found.

Invalid value was provided for the node count: NODE_COUNT. The value should be a positive number.

Error executing action "Set Node Count". Reason: ERROR_REASON

The action failed.

Check the connection to the server, input parameters, or credentials.

Script result

The following table lists the value for the script result output when using the Set Node Count action:

Script result name	Value
`is_success`	`True` or `False`

Need more help? Get answers from Community members and Google SecOps professionals.