This page explains how to configure fleet-level default settings for the Google Kubernetes Engine (GKE)
security posture dashboard.
The security posture dashboard
provides you with opinionated and actionable recommendations to improve your
clusters' security posture. If you have enabled
GKE Enterprise, you
can enable settings for the security posture dashboard at the fleet level.
You can create fleet-level defaults for the following
security posture dashboard settings:
Kubernetes security posture scanning standard tier: audit the clusters and
workloads in your fleet for common security configuration concerns.
Workload vulnerability scanning, available in the following tiers:
Workload OS vulnerability scanning (standard tier): scan the container
OS for known vulnerabilities.
Advanced vulnerability insights (enterprise tier): scan the container
OS and language packages for known vulnerabilities.
This page is for Security specialists who want to implement first-party
vulnerability detection solutions across a fleet of clusters. To learn more about
common roles and example tasks that we reference in Google Cloud content, see
Common GKE user roles and tasks.
This section describes how to configure security posture dashboard features
as fleet-level defaults. Any new clusters that you register to a fleet during
cluster creation have your specified security posture features enabled.
The fleet-level default settings that you configure take priority over any
default GKE security posture settings. To view the default
settings that apply to your edition of GKE, see the
Cluster-specific features table.
To configure fleet-level defaults for security posture, complete the
following steps:
Console
In the Google Cloud console, go to the Feature Manager page.
Review your fleet-level settings. All new clusters you register to the
fleet inherit these settings.
Optional: To change the default settings, click Customize fleet
settings. In the Customize fleet default configuration dialog that
appears, do the following:
For Configuration audit, choose if
configuration auditing
should be enabled or disabled.
For Vulnerability scanning (Deprecated), select the level of
vulnerability scanning
that you want; Disabled, Basic, or Advanced (recommended).
Click Save.
If you later disable fleet-level configuration for these features, your
current workloads in existing member clusters are still scanned and you
can see the security concerns on the security posture dashboard.
However, any new clusters you create in that fleet won't be scanned for
concerns, unless you enable the security posture features on them
individually.
To apply the setting to new clusters, click Configure.
In the confirmation dialog, click Confirm.
Optional: Sync existing clusters to the default settings:
In the Clusters in the fleet list, select the clusters that you want
to sync.
Click Sync to fleet settings and click Confirm in the
confirmation dialog that appears. This operation can take a few minutes
to complete.
If you disable fleet-level configuration for these features, your current
workloads in existing member clusters are still scanned and you can see the
security concerns on the security posture dashboard. However, any new
clusters you create in that fleet won't be scanned for concerns, unless you
enable the security posture features on them individually.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Configure GKE security posture dashboard features at the fleet level\n\n[Autopilot](/kubernetes-engine/docs/concepts/autopilot-overview) [Standard](/kubernetes-engine/docs/concepts/choose-cluster-mode)\n\n*** ** * ** ***\n\nThis page explains how to configure fleet-level default settings for the [Google Kubernetes Engine (GKE)\nsecurity posture dashboard](/kubernetes-engine/docs/concepts/about-security-posture-dashboard).\nThe security posture dashboard\nprovides you with opinionated and actionable recommendations to improve your\nclusters' security posture. If you have [enabled\nGKE Enterprise](/kubernetes-engine/docs/how-to/enable-gkee), you\ncan enable settings for the security posture dashboard at the fleet level.\n\nYou can create fleet-level defaults for the following\nsecurity posture dashboard settings:\n\n- Kubernetes security posture scanning `standard` tier: audit the clusters and workloads in your fleet for common security configuration concerns.\n- Workload vulnerability scanning, available in the following tiers:\n\n - Workload OS vulnerability scanning (`standard` tier): scan the container OS for known vulnerabilities.\n - Advanced vulnerability insights (`enterprise` tier): scan the container OS and language packages for known vulnerabilities.\n\n | **Caution:** Starting on July 23, 2024, container OS vulnerability scanning is deprecated and is scheduled for shutdown on July 31, 2025. Starting on June 16, 2025, Advanced Vulnerability Insights is deprecated and is scheduled for shutdown on June 16, 2026. For more information about deprecation and shutdown dates, see [Vulnerability scanning removal from GKE](/kubernetes-engine/docs/deprecations/vulnerability-scanning-gkee).\n\nThis page is for Security specialists who want to implement first-party\nvulnerability detection solutions across a fleet of clusters. To learn more about\ncommon roles and example tasks that we reference in Google Cloud content, see\n[Common GKE user roles and tasks](/kubernetes-engine/enterprise/docs/concepts/roles-tasks).\n\nBefore reading this page, ensure that you're familiar with the general overview\nof [workload vulnerability scanning](/kubernetes-engine/docs/concepts/about-workload-vulnerability-scanning).\n\nTo learn how to configure these settings for individual clusters, see the\nfollowing resources:\n\n- [Automatically audit workloads for configuration issues](/kubernetes-engine/docs/how-to/protect-workload-configuration)\n- [Automatically scan workloads for known vulnerabilities](/kubernetes-engine/docs/how-to/security-posture-vulnerability-scanning) (Deprecated)\n\nConfigure fleet-level defaults\n------------------------------\n\nThis section describes how to configure security posture dashboard features\nas fleet-level defaults. Any new clusters that you register to a fleet during\ncluster creation have your specified security posture features enabled.\nThe fleet-level default settings that you configure take priority over any\ndefault GKE security posture settings. To view the default\nsettings that apply to your edition of GKE, see the\n[Cluster-specific features table](/kubernetes-engine/docs/concepts/about-security-posture-dashboard#cluster-specific-features).\n\nTo configure fleet-level defaults for security posture, complete the\nfollowing steps: \n\n### Console\n\n1. In the Google Cloud console, go to the **Feature Manager** page.\n\n [Go to Feature Manager](https://console.cloud.google.com/kubernetes/features/overview)\n2. In the **Security Posture** pane, click **Configure**.\n\n3. Review your fleet-level settings. All new clusters you register to the\n fleet inherit these settings.\n\n4. Optional: To change the default settings, click **Customize fleet\n settings** . In the **Customize fleet default configuration** dialog that\n appears, do the following:\n\n 1. For **Configuration audit** , choose if [configuration auditing](/kubernetes-engine/docs/concepts/about-configuration-scanning) should be enabled or disabled.\n 2. For **Vulnerability scanning** (Deprecated), select the level of [vulnerability scanning](/kubernetes-engine/docs/concepts/about-workload-vulnerability-scanning) that you want; **Disabled** , **Basic** , or **Advanced (recommended)**.\n 3. Click **Save**.\n\n If you later disable fleet-level configuration for these features, your\n current workloads in existing member clusters are still scanned and you\n can see the security concerns on the security posture dashboard.\n However, any new clusters you create in that fleet won't be scanned for\n concerns, unless you enable the security posture features on them\n individually.\n5. To apply the setting to new clusters, click **Configure**.\n\n6. In the confirmation dialog, click **Confirm**.\n\n7. Optional: Sync existing clusters to the default settings:\n\n 1. In the **Clusters in the fleet** list, select the clusters that you want to sync.\n 2. Click **Sync to fleet settings** and click **Confirm** in the confirmation dialog that appears. This operation can take a few minutes to complete.\n\n### gcloud\n\nMake sure that you have\n[gcloud CLI version 455.0.0](/sdk/docs/install) or later.\n\n### Configure defaults for a new fleet\n\nYou can [create an empty fleet](/kubernetes-engine/fleet-management/docs/fleet-creation#optional_create_an_empty_fleet)\nwith the security posture dashboard features you want enabled.\n\n- To create a fleet with workload configuration auditing enabled, run the\n following command:\n\n gcloud container fleet create --security-posture standard\n\n- To create a fleet with workload vulnerability scanning (Deprecated)\n enabled, run the following command:\n\n gcloud container fleet create --workload-vulnerability-scanning \u003cvar translate=\"no\"\u003eVULNERABILITY_SCANNING_TIER\u003c/var\u003e\n\n Replace \u003cvar translate=\"no\"\u003eVULNERABILITY_SCANNING_TIER\u003c/var\u003e with one of the\n following values:\n - `standard`: scan the container OS for known vulnerabilities.\n - `enterprise`: scan the container OS and language packages for known vulnerabilities.\n\n### Configure defaults for an existing fleet\n\n- To enable workload configuration auditing on an existing fleet, run the\n following command:\n\n gcloud container fleet update --security-posture standard\n\n- To enable workload vulnerability scanning (Deprecated) on an existing fleet,\n run the following command:\n\n gcloud container fleet update --workload-vulnerability-scanning \u003cvar translate=\"no\"\u003eVULNERABILITY_SCANNING_TIER\u003c/var\u003e\n\n Replace \u003cvar translate=\"no\"\u003eVULNERABILITY_SCANNING_TIER\u003c/var\u003e with one of the\n following values:\n - `standard`: scan the container OS for known vulnerabilities.\n - `enterprise`: scan the container OS and language packages for known vulnerabilities.\n- To change workload vulnerability scanning tier on an existing fleet:\n\n 1. Check the existing security posture dashboard settings on a fleet:\n\n gcloud container fleet describe\n\n 2. Use the `update` command as described earlier with the workload\n scanning tier you want to change to:\n\n gcloud container fleet update --workload-vulnerability-scanning \u003cvar translate=\"no\"\u003eVULNERABILITY_SCANNING_TIER\u003cvar translate=\"no\"\u003e\n \u003c/var\u003e\u003c/var\u003e\n\n### Disable security posture dashboard features at fleet level\n\n- To disable workload configuration auditing, run the following command:\n\n gcloud container fleet update --security-posture disabled\n\n- To disable workload vulnerability scanning, run the following command:\n\n gcloud container fleet update --workload-vulnerability-scanning disabled\n\nIf you disable fleet-level configuration for these features, your current\nworkloads in existing member clusters are still scanned and you can see the\nsecurity concerns on the security posture dashboard. However, any new\nclusters you create in that fleet won't be scanned for concerns, unless you\nenable the security posture features on them individually.\n\nWhat's next\n-----------\n\n- Learn about the range of Google Cloud features to [secure your clusters and workloads](/kubernetes-engine/docs/concepts/security-overview).\n- Learn how [workload configuration auditing](/kubernetes-engine/docs/concepts/about-configuration-scanning) detects common security configuration concerns."]]
