This page shows you how to find active threats in Google Kubernetes Engine (GKE) Enterprise edition clusters running on Google Cloud and get actionable mitigation recommendations. GKE threat detection is an advanced capability of the GKE security posture dashboard. For more information, see About GKE threat detection.
GKE threat detection is only available in projects that use GKE Enterprise and have eligible GKE clusters.
Pricing
GKE threat detection is offered at no extra cost through GKE Enterprise.
Before you begin
- Ensure that you're a GKE Enterprise user. To set up GKE Enterprise, see Enable GKE Enterprise.
- Enable the Container Security API.
- Ensure that you have an existing GKE cluster that's registered to a fleet. To create and register a new cluster, see Register a new cluster.
Considerations before you enable GKE threat detection
Enabling GKE threat detection also enables the following capabilities of the Kubernetes security posture scanning feature. These features are also offered at no extra cost.
Additionally, when you enable GKE threat detection on a cluster in your project, you also enable the following Security Command Center components in the project. If you want to remove GKE threat detection from your project later, you must disable these components individually.
- Security Command Center API
- Security Command Center add-on for GKE Enterprise
- Security Command Center service account
- Container Threat Detection service account
During the enablement process, you grant the following IAM roles to the Security Command Center service account and the Container Threat Detection service account:
- Security Command Center service account: Security Center Service Agent (roles/securitycenter.serviceAgent)
- Container Threat Detection service account: Container Threat Detection Service Agent (roles/containerthreatdetection.serviceAgent)
Enable GKE threat detection in your project
You must enable GKE threat detection in your project before you enable it in your clusters. If you already enabled GKE threat detection, skip this step.
Go to the Security Posture page in the Google Cloud console.
In the Threat tile, click Enable threat detection.
Review the permissions and IAM roles that you'll grant, and then click Grant roles and enable threat detection. This enables GKE threat detection in your project.
To enroll clusters in GKE threat detection, click Select clusters on the Settings page, and then do the following:
- Select the checkboxes for clusters that you want to enroll in GKE threat detection.
- In the Select action drop-down, select Set to Advanced.
- Click Apply.
Enable GKE threat detection on individual clusters
If you already enabled GKE threat detection in your project, you can enable threat detection in existing clusters that are registered to a fleet by using the Google Cloud console or the Google Cloud CLI.
Console
Go to the Security Posture page in the Google Cloud console.
Click the Settings tab.
In the Security posture enabled clusters section, click Select clusters.
Select the checkboxes for the clusters on which you want to enable GKE threat detection.
In the Select action drop-down, select Set to Advanced.
Click Apply.
gcloud
Run the following command:
gcloud container clusters update CLUSTER_NAME \
--location=LOCATION \
--security-posture=enterprise
Replace the following:
- CLUSTER_NAME: the name of your GKE cluster.
- LOCATION: the Compute Engine location of your cluster.
View and act on GKE threat detection results
After you enable this feature, it might take up to 15 minutes to start seeing results. GKE displays the results on the security posture dashboard and automatically adds entries to the cluster logs.
View results
To see an overview of discovered concerns across your project's clusters and workloads, do the following:
Go to the Security Posture page in the Google Cloud console.
Click the Concerns tab.
In the Filter concerns pane, in the Concern type section, select the Threat checkbox. You can also expand the Threat section to filter by sub-categories like MITRE ATT&CK® type.
To view details for an individual threat finding, click the description of that finding. The finding details pane opens and has the following information:
- Details about the threat, like severity and status
- Recommendations to mitigate the threat
- A list of affected resources across enrolled clusters
View results in Security Command Center
If you use the Premium tier of Security Command Center, you can view GKE threat detection results as THREAT findings.
Go to the Threats page in the Google Cloud console.
View logs for discovered concerns
GKE adds entries to the _Default log bucket in Logging for each discovered concern. These logs are only retained for a specific period. For details, see Logs retention periods.
In the Google Cloud console, go to the Logs Explorer:
In the Query field, specify the following query:
resource.type="k8s_cluster"
jsonPayload.@type="type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding"
jsonPayload.type="FINDING_TYPE_THREAT"
Click Run query.
To receive notifications when GKE adds new findings to Logging, set up log-based alerts for this query. For more information, see Configure log-based alerts.
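As an added example (not from the Google Cloud documentation), the following Python reproduces the three conditions of that Logs Explorer query offline against constructed log entries, so you can sanity-check the matching logic behind a log-based alert or triage an exported batch of entries per cluster. It assumes the entries are newline-delimited JSON as exported from the _Default bucket; cluster_name is read from resource.labels on k8s_cluster entries, and the non-threat finding type in the sample is a constructed placeholder.

```python
import json
from collections import Counter

# The three conditions of the Logs Explorer query on this page, as constants.
FINDING_TYPE = ("type.googleapis.com/cloud.kubernetes.security."
                "containersecurity_logging.Finding")
THREAT_TYPE = "FINDING_TYPE_THREAT"


def is_threat_finding(entry: dict) -> bool:
    """True when a log entry satisfies all three conditions of the query."""
    payload = entry.get("jsonPayload") or {}
    return (
        entry.get("resource", {}).get("type") == "k8s_cluster"
        and payload.get("@type") == FINDING_TYPE
        and payload.get("type") == THREAT_TYPE
    )


def threat_findings_per_cluster(entries: list) -> dict:
    """Count matching entries by resource.labels.cluster_name (a k8s_cluster label)."""
    counts: Counter = Counter()
    for entry in entries:
        if is_threat_finding(entry):
            labels = entry.get("resource", {}).get("labels", {})
            counts[labels.get("cluster_name", "<unknown>")] += 1
    return dict(counts)


def parse_log_lines(text: str) -> list:
    """Parse newline-delimited JSON entries, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample entries (not real log output), one JSON entry per line.
# Only filter-relevant fields are included. "FINDING_TYPE_OTHER" is a placeholder
# for a non-threat finding type, not a value taken from the page.
SAMPLE_LOG_LINES = """\
{"resource": {"type": "k8s_cluster", "labels": {"cluster_name": "cluster-a"}}, "jsonPayload": {"@type": "type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding", "type": "FINDING_TYPE_THREAT"}}
{"resource": {"type": "k8s_cluster", "labels": {"cluster_name": "cluster-a"}}, "jsonPayload": {"@type": "type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding", "type": "FINDING_TYPE_THREAT"}}
{"resource": {"type": "k8s_cluster", "labels": {"cluster_name": "cluster-b"}}, "jsonPayload": {"@type": "type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding", "type": "FINDING_TYPE_THREAT"}}
{"resource": {"type": "k8s_cluster", "labels": {"cluster_name": "cluster-b"}}, "jsonPayload": {"@type": "type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding", "type": "FINDING_TYPE_OTHER"}}
{"resource": {"type": "k8s_container", "labels": {"cluster_name": "cluster-b"}}, "jsonPayload": {"@type": "type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding", "type": "FINDING_TYPE_THREAT"}}
{"resource": {"type": "k8s_cluster", "labels": {"cluster_name": "cluster-c"}}, "textPayload": "unrelated cluster log line"}
"""

SAMPLE_ENTRIES = parse_log_lines(SAMPLE_LOG_LINES)

if __name__ == "__main__":
    # Only the first three entries match: two on cluster-a, one on cluster-b.
    print(threat_findings_per_cluster(SAMPLE_ENTRIES))
```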
Disable GKE threat detection
You can disable GKE threat detection in your clusters. To disable GKE threat detection on your project, you must manually remove the individual Security Command Center components that were created when you enabled the feature.
Disable GKE threat detection in clusters
You can disable GKE threat detection in clusters by using the gcloud CLI or the Google Cloud console.
Console
Go to the Security Posture page in the Google Cloud console.
Click the Settings tab.
In the Security posture enabled clusters section, click Select clusters.
Select the checkboxes for the clusters on which you want to disable GKE threat detection.
In the Select action drop-down, do one of the following:
- Recommended: To disable GKE threat detection but keep other features like configuration auditing, select Set to Basic.
- To disable all Kubernetes security posture scanning features, select Set to Disabled.
Click Apply.
gcloud
Run the following command:
gcloud container clusters update CLUSTER_NAME \
--location=LOCATION \
--security-posture=TIER
Replace the following:
- CLUSTER_NAME: the name of the cluster.
- LOCATION: the location of the cluster.
- TIER: the Kubernetes security posture tier. Must be one of the following:
  - standard (Recommended): Disable GKE threat detection but keep other Kubernetes security posture scanning features.
  - disabled: Disable all Kubernetes security posture scanning features on the cluster, including configuration auditing.