Find threats in clusters using GKE threat detection


This page shows you how to find active threats in Google Kubernetes Engine (GKE) Enterprise edition clusters running on Google Cloud and get actionable mitigation recommendations. GKE threat detection is an advanced capability of the GKE security posture dashboard. For more information, see About GKE threat detection.

GKE threat detection is only available in projects that use GKE Enterprise and have eligible GKE clusters.

Pricing

GKE threat detection is offered at no extra cost through GKE Enterprise.

Before you begin

  1. Ensure that you're a GKE Enterprise user. To set up GKE Enterprise, see Enable GKE Enterprise.
  2. Enable the Container Security API.

  3. Ensure that you have an existing GKE cluster that's registered to a fleet. To create and register a new cluster, see Register a new cluster.

Considerations before you enable GKE threat detection

Enabling GKE threat detection also enables the following capabilities of the Kubernetes security posture scanning feature. These features are also offered at no extra cost.

Additionally, when you enable GKE threat detection on a cluster in your project, you also enable the following Security Command Center components in the project. If you want to remove GKE threat detection from your project later, you must disable these components individually.

  • Security Command Center API
  • Security Command Center add-on for GKE Enterprise
  • Security Command Center service account
  • Container Threat Detection service account

During the enablement process, you grant the following IAM roles to the Security Command Center service account and the Container Threat Detection service account:

Enable GKE threat detection in your project

You must enable GKE threat detection in your project before you enable it in your clusters. If you already enabled GKE threat detection, skip this step.

  1. Go to the Security Posture page in the Google Cloud console.

  2. In the Threat tile, click Enable threat detection.

  3. Review the permissions and IAM roles that you'll grant, and then click Grant roles and enable threat detection. This enables GKE threat detection in your project.

  4. To enroll clusters in GKE threat detection, click Select clusters on settings page, and then do the following:

    1. Select the checkboxes for clusters that you want to enroll in GKE threat detection.
    2. In the Select action drop-down, select Set to Advanced.
    3. Click Apply.

Enable GKE threat detection on individual clusters

If you already enabled GKE threat detection in your project, you can enable threat detection in existing clusters that are registered to a fleet by using the Google Cloud console or the Google Cloud CLI.

Console

  1. Go to the Security Posture page in the Google Cloud console.

  2. Click the Settings tab.

  3. In the Security posture enabled clusters section, click Select clusters.

  4. Select the checkboxes for the clusters on which you want to enable GKE threat detection.

  5. In the Select action drop-down, select Set to Advanced.

  6. Click Apply.

gcloud

Run the following command:

gcloud container clusters update CLUSTER_NAME \
    --location=LOCATION \
    --security-posture=enterprise

Replace the following:

  • CLUSTER_NAME: the name of your GKE cluster.
  • LOCATION: the Compute Engine location of your cluster.

View and act on GKE threat detection results

After you enable this feature, it might take up to 15 minutes to start seeing results. GKE displays the results on the security posture dashboard and automatically adds entries to the cluster logs.

View results

To see an overview of discovered concerns across your project's clusters and workloads, do the following:

  1. Go to the Security Posture page in the Google Cloud console.

  2. Click the Concerns tab.

  3. In the Filter concerns pane, in the Concern type section, select the Threat checkbox. You can also expand the Threat section to filter by sub-categories like MITRE ATT&CK® type.

  4. To view details for an individual threat finding, click the description of that finding. The finding details pane opens and has the following information:

    • Details about the threat, like severity and status
    • Recommendations to mitigate the threat
    • A list of affected resources across enrolled clusters

View results in Security Command Center

If you use the Premium tier of Security Command Center, GKE threat detection results also appear there as THREAT findings. To view them, go to the Threats page in the Google Cloud console.

View logs for discovered concerns

GKE adds an entry to the _Default log bucket in Logging for each discovered concern. The _Default bucket keeps these entries only for its configured retention period, so if you need a longer record for investigations, route the entries to another bucket or sink. For details, see Logs retention periods.

  1. In the Google Cloud console, go to the Logs Explorer.
  2. In the Query field, specify the following query:

    resource.type="k8s_cluster"
    jsonPayload.@type="type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding"
    jsonPayload.type="FINDING_TYPE_THREAT"
  3. Click Run query.

To receive notifications when GKE adds new findings to Logging, set up log-based alerts for this query. For more information, see Configure log-based alerts.
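The following is an added example, not code from the original page or from Google, that applies the query above to log entries exported with gcloud logging read --format=json and reduces the matches to the per-cluster summary a log-based alert would act on. The sample entries are constructed. The resource.labels keys are the real k8s_cluster labels, but the severity and finding fields inside jsonPayload, the severity ordering, and the decision to escalate findings that carry no severity are assumptions made for the example.

```python
"""Replay the page's Logs Explorer query over exported log entries and
summarize GKE threat findings per cluster, the way a log-based alert would."""
import json
from collections import Counter, defaultdict

# The two jsonPayload values the page's query matches on.
FINDING_PAYLOAD_TYPE = (
    "type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding"
)
THREAT_FINDING_TYPE = "FINDING_TYPE_THREAT"

# The page's three-clause filter as one string, usable with `gcloud logging read`.
THREAT_FILTER = (
    'resource.type="k8s_cluster" '
    f'jsonPayload.@type="{FINDING_PAYLOAD_TYPE}" '
    f'jsonPayload.type="{THREAT_FINDING_TYPE}"'
)

# Severity ordering used to decide what to page on (assumed; not from the page).
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed sample entries in the JSON shape `gcloud logging read --format=json`
# returns. resource.labels uses the real k8s_cluster labels; jsonPayload fields
# other than @type and type (severity, finding) are assumed for illustration.
SAMPLE_LOG_JSON = """[
 {"insertId": "c1", "timestamp": "2024-05-01T10:00:00Z",
  "resource": {"type": "k8s_cluster", "labels": {"project_id": "example-project", "location": "us-central1", "cluster_name": "prod-a"}},
  "jsonPayload": {"@type": "type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding",
                  "type": "FINDING_TYPE_THREAT", "severity": "MEDIUM", "finding": "constructed-threat-1"}},
 {"insertId": "c2", "timestamp": "2024-05-01T10:05:00Z",
  "resource": {"type": "k8s_cluster", "labels": {"project_id": "example-project", "location": "us-central1", "cluster_name": "prod-a"}},
  "jsonPayload": {"@type": "type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding",
                  "type": "FINDING_TYPE_THREAT", "severity": "CRITICAL", "finding": "constructed-threat-2"}},
 {"insertId": "c3", "timestamp": "2024-05-01T10:06:00Z",
  "resource": {"type": "k8s_cluster", "labels": {"project_id": "example-project", "location": "us-central1", "cluster_name": "prod-b"}},
  "jsonPayload": {"@type": "type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding",
                  "type": "FINDING_TYPE_CONSTRUCTED_OTHER", "severity": "HIGH", "finding": "not-a-threat"}},
 {"insertId": "c4", "timestamp": "2024-05-01T10:07:00Z",
  "resource": {"type": "k8s_container", "labels": {"project_id": "example-project", "location": "us-central1", "cluster_name": "prod-b"}},
  "jsonPayload": {"@type": "type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding",
                  "type": "FINDING_TYPE_THREAT", "severity": "HIGH", "finding": "wrong-resource-type"}},
 {"insertId": "c5", "timestamp": "2024-05-01T10:08:00Z",
  "resource": {"type": "k8s_cluster", "labels": {"project_id": "example-project", "location": "us-central1", "cluster_name": "prod-b"}},
  "jsonPayload": {"@type": "type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding",
                  "type": "FINDING_TYPE_THREAT", "finding": "constructed-threat-3-no-severity"}},
 {"insertId": "c6", "timestamp": "2024-05-01T10:09:00Z",
  "resource": {"type": "k8s_cluster", "labels": {"project_id": "example-project", "location": "us-central1", "cluster_name": "prod-c"}},
  "jsonPayload": {"@type": "type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding",
                  "type": "FINDING_TYPE_THREAT", "severity": "LOW", "finding": "constructed-threat-4"}}
]"""


def gcloud_read_argv(project, freshness="1h"):
    """argv that fetches matching entries for a project (--freshness and
    --format are real flags of `gcloud logging read`)."""
    return ["gcloud", "logging", "read", THREAT_FILTER,
            f"--project={project}", f"--freshness={freshness}", "--format=json"]


def parse_entries(raw_json):
    """Decode the JSON array that `gcloud logging read --format=json` prints."""
    return json.loads(raw_json)


def matches_threat_query(entry):
    """Python equivalent of the page's Logs Explorer filter: all three clauses
    must hold, so findings of other types (c3) and threat payloads attached to
    a non-cluster resource (c4) are rejected."""
    payload = entry.get("jsonPayload") or {}
    return (
        entry.get("resource", {}).get("type") == "k8s_cluster"
        and payload.get("@type") == FINDING_PAYLOAD_TYPE
        and payload.get("type") == THREAT_FINDING_TYPE
    )


def threat_findings(entries):
    return [e for e in entries if matches_threat_query(e)]


def cluster_key(entry):
    labels = entry["resource"]["labels"]
    return f"{labels['project_id']}/{labels['location']}/{labels['cluster_name']}"


def summarize_by_cluster(entries):
    """Count threat findings per cluster and severity; a finding without a
    severity field is counted under UNKNOWN rather than dropped."""
    summary = defaultdict(Counter)
    for e in threat_findings(entries):
        summary[cluster_key(e)][e["jsonPayload"].get("severity", "UNKNOWN")] += 1
    return {k: dict(v) for k, v in summary.items()}


def clusters_needing_attention(entries, min_severity="HIGH"):
    """Clusters with at least one threat finding at or above min_severity.
    Unknown severities are escalated (fail closed) instead of being ignored."""
    threshold = SEVERITY_RANK[min_severity]
    hits = set()
    for e in threat_findings(entries):
        sev = e["jsonPayload"].get("severity")
        if sev not in SEVERITY_RANK or SEVERITY_RANK[sev] >= threshold:
            hits.add(e["resource"]["labels"]["cluster_name"])
    return sorted(hits)


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG_JSON)
    print(" ".join(gcloud_read_argv("example-project")))
    print(json.dumps(summarize_by_cluster(entries), indent=2))
    print("needs attention:", clusters_needing_attention(entries))
```

Run it against real data by piping the output of the printed gcloud command into parse_entries instead of SAMPLE_LOG_JSON. Keeping all three filter clauses in matches_threat_query matters: dropping the resource.type clause would admit the c4 entry, and dropping the type clause would admit the non-threat finding c3, so an alert built on a looser filter would fire on posture findings that are not threats.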

Disable GKE threat detection

You can disable GKE threat detection in your clusters. To disable GKE threat detection on your project, you must manually remove the individual Security Command Center components that were created when you enabled the feature.

Disable GKE threat detection in clusters

You can disable GKE threat detection in clusters by using the gcloud CLI or the Google Cloud console.

Console

  1. Go to the Security Posture page in the Google Cloud console.

    Go to Security Posture

  2. Click the Settings tab.

  3. In the Security posture enabled clusters section, click Select clusters.

  4. Select the checkboxes for the clusters on which you want to disable GKE threat detection.

  5. In the Select action drop-down, do one of the following:

    • Recommended: To disable GKE threat detection but keep other features like configuration auditing, select Set to Basic.
    • To disable all Kubernetes security posture scanning features, select Set to Disabled.
  6. Click Apply.

gcloud

Run the following command:

gcloud container clusters update CLUSTER_NAME \
    --location=LOCATION \
    --security-posture=TIER

Replace the following:

  • CLUSTER_NAME: the name of the cluster.
  • LOCATION: the location of the cluster.
  • TIER: the Kubernetes security posture tier. Must be one of the following:

    • standard (Recommended): Disable GKE threat detection but keep other Kubernetes security posture scanning features.
    • disabled: Disable all Kubernetes security posture scanning features on the cluster, including configuration auditing.

What's next