Audit clusters for compliance standards

This page shows you how to automatically audit your clusters for compliance concerns and get actionable recommendations to improve the compliance of your Google Kubernetes Engine (GKE) Enterprise edition clusters. Compliance auditing is a feature of the GKE Compliance dashboard. For more information, see About the GKE Compliance dashboard.

Supported compliance standards

Compliance auditing scans your clusters for compliance against the following standards and provides recommendations to improve your compliance posture:

  • CIS Google Kubernetes Engine Benchmark v1.5.0: a set of recommended security controls for configuring Google Kubernetes Engine (GKE), based on the CIS Google Kubernetes Engine (GKE) Benchmarks v1.5.0.
  • Pod Security Standards Baseline: a set of recommended protections for Kubernetes clusters, based on the Kubernetes Pod Security Standards (PSS) Baseline policy.
  • Pod Security Standards Restricted: a set of recommended protections for Kubernetes clusters, based on the Kubernetes Pod Security Standards (PSS) Restricted policy.

The default set of standards includes all three supported standards:

  • CIS Google Kubernetes Engine Benchmark v1.5.0
  • Pod Security Standards Baseline
  • Pod Security Standards Restricted

Pricing

The GKE Compliance dashboard is available for users who have enabled GKE Enterprise.

Before you begin

Before you start, make sure you have performed the following tasks:

Requirements

To get the permissions that you need to use compliance auditing, ask your administrator to grant you the following IAM roles on your Google Cloud project:

For more information about granting roles, see Manage access to projects, folders, and organizations.

These predefined roles contain the permissions required to use compliance auditing. The exact permissions that are required are listed in the Required permissions section:

Required permissions

The following permissions are required to use compliance auditing:

  • resourcemanager.projects.get
  • resourcemanager.projects.list
  • containersecurity.locations.list
  • containersecurity.locations.get
  • containersecurity.clusterSummaries.list
  • containersecurity.findings.list
  • container.clusters.list
  • gkehub.features.get
  • gkehub.memberships.list

You might also be able to get these permissions with custom roles or other predefined roles.

Enable auditing on an existing cluster

You can enable compliance auditing on your cluster by using the Google Cloud console.

  1. Go to the Compliance page in the Google Cloud console.

  2. In the Settings card, click Select clusters.

  3. In the Audit disabled tab, select the checkboxes for the clusters that you want to add.

  4. Click Enable to enable auditing on those clusters.

Deploy a test workload

Deploy a sample Pod that intentionally violates the Pod Security Standards.

  1. Save the following manifest as noncompliant-sample.yaml:

    apiVersion: v1
    kind: Pod
    metadata:
      namespace: default
      name: wp-non-compliant
      labels:
        app: wordpress
    spec:
      containers:
      - image: nginx
        name: wordpress
        securityContext:
          capabilities:
            add:
            - NET_RAW
    
  2. Apply the resource to your cluster:

    kubectl apply -f noncompliant-sample.yaml
    

If you want to try other violations, modify noncompliant-sample.yaml with a different, non-compliant configuration.
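The capability rules that the sample Pod breaks can also be checked locally before a manifest reaches the cluster and the audit cycle runs. The following is an added example, not code from the GKE documentation; it mirrors noncompliant-sample.yaml as a Python dict and encodes the capability lists from the Kubernetes Pod Security Standards Baseline and Restricted policies.

```python
# Added example, not from the GKE documentation: a local pre-check for the capability
# rules of the Pod Security Standards (PSS) Baseline and Restricted policies.

# Capabilities that PSS Baseline permits a container to add (anything else is a violation).
BASELINE_ALLOWED_ADD = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}
# PSS Restricted requires dropping ALL and permits adding only NET_BIND_SERVICE.
RESTRICTED_ALLOWED_ADD = {"NET_BIND_SERVICE"}

# The same content as noncompliant-sample.yaml, written as a dict so no YAML parser is needed.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"namespace": "default", "name": "wp-non-compliant", "labels": {"app": "wordpress"}},
    "spec": {"containers": [{
        "image": "nginx",
        "name": "wordpress",
        "securityContext": {"capabilities": {"add": ["NET_RAW"]}},
    }]},
}


def check_capabilities(pod):
    """Return (container, standard, message) tuples for each capability rule the Pod breaks."""
    findings = []
    spec = pod.get("spec", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        added = {cap.upper() for cap in caps.get("add") or []}
        dropped = {cap.upper() for cap in caps.get("drop") or []}
        for cap in sorted(added - BASELINE_ALLOWED_ADD):
            findings.append((c["name"], "Baseline", f"adds capability {cap}"))
        for cap in sorted(added - RESTRICTED_ALLOWED_ADD):
            findings.append((c["name"], "Restricted", f"adds capability {cap}"))
        if "ALL" not in dropped:
            findings.append((c["name"], "Restricted", "does not drop ALL capabilities"))
    return findings


if __name__ == "__main__":
    for container, standard, message in check_capabilities(SAMPLE_POD):
        print(f"{container}: violates PSS {standard}: {message}")
```

The check covers only the capabilities rule; the full Baseline and Restricted policies contain further rules (host namespaces, privileged mode, seccomp, and others) that the cluster audit evaluates.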

View and resolve compliance issues

The initial audit takes up to 30 minutes to return results. You can view the results on the Compliance page or as entries in your cluster logs.

View results

To see an overview of compliance issues across your project's clusters, do the following:

  1. Go to the Compliance page in the Google Cloud console.

  2. Click the Concerns tab.

  3. In the Filter concerns pane, in the Standards section, select the standard for which you want details.

View standard details and recommendations

To view detailed information about a specific standard, expand the standard section until you see the description link and then click the standard description to open the Compliance Constraint pane.

The Details tab shows the following information:

  • Description: a description of the standard.
  • Recommended action: an overview of actions that you can take to fix the compliance issue.

The Affected Resources tab lists the resources affected by the standard.

View logs for discovered concerns

GKE adds entries to the _Default log bucket in Logging for each discovered concern. These logs are only retained for a specific period. For details, see Logs retention periods.

  1. In the Google Cloud console, go to the Logs Explorer:

  2. In the Query field, specify the following query:

    resource.type="k8s_cluster"
    jsonPayload.@type="type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding"
    jsonPayload.type="FINDING_TYPE_MISCONFIG"
    jsonPayload.configuration.violation:*
  3. Click Run query.

To receive notifications when GKE adds new findings to Logging, set up log-based alerts for this query. For more information, see Configure log-based alerts.
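If you route these findings out of Logging (for example, through a log sink to a Pub/Sub subscriber that raises alerts), the same four conditions as the Logs Explorer query have to be applied to each exported entry. The following is an added example, not code from the GKE documentation; the entries it processes are constructed, the violation payload is a placeholder rather than the real Finding schema, and it assumes the standard cluster_name label of the k8s_cluster resource.

```python
# Added example, not from the GKE documentation: the Logs Explorer filter evaluated in Python
# over exported log entries. The entries are constructed; the violation payload is a
# placeholder and does not reflect the real Finding schema.
FINDING_TYPE_URL = "type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding"


def _get(entry, dotted_path):
    """Walk a dotted path such as 'jsonPayload.configuration.violation'; None if a key is absent."""
    current = entry
    for key in dotted_path.split("."):
        if not isinstance(current, dict) or key not in current:
            return None
        current = current[key]
    return current


def is_misconfig_finding(entry):
    """Mirror the four-line filter: three equality tests plus the ':*' presence test."""
    return (_get(entry, "resource.type") == "k8s_cluster"
            and _get(entry, "jsonPayload.@type") == FINDING_TYPE_URL
            and _get(entry, "jsonPayload.type") == "FINDING_TYPE_MISCONFIG"
            and _get(entry, "jsonPayload.configuration.violation") is not None)


def findings_per_cluster(entries):
    """Count matching findings per cluster_name (a standard label of the k8s_cluster resource)."""
    counts = {}
    for entry in entries:
        if is_misconfig_finding(entry):
            name = _get(entry, "resource.labels.cluster_name") or "<unknown>"
            counts[name] = counts.get(name, 0) + 1
    return counts


def _finding(cluster, violation):
    """Build a constructed misconfiguration finding entry for the given cluster."""
    return {"resource": {"type": "k8s_cluster", "labels": {"cluster_name": cluster}},
            "jsonPayload": {"@type": FINDING_TYPE_URL, "type": "FINDING_TYPE_MISCONFIG",
                            "configuration": {"violation": violation}}}


SAMPLE_ENTRIES = [  # constructed sample input
    _finding("prod-a", "placeholder-violation-1"),
    _finding("prod-a", "placeholder-violation-2"),
    _finding("prod-b", "placeholder-violation-3"),
    # Same shape but no violation field: the ':*' test excludes it.
    {"resource": {"type": "k8s_cluster", "labels": {"cluster_name": "prod-b"}},
     "jsonPayload": {"@type": FINDING_TYPE_URL, "type": "FINDING_TYPE_MISCONFIG", "configuration": {}}},
    # Unrelated cluster log line: wrong resource type and no finding payload.
    {"resource": {"type": "k8s_container"}, "textPayload": "hello"},
]
```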

Clean up

Delete the sample Pod that you deployed:

    kubectl delete pod wp-non-compliant

Disable compliance auditing

You can disable compliance auditing by using the Google Cloud console.

  1. Go to the Compliance page in the Google Cloud console.

  2. In the Settings card, click Select clusters.

  3. In the Audit enabled tab, select the checkboxes for the clusters that you want to remove.

  4. Click Disable to disable auditing on those clusters.

Limitations

  • Windows Server node pools aren't supported.
  • Compliance auditing doesn't scan GKE-managed workloads, such as workloads in the kube-system namespace.
  • Compliance auditing is only available for clusters with fewer than 1,000 nodes.

What's next