Secure your fleet

Google Cloud provides a range of features to secure your fleet and the applications that run on it. This page provides an overview of fleet security features, with links to find out more.

Manage identity

Google Cloud provides the following options for authenticating to fleet clusters in a simple, consistent, and secured way, wherever the clusters live. After you have set up authentication, you can configure more fine-grained access control to your clusters using Kubernetes role-based access control (RBAC).

Authenticate with Google Cloud

All GKE clusters on Google Cloud are configured to accept Google Cloud user and service account identities by default. If your fleet contains clusters in multiple environments, you can configure the Connect gateway so that users and service accounts can also authenticate to any registered cluster using their Google Cloud ID.

Learn more about setting up and using authentication with Google Cloud in the following guides:

Authenticate with third-party providers

If you want to use your existing third-party identity provider to authenticate to your fleet clusters, GKE Identity Service is an authentication service that lets you bring your existing identity solutions to multiple environments. It supports all OpenID Connect (OIDC) providers such as Okta and Microsoft AD FS, as well as preview support for LDAP providers in some environments. You can set up GKE Identity Service on a cluster-by-cluster basis or with a single configuration for your entire fleet, where supported.

Learn more about setting up and using third-party authentication, including supported environments and providers, in the following guides:

Authenticate with a bearer token

If the preceding Google-provided solutions aren't suitable for your organization, you can set up authentication using a Kubernetes service account and using its bearer token to log in. For details, see Set up using a bearer token.

Manage fleet security

Google Cloud provides a range of features and products that improve the security of your fleets and workloads, such as the following:

  • Binary Authorization to ensure that only trusted images are deployed on your fleet clusters
  • Kubernetes network policies to control connections between Pods
  • Fine-grained service access control for Cloud Service Mesh
  • The GKE security posture dashboard to monitor your clusters' security posture.

Monitor fleet security posture

The GKE security posture dashboard helps you assess and manage your fleet's GKE clusters for security concerns and get actionable recommendations to fix them. Capabilities include:

The dashboard displays discovered concerns for all of the clusters in the selected fleet and for any standalone GKE clusters in the selected project.

Configure security posture dashboard features at fleet level

If you have enabled GKE Enterprise, you can manage some security dashboard features at fleet level, so that all the clusters in your fleet can use the same default settings for security observability.

Fleet security resources

Learn more about fleet security features in the following guides:

Monitor cluster compliance with industry standards

The GKE Compliance dashboard gives you an overview of your cluster's compliance with industry standards such as CIS GKE Benchmark and the Kubernetes Pod Security Standards. The dashboard automates compliance reporting, provides a detailed list of any concerns found as well as actionable recommendations.

Manage cluster policies

Policy Controller enables the enforcement of fully programmable policies for your fleet clusters. These policies act as "guardrails" and prevent any changes to the configuration of the Kubernetes API from violating security, operational, or compliance controls.

Learn more about what you can do with Policy Controller in the Policy Controller documentation.