Google GKE Security Features
Google Kubernetes Engine provides comprehensive security features leveraging Google Cloud's security infrastructure. GKE Autopilot mode enforces security best practices by default, including workload identity, shielded nodes, and hardened configurations. Even in Standard mode, GKE provides strong security defaults that organizations can enhance based on specific requirements.
Workload Identity represents GKE's approach to pod-level Google Cloud authentication. By binding Kubernetes service accounts to Google service accounts, workloads receive Google Cloud credentials without managing keys. This integration enables fine-grained access control to Google Cloud resources while maintaining security best practices.
```hcl
# GKE cluster with comprehensive security
resource "google_container_cluster" "primary" {
  name     = "production-cluster"
  location = "us-central1"

  # Use release channel for automatic updates
  release_channel {
    channel = "STABLE"
  }

  # Private cluster configuration
  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = false
    master_ipv4_cidr_block  = "172.16.0.0/28"
  }

  # Authorized networks for API access
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "10.0.0.0/8"
      display_name = "internal"
    }
  }

  # Workload Identity
  workload_identity_config {
    workload_pool = "project-id.svc.id.goog"
  }

  # Binary Authorization
  binary_authorization {
    evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
  }

  # Database encryption (etcd encrypted with a customer-managed Cloud KMS key)
  database_encryption {
    state    = "ENCRYPTED"
    key_name = "projects/project-id/locations/us-central1/keyRings/cluster-keys/cryptoKeys/etcd-key"
  }

  # Enable network policy. The network_policy block only takes effect when the
  # network policy add-on is enabled as well.
  addons_config {
    network_policy_config {
      disabled = false
    }
  }
  network_policy {
    enabled  = true
    provider = "CALICO"
  }

  # Shielded nodes. The GKE_METADATA mode is required on the nodes for
  # Workload Identity to serve credentials to pods.
  node_config {
    shielded_instance_config {
      enable_secure_boot          = true
      enable_integrity_monitoring = true
    }
    workload_metadata_config {
      mode = "GKE_METADATA"
    }
  }

  # Security monitoring (cluster_telemetry requires the google-beta provider)
  cluster_telemetry {
    type = "ENABLED"
  }

  # Maintenance window
  maintenance_policy {
    recurring_window {
      start_time = "2023-11-20T00:00:00Z"
      end_time   = "2023-11-20T04:00:00Z"
      recurrence = "FREQ=WEEKLY;BYDAY=SU"
    }
  }
}
```
```yaml
---
# Workload Identity binding. The annotation alone is not enough: the Google
# service account also needs a roles/iam.workloadIdentityUser binding for the
# member serviceAccount:project-id.svc.id.goog[production/app-ksa].
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-ksa
  namespace: production
  annotations:
    # Placeholder GSA address; the original value was garbled on the page
    iam.gke.io/gcp-service-account: app-gsa@project-id.iam.gserviceaccount.com
---
# Binary Authorization policy
apiVersion: binaryauthorization.grafeas.io/v1beta1
kind: Policy
metadata:
  name: production-policy
spec:
  # Allow Google-maintained system images via the global policy
  globalPolicyEvaluationMode: ENABLE
  defaultAdmissionRule:
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
    requireAttestationsBy:
      - projects/project-id/attestors/prod-attestor
  # Cluster-specific rule for the production cluster
  clusterAdmissionRules:
    us-central1.production-cluster:
      evaluationMode: REQUIRE_ATTESTATION
      enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
      requireAttestationsBy:
        - projects/project-id/attestors/prod-attestor
  # Exempt system namespaces
  kubernetesNamespaceAdmissionRules:
    kube-system:
      evaluationMode: ALWAYS_ALLOW
    kube-public:
      evaluationMode: ALWAYS_ALLOW
    gke-system:
      evaluationMode: ALWAYS_ALLOW
```
Binary Authorization provides admission control based on image signatures and attestations. This feature ensures only verified images run in GKE clusters, protecting against supply chain attacks. Integration with Container Analysis provides vulnerability scanning results as attestations, enabling policy-based deployment decisions based on security posture.
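As an added example (not code from the page or from Google), the following audits a Binary Authorization policy like the one above for settings that would let unverified images through: ALWAYS_ALLOW rules outside the system namespaces, REQUIRE_ATTESTATION rules with no attestors, and DRYRUN enforcement. It assumes the policy has already been parsed into a dict (what yaml.safe_load returns for the spec section); the two policies at the bottom are constructed sample input.

```python
# Added example, not code from the page: an offline audit of a GKE Binary Authorization
# policy in parsed form (the dict yaml.safe_load returns for the spec above).
SYSTEM_NAMESPACES = {"kube-system", "kube-public", "gke-system"}
BLOCKING = "ENFORCED_BLOCK_AND_AUDIT_LOG"

def audit_rule(label, rule):
    """Flag an admission rule that would let unverified images through."""
    findings = []
    mode = rule.get("evaluationMode")
    if mode == "ALWAYS_ALLOW":
        findings.append(f"{label}: ALWAYS_ALLOW skips attestation checks")
    elif mode == "REQUIRE_ATTESTATION" and not rule.get("requireAttestationsBy"):
        findings.append(f"{label}: REQUIRE_ATTESTATION lists no attestors")
    # enforcementMode only matters for rules that can deny; ALWAYS_ALLOW never does
    if mode != "ALWAYS_ALLOW" and rule.get("enforcementMode") != BLOCKING:
        findings.append(f"{label}: enforcementMode {rule.get('enforcementMode')} only audits")
    return findings

def audit_policy(policy):
    """Return human-readable findings; an empty list means the policy is strict."""
    findings = []
    if policy.get("globalPolicyEvaluationMode") != "ENABLE":
        findings.append("globalPolicyEvaluationMode: Google system images not covered")
    findings += audit_rule("defaultAdmissionRule", policy.get("defaultAdmissionRule", {}))
    for cluster, rule in policy.get("clusterAdmissionRules", {}).items():
        findings += audit_rule(f"cluster {cluster}", rule)
    for ns, rule in policy.get("kubernetesNamespaceAdmissionRules", {}).items():
        if ns not in SYSTEM_NAMESPACES:  # system namespaces are exempt by design
            findings += audit_rule(f"namespace {ns}", rule)
    return findings

# Constructed sample input: the page's policy, and a loosened copy of it.
STRICT_RULE = {"evaluationMode": "REQUIRE_ATTESTATION", "enforcementMode": BLOCKING,
               "requireAttestationsBy": ["projects/project-id/attestors/prod-attestor"]}
PAGE_POLICY = {
    "globalPolicyEvaluationMode": "ENABLE",
    "defaultAdmissionRule": STRICT_RULE,
    "clusterAdmissionRules": {"us-central1.production-cluster": STRICT_RULE},
    "kubernetesNamespaceAdmissionRules": {ns: {"evaluationMode": "ALWAYS_ALLOW"}
                                          for ns in SYSTEM_NAMESPACES},
}
LOOSE_POLICY = {
    **PAGE_POLICY,
    "defaultAdmissionRule": {**STRICT_RULE, "enforcementMode": "DRYRUN_AUDIT_LOG_ONLY"},
    "kubernetesNamespaceAdmissionRules": {"production": {"evaluationMode": "ALWAYS_ALLOW"}},
}

if __name__ == "__main__":
    for name, pol in (("page policy", PAGE_POLICY), ("loosened policy", LOOSE_POLICY)):
        print(name, "->", audit_policy(pol) or "no findings")
```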