This page shows you how to automatically audit your workload configurations for security concerns and get actionable recommendations to improve the security posture of your Google Kubernetes Engine (GKE) Autopilot and Standard clusters. It guides you through enabling workload configuration auditing, deploying a test workload, viewing and acting on configuration audit results, and disabling workload configuration auditing. It also covers the pricing, requirements, and limitations of workload configuration auditing.
This page is for Security specialists who monitor the security of their GKE clusters and want to learn more about how to automatically audit workload configurations in GKE Autopilot and Standard clusters. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE user roles and tasks.
Before reading this page, because workload configuration auditing is a feature of the security posture dashboard, ensure that you're familiar with the following concepts:
Pricing

The security posture dashboard is offered at no extra charge in GKE through the Container Security API.
Entries added to Cloud Logging use Cloud Logging pricing.
Before you begin

Before you start, make sure that you have performed the following tasks:

If you use the gcloud CLI, get the latest version by running gcloud components update.
Note: For existing gcloud CLI installations, make sure to set the compute/region property. If you use primarily zonal clusters, set the compute/zone property instead. By setting a default location, you can avoid errors in the gcloud CLI like the following: One of [--zone, --region] must be supplied: Please specify location. You might need to specify the location in certain commands if the location of your cluster differs from the default that you set.
Enable the Container Security API.
Ensure that you have an Autopilot or Standard cluster that runs version 1.21 or later. To create a new cluster, see Creating an Autopilot cluster.
To get the permissions that you need to use workload configuration auditing, ask your administrator to grant you the Security Posture Viewer (roles/containersecurity.viewer) IAM role on your Google Cloud project. For more information about granting roles, see Manage access to projects, folders, and organizations.
This predefined role contains the permissions required to use workload configuration auditing. To see the exact permissions that are required, expand the Required permissions section:
Required permissions

The following permissions are required to use workload configuration auditing:
resourcemanager.projects.get
resourcemanager.projects.list
containersecurity.locations.list
containersecurity.locations.get
containersecurity.clusterSummaries.list
containersecurity.findings.list
You might also be able to get these permissions with custom roles or other predefined roles.
Workload configuration auditing is enabled by default in new Autopilot and Standard clusters running version 1.27 and later. You can also manually enable this feature using the gcloud CLI or the Google Cloud console.
Enable configuration auditing on an existing cluster

gcloud

Update the cluster:

gcloud container clusters update CLUSTER_NAME \
    --location=CONTROL_PLANE_LOCATION \
    --security-posture=standard

Replace the following:

CLUSTER_NAME: the name of your cluster.
CONTROL_PLANE_LOCATION: the location of the control plane of your cluster. Provide a region for regional Standard and Autopilot clusters, or a zone for zonal Standard clusters.

Console

Go to the Security Posture page in the Google Cloud console.

If you use Google Kubernetes Engine (GKE) Enterprise edition to manage fleets of clusters, you can also configure fleet-level configuration auditing settings that apply to all member clusters. For instructions, see Configure GKE security posture dashboard features at fleet-level.
Deploy a test workload

Deploy a sample application that intentionally violates the Pod Security Standards.

Save the following manifest as misconfig-sample.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: helloweb
  labels:
    app: hello
spec:
  selector:
    matchLabels:
      app: hello
      tier: web
  template:
    metadata:
      labels:
        app: hello
        tier: web
    spec:
      containers:
      - name: hello-app
        image: us-docker.pkg.dev/google-samples/containers/gke/hello-app:1.0
        ports:
        - containerPort: 8080
        securityContext:
          runAsNonRoot: false   # intentional Pod Security Standards violation
        resources:
          requests:
            cpu: 200m
Deploy the application to your cluster:
kubectl apply -f misconfig-sample.yaml
If you want to try other violations, modify misconfig-sample.yaml with the corresponding "bad" configuration.
The initial audit takes up to 15 minutes to return results. GKE displays the results on the security posture dashboard and automatically adds entries to the cluster logs.
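The following Python script is an added example, not code from the GKE documentation or from the auditing feature itself. It approximates locally several of the Pod Security Standards rules that a configuration audit reports on (the Restricted-profile rules for runAsNonRoot, allowPrivilegeEscalation, capabilities and seccomp, plus the Baseline rules on host namespaces) so that a manifest can be linted before kubectl apply, and it goes beyond the page's single runAsNonRoot violation to show which other fields the sample Deployment would need before it passes. The sample manifest is embedded as a Python dict constructed from the YAML above; the check identifiers and the runAsUser 65534 choice are this example's own assumptions, not GKE finding names.

```python
"""Local pre-deploy checker approximating a few Pod Security Standards rules.

Added example, not GKE's workload configuration auditing code. Check IDs
(RUN_AS_NONROOT, ...) are names chosen here, not GKE finding names.
"""
from copy import deepcopy

# The page's misconfig-sample.yaml as a dict (constructed from the manifest
# above so the script runs without a YAML library).
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "helloweb", "labels": {"app": "hello"}},
    "spec": {
        "selector": {"matchLabels": {"app": "hello", "tier": "web"}},
        "template": {
            "metadata": {"labels": {"app": "hello", "tier": "web"}},
            "spec": {
                "containers": [{
                    "name": "hello-app",
                    "image": "us-docker.pkg.dev/google-samples/containers/gke/hello-app:1.0",
                    "ports": [{"containerPort": 8080}],
                    "securityContext": {"runAsNonRoot": False},
                    "resources": {"requests": {"cpu": "200m"}},
                }],
            },
        },
    },
}


def pod_spec(manifest):
    """Return the PodSpec of a bare Pod or of a workload with a pod template."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]


def check_pod_spec(spec):
    """Return (container_name, check_id, message) for every violation found."""
    findings = []
    pod_sc = spec.get("securityContext", {})
    # Sharing host namespaces is a pod-level Baseline violation.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            findings.append(("<pod>", field.upper(), f"{field} must not be true"))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        name = c["name"]
        # Container-level securityContext overrides the pod-level one.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append((name, "RUN_AS_NONROOT", "runAsNonRoot must be true"))
        if sc.get("privileged"):
            findings.append((name, "PRIVILEGED", "privileged containers are not allowed"))
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((name, "ALLOW_PRIVILEGE_ESCALATION",
                             "allowPrivilegeEscalation must be explicitly false"))
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append((name, "CAPABILITIES_DROP_ALL", "capabilities.drop must include ALL"))
        added = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
        if added:
            findings.append((name, "CAPABILITIES_ADD",
                             f"disallowed capabilities added: {sorted(added)}"))
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append((name, "SECCOMP_PROFILE",
                             "seccompProfile.type must be RuntimeDefault or Localhost"))
    return findings


def audit(manifest):
    return check_pod_spec(pod_spec(manifest))


def hardened(manifest):
    """Return a copy with every container set to the Restricted profile.

    runAsUser 65534 (nobody) is an assumption of this example; hello-app does
    not need root, but an image without a numeric USER needs an explicit UID
    for runAsNonRoot to be enforceable.
    """
    out = deepcopy(manifest)
    spec = pod_spec(out)
    spec["securityContext"] = {"seccompProfile": {"type": "RuntimeDefault"}}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        c["securityContext"] = {
            "runAsNonRoot": True,
            "runAsUser": 65534,
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        }
    return out


if __name__ == "__main__":
    for name, check, msg in audit(SAMPLE_DEPLOYMENT):
        print(f"{name}: {check}: {msg}")
    print("violations after hardening:", audit(hardened(SAMPLE_DEPLOYMENT)))
```

Running the script lists four findings for hello-app (runAsNonRoot, allowPrivilegeEscalation, missing drop ALL, missing seccomp profile) and none for the hardened copy; the hardened dict can be serialized back to YAML and applied in place of misconfig-sample.yaml to confirm that the dashboard's concern for the workload clears on the next audit.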
View results

To see an overview of discovered concerns across your project's clusters and workloads, do the following:
Go to the Security Posture page in the Google Cloud console.
Click the Concerns tab.
In the Filter concerns pane, in the Concern type section, select the Configuration checkbox.
To view detailed information about a specific configuration concern, click the row containing that concern.
The Configuration Concern pane shows the following information:
GKE adds entries to the _Default log bucket in Logging for each discovered concern. These logs are only retained for a specific period. For details, see Logs retention periods.
In the Google Cloud console, go to the Logs Explorer:

Go to Logs Explorer

In the Query field, specify the following query:

resource.type="k8s_cluster"
jsonPayload.@type="type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding"
jsonPayload.type="FINDING_TYPE_MISCONFIG"
Click Run query.
To receive notifications when GKE adds new findings to Logging, set up log-based alerts for this query. For more information, see Configure log-based alerts.
Clean up

Delete the sample workload that you deployed.
kubectl delete deployment helloweb
Optionally, delete the cluster that you used.
gcloud container clusters delete CLUSTER_NAME \
--location=CONTROL_PLANE_LOCATION
You can disable workload configuration auditing using either the gcloud CLI or the Google Cloud console.

gcloud

Run the following command:

gcloud container clusters update CLUSTER_NAME \
    --location=CONTROL_PLANE_LOCATION \
    --security-posture=disabled

Replace the following:

CLUSTER_NAME: the name of your cluster.
CONTROL_PLANE_LOCATION: the location of the control plane of your cluster. Provide a region for regional Standard and Autopilot clusters, or a zone for zonal Standard clusters.

Console

Go to the Security Posture page in the Google Cloud console.

Limitations

kube-system namespace.

The security posture dashboard supports up to 150,000 active workload configuration auditing findings for each cluster. When the number of findings for a cluster exceeds this maximum, the security posture dashboard stops showing configuration findings for that cluster.
To resolve this issue, use the logs in Logging to identify configuration issues and deploy updated manifests. When the number of configuration findings is less than 150,000, the security posture dashboard starts displaying findings for the cluster.
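Because the Logs Explorer query earlier on this page and the fallback for a cluster over the 150,000-finding cap both come down to reading finding entries out of Logging, the following added example (not code from the GKE documentation) applies the same three predicates as that query to entries already exported, for example with gcloud logging read --format=json, and reduces them to a severity count and a deduplicated list of affected workloads. The resource.type, jsonPayload.@type and jsonPayload.type fields are taken from the page's query; the severity and resourceName field names inside jsonPayload, and the sample entries themselves, are constructed assumptions for this example.

```python
"""Reduce exported Cloud Logging entries to open workload configuration findings.

Added example, not part of the GKE documentation. Applies the same predicates
as the page's Logs Explorer query, then summarizes. jsonPayload.severity and
jsonPayload.resourceName are assumed field names.
"""
import json
import sys

FINDING_TYPE_URL = ("type.googleapis.com/cloud.kubernetes.security."
                    "containersecurity_logging.Finding")

# Constructed sample entries in the shape of exported log records; not real data.
SAMPLE_ENTRIES = [
    {"resource": {"type": "k8s_cluster", "labels": {"cluster_name": "demo"}},
     "jsonPayload": {"@type": FINDING_TYPE_URL, "type": "FINDING_TYPE_MISCONFIG",
                     "severity": "SEVERITY_MEDIUM",
                     "resourceName": "apps/v1/namespaces/default/deployments/helloweb"}},
    # Another finding type on the same cluster: excluded by jsonPayload.type.
    {"resource": {"type": "k8s_cluster", "labels": {"cluster_name": "demo"}},
     "jsonPayload": {"@type": FINDING_TYPE_URL, "type": "FINDING_TYPE_VULNERABILITY",
                     "severity": "SEVERITY_HIGH",
                     "resourceName": "apps/v1/namespaces/default/deployments/helloweb"}},
    # A container log line carrying a look-alike payload: excluded by resource.type.
    {"resource": {"type": "k8s_container", "labels": {"cluster_name": "demo"}},
     "jsonPayload": {"@type": FINDING_TYPE_URL, "type": "FINDING_TYPE_MISCONFIG",
                     "severity": "SEVERITY_LOW", "resourceName": "spoofed"}},
    # A later audit run repeats the helloweb finding: deduplicated by resourceName.
    {"resource": {"type": "k8s_cluster", "labels": {"cluster_name": "demo"}},
     "jsonPayload": {"@type": FINDING_TYPE_URL, "type": "FINDING_TYPE_MISCONFIG",
                     "severity": "SEVERITY_MEDIUM",
                     "resourceName": "apps/v1/namespaces/default/deployments/helloweb"}},
    {"resource": {"type": "k8s_cluster", "labels": {"cluster_name": "demo"}},
     "jsonPayload": {"@type": FINDING_TYPE_URL, "type": "FINDING_TYPE_MISCONFIG",
                     "severity": "SEVERITY_HIGH",
                     "resourceName": "apps/v1/namespaces/payments/deployments/api"}},
]


def matches_query(entry):
    """The same predicate as the page's Logs Explorer query, evaluated locally."""
    payload = entry.get("jsonPayload") or {}
    return (
        (entry.get("resource") or {}).get("type") == "k8s_cluster"
        and payload.get("@type") == FINDING_TYPE_URL
        and payload.get("type") == "FINDING_TYPE_MISCONFIG"
    )


def misconfig_findings(entries):
    return [e for e in entries if matches_query(e)]


def count_by_severity(entries):
    """Severity histogram of matching findings (severity field name is assumed)."""
    counts = {}
    for e in misconfig_findings(entries):
        sev = e["jsonPayload"].get("severity", "SEVERITY_UNSPECIFIED")
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def affected_workloads(entries):
    """Distinct workloads with open findings: the manifests that need updating."""
    return sorted({e["jsonPayload"].get("resourceName", "?")
                   for e in misconfig_findings(entries)})


if __name__ == "__main__":
    # Pipe exported JSON in, or run with no input to use the constructed samples.
    entries = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_ENTRIES
    print(json.dumps({"by_severity": count_by_severity(entries),
                      "workloads": affected_workloads(entries)}, indent=2))
```

Feed it with gcloud logging read using the page's query as the filter and --format=json; for a cluster that has exceeded the dashboard's cap, the affected_workloads list is the work queue for bringing the count back under 150,000.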
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-12 UTC.