Skip to content

GKE Security Overview

Google Kubernetes Engine (GKE) provides many ways to help secure your workloads. Protecting workloads in GKE involves many layers of the stack, including container images, the container runtime, the cluster network, and access to the cluster API server.

Security Layers

It's best to take a layered approach to protecting your clusters and workloads, applying the principle of least privilege to all levels.

Authentication and Authorization

Account Types

TypeManaged ByUse Case
User AccountsGoogle CloudHuman users (Google Accounts)
Google Cloud Service AccountsGoogle CloudCross-project access, Google Cloud resource access
Kubernetes Service AccountsKubernetesPod-level access within cluster

Authorization Methods

MethodScopeDescription
IAMProject/OrganizationGoogle Cloud resource access
RBACCluster/NamespaceKubernetes resource access

Best Practice: Disable legacy Attribute Based Access Control (ABAC) so that Kubernetes RBAC and IAM are the sources of truth.

Control Plane Security

Control Plane Protection Methods

MethodDescription
DNS-based EndpointUse IAM and VPC Service Controls for identity and network-aware policies (recommended)
Authorized NetworksRestrict control plane access to specific IP ranges
Credential RotationRotate SSL certificates and cluster CA regularly

Node Security

Container-Optimized OS Features

FeatureDescription
Locked-down firewallMinimal network exposure
Read-only filesystemPrevents unauthorized modifications
Limited user accountsDisabled root login

Node Protection

FeatureDescriptionUse Case
Automatic UpgradesPatch OS regularlySecurity updates
GKE SandboxIsolate untrusted workloadsMulti-tenant, SaaS, security research
Workload IdentityLock down instance metadataProtect node service account keys

Network Security

Network Policies

By default, all Pods can communicate with each other. Network policies allow you to:

Best Practice: Apply default deny policies for both ingress and egress of every Pod, then explicitly allow required traffic.

Load Balancer Filtering

yaml
# Example: Restrict access by source IP
apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  type: LoadBalancer
  loadBalancerSourceRanges:
    - 10.0.0.0/8
    - 192.168.1.0/24
  ports:
    - port: 80
      targetPort: 8080

Workload Security

Security Context Options

SettingDescription
runAsUser/runAsGroupUser and group to run as
capabilitiesAvailable Linux capabilities
allowPrivilegeEscalationControl privilege escalation
readOnlyRootFilesystemPrevent filesystem modifications

Pod Security Standards

LevelDescription
PrivilegedUnrestricted
BaselineMinimally restrictive, prevents known privilege escalations
RestrictedHeavily restricted, following hardening best practices

Accessing Google Cloud Resources

MethodSecurityRecommendation
Workload Identity FederationMost secureRecommended
Node Service AccountLess secureNot compatible with GKE Sandbox
Service Account JSON KeyLeast secureStrongly discouraged

Binary Authorization

Binary Authorization ensures:

  • Internal safeguard processes completed before deployment
  • Container images conform to policies with Continuous Validation (CV)

Audit Logging

Built-in Security Measures

Autopilot Security

Autopilot clusters apply security settings based on best practices:

FeatureStatus
Container-Optimized OSEnabled
Workload IdentityAlways enabled
Shielded GKE NodesEnabled
Security hardeningPre-configured

Standard Cluster Security

RestrictionDescription
System workload ServiceAccountCannot be updated
cluster-admin bindingCannot bind to anonymous/unauthenticated groups

Security Checklist

LayerKey Actions
AuthenticationUse IAM, disable legacy ABAC
Control PlaneEnable authorized networks, use DNS endpoint
NodesUse Container-Optimized OS, enable Workload Identity
NetworkApply network policies, use internal load balancers
WorkloadsUse security contexts, enable Binary Authorization
AuditEnable audit logging, set up alerting

Last updated: December 2025

Built with VitePress & Mermaid diagrams