Skip to main content
Securing workloads on Google Kubernetes Engine (GKE) involves a multi-layered strategy that spans container images, runtimes, cluster networking, and API server access. Applying the principle of least privilege ensures users and applications receive only the permissions they need.

Shared Responsibility Model Overview

The image illustrates a shared responsibility model between Google and the user, detailing responsibilities such as Kubernetes distribution, node OS, and control plane for Google, and nodes and workloads for the user.
This diagram highlights how Google secures the underlying infrastructure and control plane, while customers handle cluster configuration and workload security.

Google Cloud Responsibilities

Google manages and hardens the infrastructure that underpins GKE clusters, including physical hardware, firmware, operating systems, storage, and networking. Core responsibilities include:
  • Encrypting data at rest and in transit
  • Designing custom hardware and enforcing physical security
  • Preventing unauthorized modifications with Shielded Nodes
  • Following a secure software development lifecycle
Google also hardens and patches:
  • Node OS images (Container-Optimized OS and Ubuntu)
  • Kubernetes node components and the GKE control plane
  • Control plane VMs (single-tenant Compute Engine instances)

Control Plane Components Managed by Google

ComponentFunction
API ServerValidates and configures Kubernetes API objects
SchedulerAssigns pods to nodes based on resource needs
Controller ManagerEnforces desired cluster state
Cluster Certificate AuthorityIssues and rotates TLS certificates
Secrets EncryptionEncrypts Kubernetes Secrets at rest
Audit LoggingCaptures cluster activity for compliance
Container Threat Detection is available through Security Command Center for real-time monitoring of container vulnerabilities.
The image outlines Google's responsibilities, including protecting infrastructure, hardening and patching, threat detection, control plane management, Google Cloud integrations, and restricted administrative access.

Customer Responsibilities

Customers must secure and manage everything they deploy in GKE:
  • Application source code, build pipelines, and container images
  • RBAC/IAM policies to control cluster access
  • Container workloads (Pods, Deployments) and associated data
  • Ensuring application availability, performance, and security

Cluster Lifecycle Management

TaskRecommendation
Version upgradesEnable auto-upgrade (default) or apply manual upgrades
Patch managementStay current with GKE release notes and security bulletins
Feature adoptionTest new features in non-production clusters
Running unsupported cluster versions exposes you to known vulnerabilities. Always upgrade to a supported GKE version.

Monitoring and Incident Response

  • Use the Security Posture Dashboard and Cloud Operations suite
  • Configure alerts for suspicious activity and resource anomalies
  • Provide environmental details to Google Support when troubleshooting
The image outlines customer responsibilities, including workload management, cluster management, monitoring and incident response, and providing environmental details.

References

Watch Video