Skip to main content
McAfee MVISION Cloud

Configure Container Security for GKE

Google Kubernetes Engine (GKE) uses the Kubernetes policy templates listed in Policy Templates for Container Security. The pertinent templates use the prefix GKE. 

MVISION Cloud supports the CIS Kubernetes Benchmark v1.4.1-07-17-2019 specification for auditing CSP managed clusters.

For GKE clusters, make sure the API server endpoint is enabled for public access. (This is the default setting.)

If public access is restricted to the limited IP address for security reasons, then you must add the MVISION Cloud source IP address to the filter to allow access. Clusters enabled with private access cannot be audited by MVISION Cloud. For details, see Allow List IP Addresses for IaaS

In addition to the roles Project Viewer and IAM Security Reviewer, Kubernetes worker node policies require the minimal privilege container.nodes.proxy. You can create a custom role with this privilege.

You can also use GCP predefined roles like Kubernetes Engine Admin and Kubernetes Engine Developer, which contain container.nodes.proxy, but note that these roles contain many more additional permissions that are not required.

For configuration instructions, see Integrate GCP with MVISION Cloud

GCP does not expose any methods to obtain the GKE cluster control plane configurations or arguments dynamically. These configurations are relevant to evaluate some of the GKE Master node policies, such as API Server, Controller Manager, and Scheduler.

For this reason, all GKE clusters (regardless of version) for these policies are displayed based on the benchmark results published in the GCP documentation for Kubernetes v 1.15 in CIS Benchmarks

If you have configured GKE with values other than the defaults, the policy evaluations might not be correct. These limitations are not applicable to PSP and Kubelet server (worker node) policies. 

  • Was this article helpful?