GKE security best practices

This document describes a typical Google Kubernetes Engine (GKE) architecture in Google Cloud. It also lists the security best practices that are applicable to GKE workloads.

Architecture

The following diagram shows the Google Cloud services in a typical GKE deployment.

Sample architecture for GKE workloads.

This diagram includes the following:

  • GKE is a managed implementation of the Kubernetes open source container orchestration platform that lets you run containerized apps. GKE clusters include your application pods and Policy Controller. Policy Controller helps you enforce policies on your Kubernetes clusters.

  • Artifact Registry streamlines your container and app development and deployment process, improves collaboration, and helps improve the security and reliability of your apps.

  • Cloud Audit Logs tracks the actions that your users take in your environment, which enhances your troubleshooting, auditing, and incident response capabilities.

  • Cloud Billing dashboards and alerts let you review usage and billing of GKE workloads.

  • Cloud Build is a serverless CI/CD platform on Google Cloud that lets you build, test, and deploy your apps.

  • Cloud Identity unifies identity, access, and application management for Google Cloud.

  • Cloud Key Management Service creates and manages encryption keys.

  • Cloud Run functions automates tasks, triggers jobs, integrates with other services, and builds event-driven development pipelines.

  • Cloud Service Mesh lets Kubernetes services communicate with each other.

  • Cloud Storage stores the data that's required for your containers and apps to run.

  • Cloud DNS registers, manages, and serves your domain.

  • Identity and Access Management (IAM) controls who can perform specific actions on your GKE workload resources, such as creating, editing, or deleting them.

  • Organization Policy Service centrally manages and enforces policies across your Google Cloud environment. Organization Policy helps to ensure consistent configuration and security compliance across the projects and resources within your organization.

  • Pub/Sub enables efficient communication and automation within your workflows.

  • Resource Manager helps you group and manage the logical components of your GKE workloads.

  • Secret Manager helps you protect the sensitive data and credentials that are used in GKE projects.

  • Security Command Center helps you protect your cloud organization, your GKE workloads, and the data that you store on Google Cloud. Security Command Center provides the following:

    • Centralized security management
    • Threat detection and incident response
    • Automated security assessments
    • Compliance and regulatory reporting
    • Security recommendations and best practices

  • Virtual Private Cloud (VPC) isolates your GKE resources from the internet in a secure environment. This network configuration helps protect sensitive data and workloads from unauthorized access and potential cyberattacks.

  • Cloud VPN or Cloud Interconnect lets you establish a secure network connection between your on-premises infrastructure and your GKE environment. Cloud VPN or Cloud Interconnect helps enable seamless data transfer and communication between your private network and Google Cloud resources. Consider this integration for scenarios like accessing on-premises data for model training or deploying models to on-premises resources for inference.

Best practices for GKE workloads

This section provides links to the best practices for workloads that use GKE.

What's next