This page explains how to configure fleet-level default settings for the Google Kubernetes Engine (GKE) security posture dashboard. The security posture dashboard provides you with opinionated and actionable recommendations to improve your clusters' security posture. You can enable settings for the security posture dashboard at the fleet level.
You can set fleet-level defaults for the security posture dashboard's Kubernetes security posture scanning settings.
This page is for Security specialists who want to implement first-party vulnerability detection solutions across a fleet of clusters. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE user roles and tasks.
Before reading this page, ensure that you're familiar with the general overview of workload vulnerability scanning.
To learn how to configure these settings for individual clusters, see the following resources:
- Automatically audit workloads for configuration issues
- Automatically scan workloads for known vulnerabilities (Deprecated)
Configure fleet-level defaults
This section describes how to configure security posture dashboard features as fleet-level defaults. Any new clusters that you register to a fleet during cluster creation have your specified security posture features enabled. The fleet-level default settings that you configure take priority over any default GKE security posture settings. To view the default settings that apply to your edition of GKE, see the Cluster-specific features table.
To configure fleet-level defaults for security posture, complete the following steps:
Console
- In the Google Cloud console, go to the Feature Manager page. 
- In the Security Posture pane, click Configure. 
- Review your fleet-level settings. All new clusters you register to the fleet inherit these settings. 
- Optional: To change the default settings, click Customize fleet settings. In the Customize fleet default configuration dialog that appears, do the following:
  - For Configuration audit, choose whether configuration auditing should be enabled or disabled.
  - For Vulnerability scanning (Deprecated), select the level of vulnerability scanning that you want: Disabled, Basic, or Advanced (recommended).
  - Click Save.
  If you later disable fleet-level configuration for these features, your current workloads in existing member clusters are still scanned and you can see the security concerns on the security posture dashboard. However, any new clusters you create in that fleet won't be scanned for concerns, unless you enable the security posture features on them individually.
- To apply the setting to new clusters, click Configure. 
- In the confirmation dialog, click Confirm. 
- Optional: Sync existing clusters to the default settings:
  - In the Clusters in the fleet list, select the clusters that you want to sync.
  - Click Sync to fleet settings and click Confirm in the confirmation dialog that appears. This operation can take a few minutes to complete.
gcloud
Make sure that you have gcloud CLI version 455.0.0 or later.
Configure defaults for a new fleet
You can create an empty fleet with the security posture dashboard features you want enabled.
- To create a fleet with workload configuration auditing enabled, run the following command:
  gcloud container fleet create --security-posture standard
Configure defaults for an existing fleet
- To enable workload configuration auditing on an existing fleet, run the following command:
  gcloud container fleet update --security-posture standard
Disable security posture dashboard features at fleet level
- To disable workload configuration auditing, run the following command:
  gcloud container fleet update --security-posture disabled
- To disable workload vulnerability scanning, run the following command:
  gcloud container fleet update --workload-vulnerability-scanning disabled
If you disable fleet-level configuration for these features, your current workloads in existing member clusters are still scanned and you can see the security concerns on the security posture dashboard. However, any new clusters you create in that fleet won't be scanned for concerns, unless you enable the security posture features on them individually.
What's next
- Learn about the range of Google Cloud features to secure your clusters and workloads.
- Learn how workload configuration auditing detects common security configuration concerns.