Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Configure CSPM for GKE

Google Kubernetes Engine (GKE) uses the Kubernetes policy templates listed in Policy Templates for CSPM. The pertinent templates use the prefix GKE. 

Skyhigh CASB supports the CIS Kubernetes Benchmark v1.4.1-07-17-2019 specification for auditing CSP-managed clusters.

For GKE clusters, make sure the API server endpoint is enabled for public access. (This is the default setting.)

If public access is restricted to the limited IP address for security reasons, then you must add the Skyhigh CASB source IP address to the filter to allow access. Clusters enabled with private access cannot be audited by Skyhigh CASB. For details, see CSPM Allow List IP Addresses

In addition to the roles Project Viewer and IAM Security Reviewer, Kubernetes secondary node policies require the minimal privilege container.nodes.proxy. You can create a custom role with this privilege.

You can also use GCP predefined roles like Kubernetes Engine Admin and Kubernetes Engine Developer, which contain container.nodes.proxy, but note that these roles contain many more additional permissions that are not required.

The custom roles must have the below permissions:

  • resourcemanager.projects.get
  • storage.buckets.get
  • storage.buckets.getIamPolicy
  • storage.buckets.list
  • storage.objects.get
  • storage.objects.getIamPolicy
  • storage.objects.list

To configure CSPM for GKE, you must run the Configuration Audit scan for GCP.

For configuration instructions, see Integrate GCP with Skyhigh CASB

GCP does not expose any methods to obtain the GKE cluster control plane configurations or arguments dynamically. These configurations are relevant to evaluate some of the GKE primary node policies, such as API Server, Controller Manager, and Scheduler.

For this reason, all GKE clusters (regardless of version) for these policies are displayed based on the benchmark results published in the GCP documentation for Kubernetes v 1.15 in CIS Benchmarks

If you have configured GKE with values other than the defaults, the policy evaluations might not be correct. These limitations are not applicable to PSP and Kubelet server (secondary node) policies. 

  • Was this article helpful?