googlecloudplatform/gke-workload-security
skills/gke-workload-security/SKILL.md
Workflows for auditing and hardening the security of GKE workloads.
$ install --global
skillsauthnpx skillsauth add googlecloudplatform/gke-mcp gke-workload-securityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
This skill has been flagged as suspicious. Review the scan results before using.
2 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
2
Scanners Passed
9
Scanners in report
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Suspicious
TrivyContainer and dependency vulnerability scanner
70%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 22, 2026, 9:10 PM43.2s4 files scanned
SKILL.md
- name:
- gke-workload-security
- description:
- Workflows for auditing and hardening the security of GKE workloads.
GKE Workload Security
This skill provides workflows and best practices for securing GKE workloads. It covers security auditing, Identity and Access Management (Workload Identity), Network Security (Network Policies), and Node Security.
Workflows
1. Security Audit
Assess the current security posture of your cluster using the provided audit script.
Capabilities:
- Checks for Workload Identity.
- Verifies Network Policy is enabled.
- Checks if Shielded Nodes are enabled.
- Checks if Binary Authorization is enabled.
- Checks for Private Cluster configuration.
Command:
./scripts/audit_cluster.sh <cluster-name> <region> <project-id>
2. Configure Workload Identity
Workload Identity allows Kubernetes Service Accounts (KSAs) to impersonate Google Service Accounts (GSAs). This is the recommended method for workloads to access Google Cloud APIs.
Steps:
-
Create Namespace and KSA:
kubectl create namespace workload-identity-test-ns kubectl create serviceaccount <ksa-name> \ --namespace workload-identity-test-ns -
Bind KSA to GSA:
gcloud iam service-accounts add-iam-policy-binding <gsa-name>@<project-id>.iam.gserviceaccount.com \ --role roles/iam.workloadIdentityUser \ --member "serviceAccount:<project-id>.svc.id.goog[workload-identity-test-ns/<ksa-name>]" -
Annotate KSA:
kubectl annotate serviceaccount <ksa-name> \ --namespace workload-identity-test-ns \ iam.gke.io/gcp-service-account=<gsa-name>@<project-id>.iam.gserviceaccount.com -
Verify Example Pod: Use existing asset
assets/workload-identity-pod.yamlto test the configuration. Update the<ksa-name>in the file first.kubectl apply -f ./assets/workload-identity-pod.yaml -n workload-identity-test-ns
3. Implement Network Policies
Control traffic flow between Pods using Network Policies. By default, all traffic is allowed.
Enable Network Policy Enforcement:
gcloud container clusters update <cluster-name> \
--update-addons=NetworkPolicy=ENABLED \
--region <region>
[!NOTE] If your cluster uses Dataplane V2 (
--enable-dataplane-v2), Network Policy enforcement is built-in and this step is not required (and may fail).
Apply Default Deny Policy: Isolate namespaces by denying all ingress and egress traffic by default.
Replace <target-namespace> with the namespace you want to isolate.
kubectl apply -f ./assets/default-deny-netpol.yaml -n <target-namespace>
4. Enable Shielded Nodes
Ensure nodes are running with verifiable integrity.
Command:
gcloud container clusters update <cluster-name> \
--enable-shielded-nodes \
--region <region>
5. GKE Sandbox (gVisor)
Run untrusted workloads in a sandbox for extra isolation.
Enable GKE Sandbox:
gcloud container clusters update <cluster-name> \
--enable-gke-sandbox \
--region <region>
Run a Sandboxed Pod:
Add runtimeClassName: gvisor to your Pod spec.
6. Pod Security Standards
Enforce security policies on namespaces using labels.
Enforce Restricted Profile:
kubectl label --overwrite ns <namespace> \
pod-security.kubernetes.io/enforce=restricted \
pod-security.kubernetes.io/enforce-version=latest
[!NOTE] Using
latestensures you use the policies corresponding to the cluster's current version. You can pin it to a specific version (e.g.,v1.30) to lock down the namespace to policies of a specific release.
7. Secret Manager Integration (CSI Driver)
Mount secrets from Google Cloud Secret Manager directly as volumes in your pods.
Prerequisites: Secret Manager CSI driver must be enabled on the cluster.
Example SecretProviderClass:
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: my-secret-provider
spec:
provider: gcp
parameters:
secrets: |
- resourceName: "projects/<project-id>/secrets/my-secret/versions/latest"
fileName: "my-secret-file"
Example Pod Spec excerpt:
spec:
containers:
- name: my-app
volumeMounts:
- name: secrets-store-inline
mountPath: "/mnt/secrets"
readOnly: true
volumes:
- name: secrets-store-inline
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: "my-secret-provider"
8. Enable Network Policy Logging
If using GKE Dataplane V2, you can log allowed and denied connections.
Steps:
- Configure the
NetworkLoggingcustom resource.
Example NetworkLogging Manifest:
apiVersion: networking.gke.io/v1alpha1
kind: NetworkLogging
metadata:
name: default
spec:
cluster:
allow:
log: true
delegate: true
deny:
log: true
delegate: true
This will log connection details to Cloud Logging.
Best Practices
- Least Privilege: Always use Workload Identity with minimal IAM roles. Avoid using Node default service accounts.
- Network Isolation: Use Network Policies to restrict Pod-to-Pod communication. Enable Network Policy Logging for visibility.
- Image Security: Use Binary Authorization to ensure only trusted images are deployed.
- Secret Management: Use Secret Manager CSI driver instead of default Kubernetes secrets for sensitive data.
- Pod Security: Enforce
baselineorrestrictedPod Security Standards on all non-system namespaces. - Policy Enforcement: Consider using Policy Controller (Gatekeeper) to enforce custom security and compliance policies across the cluster.
Related Skills
googlecloudplatform/gke-ai-troubleshooting-jobset-interruption
data-ai
VerifiedTrustedCommunity
Systematically diagnose GKE JobSet interruptions, restarts, and preemptions for AI/ML training workloads. Identifies preemption events, maintenance interruptions, bad host VMs, unhealthy pods, and coordinator worker failures.
158SKILL.mdUpdated Jun 4, 2026
googlecloudplatform/gke-ai-troubleshooting-tpu-connection-failure-vbar-oom
development
VerifiedTrustedCommunity
Diagnose and prevent `vbar_control_agent` segfaults and OOMs caused by race conditions during TPU device resets and frequent metrics collection (e.g. every 3s). Use when TPU slice initialization fails or `vbar_control_agent` crashes on TPU v6e nodes.
148SKILL.mdUpdated May 5, 2026
googlecloudplatform/gke-ai-troubleshooting-skill-creation-guide
development
VerifiedTrustedCommunity
Expert instructions for building high-quality GKE troubleshooting skills. Codifies Step 0 context rules, zero-hallucination signatures, and explicit LQL/PromQL query requirements.
148SKILL.mdUpdated May 2, 2026
googlecloudplatform/gke-productionize
tools
VerifiedTrustedCommunity
Assists in preparing applications and clusters on GKE for production.
148SKILL.mdUpdated Apr 18, 2026