GKE
Google Kubernetes Engine (GKE) is a managed Kubernetes service that simplifies the deployment, scaling, and management of containerized applications in Google Cloud. It abstracts infrastructure management while providing flexibility and control over Kubernetes clusters.
Integrating OX Security with GKE gives your security team real-time visibility into what’s running in your clusters and improves workload protection, as follows:
Workload-Level Scanning: OX identifies which container images are actively running in your Kubernetes workloads, such as deployments and pods, and scans those confirmed to be in use. This improves precision and reduces unnecessary overhead.
Runtime Context: OX enriches security findings across your environment with runtime metadata. If a vulnerability is found in code or an image that is actually deployed and running, the issue is flagged with additional severity context. This context supports more informed decision-making and triage.
Risk Prioritization Support: You can prioritize issues based on whether they are actively running, filter findings by runtime status, or create custom policies to adjust severity accordingly.
When you connect your GKE clusters to OX Security, the platform adds cloud-native context to enhance visibility and prioritization across the system:
The Applications page is enriched with cloud deployment details, including Application Flow and Tags that reflect Kubernetes deployment and internet exposure.
Issues from SAST, SCA, and container scanning are enhanced with Kubernetes reachability severity factors, based on real-time cloud deployment data.
The Attack Path tab in Issues is updated to show full cloud reachability, helping you understand how issues can be exploited in your Kubernetes environment.
Artifact integrity issues are raised for images that are running in the cluster but originate from untrusted or unknown sources.
The Artifact BOM page now includes cloud deployment visibility, helping track where and how artifacts are used across clusters.
OX scans specific versions of container images found in the cloud, not just the latest versions available in your registry.
Prerequisites
A Google Cloud project with IAM permissions to:
Create service accounts
Manage service account keys
Enable required APIs (e.g., Compute Engine API, IAM API, Kubernetes Engine API).
Optional: gcloud CLI installed and configured.
A running GKE cluster in the selected GCP project, with the Kubernetes Engine API enabled.
Authorize the OX static IP addresses to access your GKE cluster: 34.241.46.143 and 34.247.61.212.
Creating a new service account
Log in to the Google Cloud Console.
Select your GKE project.
Navigate to IAM & Admin.
Select Service Accounts.

Select + Create Service Account.

Add a meaningful name and an optional description.
Select Create and Continue.

Grant the Viewer role to the new service account and select Done. The new service account appears in the Service accounts table.

In the Actions column of the newly created service account, click the three-dot menu and select Manage keys.
In the Keys pane, select Add key > Create new key.

Select JSON and then select Create. The file is automatically downloaded to your system.
Securely store the JSON key file.
To encode the key file in Base64:
On macOS, run:
base64 <filename>.json
On Linux (GNU coreutils), run:
base64 -w 0 <filename>.json
GNU base64 wraps its output at 76 characters by default; -w 0 disables the wrapping so the key is emitted as one line.
On Windows, use a tool or plugin to convert the JSON to a one-line Base64 string.
Note: The Base64 encoding compacts the multi-line key file into a single string.
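The encoding step above, as an added shell example that is not part of OX Security's documentation or tooling: it checks that the file really is a service-account key before encoding it, produces a single Base64 line on both GNU and BSD/macOS systems (by stripping newlines instead of relying on a platform-specific flag), and verifies that the encoded string decodes back to the original bytes. The sample key written to a temp file is constructed for demonstration and contains placeholder values, not real key material.

```shell
#!/bin/sh
# Added example (not OX Security's own tooling): portable single-line Base64
# encoding of a GCP service-account key file, with sanity checks before the
# value is pasted into the OX "API Token" field.
set -eu

# Return 0 when the file looks like a service-account key: it must contain
# "type": "service_account" and a "private_key" field. Assumption: keys
# downloaded from the Google Cloud Console always carry these two fields.
check_key_file() {
  f="$1"
  [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
  grep -q '"type": *"service_account"' "$f" || { echo "not a service account key: $f" >&2; return 1; }
  grep -q '"private_key"' "$f" || { echo "missing private_key field: $f" >&2; return 1; }
  return 0
}

# Print the key as one Base64 line. GNU base64 wraps output at 76 columns by
# default and BSD/macOS base64 does not, so strip newlines rather than relying
# on a platform-specific flag such as -w 0.
encode_key_file() {
  check_key_file "$1"
  base64 < "$1" | tr -d '\n'
}

# Decode an encoded string and compare it byte-for-byte with the original file.
# Returns 0 on an exact round trip.
verify_roundtrip() {
  f="$1"; enc="$2"
  printf '%s' "$enc" | base64 -d | cmp -s - "$f"
}

# Constructed sample key for demonstration only; the private key material is a
# placeholder, not a real key. Real key files must never be committed or pasted
# into shell history.
SAMPLE_KEY="$(mktemp)"
cat > "$SAMPLE_KEY" <<'EOF'
{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "PLACEHOLDER_KEY_ID",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
  "client_email": "ox-gke-reader@example-project.iam.gserviceaccount.com"
}
EOF

ENCODED="$(encode_key_file "$SAMPLE_KEY")"
verify_roundtrip "$SAMPLE_KEY" "$ENCODED" && echo "round trip ok; paste the single line in ENCODED into the API Token field"
```

To use it on a real key, replace the constructed SAMPLE_KEY with the path of the downloaded JSON file; the round-trip check catches a truncated or line-wrapped copy before it reaches the connector dialog.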
To enable required Google Cloud APIs, in the Google Cloud Console:
Navigate to APIs & Services.
In the left pane, select Library.
Search for and enable the following APIs:
Compute Engine API (compute.googleapis.com)
Kubernetes Engine API (container.googleapis.com)
Cloud Resource Manager API (cloudresourcemanager.googleapis.com)

Alternatively, use the gcloud CLI to enable all the required APIs at once:
gcloud services enable compute.googleapis.com \
apikeys.googleapis.com \
artifactregistry.googleapis.com \
bigquery.googleapis.com \
sqladmin.googleapis.com \
storage.googleapis.com \
dns.googleapis.com \
containerregistry.googleapis.com \
container.googleapis.com \
iam.googleapis.com \
dataproc.googleapis.com \
cloudkms.googleapis.com \
logging.googleapis.com
To verify the APIs were enabled, run:
gcloud services list --enabled
Connecting to GKE
In the Google Cloud Console, locate the ID of the project in which you have created a service account.

In the OX Security platform, go to Connectors and search for GKE.

Select GKE and set the following parameters in the Configure your GKE credentials dialog.

Project ID: the value copied in step 1.
API Token: the Base64-encoded key.
Select CONNECT. A success message appears.
To select specific clusters for scanning by the OX platform, select the gear icon next to DELETE.
Select the clusters you want to protect.

Select SAVE.
Multi-project access
To reuse one service account across multiple GKE projects:
In the source project, copy the email of the service account.

For each target project, navigate to IAM & Admin and select Grant Access.

In the New principals box, add the copied email address.
In the Role box, select Viewer and then click Save.
In the OX Security platform, go to Connectors and search for GKE.
Select GKE and set the following parameters in the Configure your GKE credentials dialog.

Project ID: * (an asterisk).
API Token: the Base64-encoded key.
Select CONNECT. A success message appears.
To select specific clusters for scanning by the OX platform, select the gear icon next to DELETE.
Select the clusters you want to protect from all the projects you have connected to OX.

Select SAVE.
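The Grant Access steps above, repeated for every target project, as an added shell example that is not OX Security's or Google's own tooling: it binds roles/viewer for the shared service account in each project with gcloud and then lists the roles the account actually holds, so the grant can be checked against least privilege. It runs in dry-run mode unless DRY_RUN=0 is set, printing the gcloud commands instead of executing them. The service-account email and project IDs are placeholders.

```shell
#!/bin/sh
# Added example (not OX Security's or Google's own tooling): grant the shared
# service account the Viewer role in each target project, then list the roles
# it holds there. Dry-run by default; set DRY_RUN=0 to execute the commands.
set -eu

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Bind roles/viewer for the service account in every project given.
# Usage: grant_viewer SA_EMAIL PROJECT_ID...
grant_viewer() {
  sa_email="$1"; shift
  for project in "$@"; do
    run gcloud projects add-iam-policy-binding "$project" \
      --member="serviceAccount:$sa_email" --role=roles/viewer
  done
}

# Show every role bound to the service account in one project. Anything beyond
# roles/viewer is more than the OX connector needs and should be reviewed.
# Usage: list_sa_roles SA_EMAIL PROJECT_ID
list_sa_roles() {
  run gcloud projects get-iam-policy "$2" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$1" \
    --format="value(bindings.role)"
}

# Placeholder identifiers for demonstration; replace with the email copied from
# the source project and the real target project IDs.
SA_EMAIL="ox-gke-reader@source-project.iam.gserviceaccount.com"
grant_viewer "$SA_EMAIL" target-project-a target-project-b
list_sa_roles "$SA_EMAIL" target-project-a
```

Executing it (DRY_RUN=0) requires a gcloud login holding the resourcemanager.projects.setIamPolicy permission in each target project; the listing step needs only getIamPolicy and is worth re-running periodically to confirm the account has not accumulated roles beyond Viewer.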