GCP and GKE
Google Kubernetes Engine (GKE)
Google Kubernetes Engine (GKE) is a managed Kubernetes service that simplifies the deployment, scaling, and management of containerized applications in Google Cloud. It abstracts infrastructure management while providing flexibility and control over Kubernetes clusters.
Integrating OX Security with GKE gives your security team real-time visibility into what’s running in your clusters and improves workload protection, as follows:
Workload-Level Scanning: OX identifies which container images are actively running in Kubernetes workloads, such as deployments and pods, and scans those confirmed to be in use. This improves precision and reduces unnecessary overhead.
Runtime Context: OX enriches security findings across your environment with runtime metadata. When a vulnerability is found in code or in an image that is deployed and running, the issue is flagged with additional severity context to support informed triage and decision-making.
Risk Prioritization Support: You can prioritize issues based on runtime status, filter findings by whether they are actively running, or create custom policies that adjust severity accordingly.
Google Cloud Platform (GCP) support for GKE
To support GKE integration, OX also connects to Google Cloud Platform (GCP). The GCP connector is required to enable GKE connectivity and provides cloud-level context for Kubernetes workloads.
The GCP connector is used to:
Authenticate access to your Google Cloud project as a prerequisite for connecting GKE.
Enrich Kubernetes data with cloud-level information, including whether deployed workloads are internet exposed.
Generate a cloud-based bill of materials (Cloud BOM) that reflects assets deployed in your cloud environment.
Enriched visibility across OX
When you connect your GKE clusters to OX Security, the platform adds context to enhance visibility and prioritization across the system:
The Applications page is enriched with cloud deployment details, including Application Flow and Tags that reflect Kubernetes deployment and internet exposure.
Issues from SAST, SCA, and container scanning are enhanced with Kubernetes reachability severity factors based on real-time cloud deployment data.

The Attack Path tab in Active Issues reflects full cloud reachability, helping you understand how issues can be exploited in your Kubernetes environment.

Artifact integrity issues are raised for images that are running in the cluster but originate from untrusted or unknown sources.

The Artifact BOM page includes cloud deployment visibility, helping track where and how artifacts are used across clusters.

OX scans the specific versions of container images found in the cloud, not just the latest versions available in your registry.
Prerequisites
A Google Cloud project with IAM permissions to:
Create service accounts
Manage service account keys
Enable required APIs (e.g., Compute Engine API, IAM API, Kubernetes Engine API).
Optional: gcloud CLI installed and configured.
A running GKE cluster in the selected GCP project, with the Kubernetes API enabled.
The OX static IP addresses authorized to access your GKE cluster: 108.128.213.11 and 34.247.61.212.
Step 1: Create a new service account [Google]
Log in to the Google Cloud Console.
Select your GKE project.
Navigate to IAM & Admin.
Select Service Accounts.

Select + Create Service Account.

Add a meaningful name and an optional description.
Select Create and Continue.

Grant the Viewer role to the new service account and select Done. The new service account appears in the Service accounts table.

In the Actions column for the newly created service account, click its three-dot menu and select Manage keys.
In the Keys pane, select Add key > Create new key.

Select JSON and then select Create. The file is automatically downloaded to your system.
Securely store the JSON key file.
To encode the key file in Base64:
On macOS/Linux, run:
base64 <filename>.json
On Windows, use a tool or plugin to convert the JSON to a one-line Base64 string.
Note: Base64 encoding compacts the multi-line key file into a single string.
To enable required Google Cloud APIs, in the Google Cloud Console:
Navigate to APIs & Services.
In the left pane, select Library.
Search for and enable the following APIs:
Compute Engine API (compute.googleapis.com)
Kubernetes Engine API (container.googleapis.com)
Cloud Resource Manager API (cloudresourcemanager.googleapis.com)

Alternatively, use the gcloud CLI to enable all the required APIs at once:
To verify that the APIs were enabled, run:
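The Step 1 housekeeping as an added shell example (not OX Security's or Google's own tooling): single-line Base64 encoding of the key, two safety checks on the key file, and gcloud helpers that enable and verify the three APIs listed above. The key file contents and the gcloud_* helper names are assumptions; the helpers are defined for an operator to call and are not run automatically.

```shell
# Added example, not OX Security's or Google's own tooling. Assumes POSIX sh with
# base64 and tr; the gcloud_* helpers additionally assume the gcloud CLI and are
# only defined here, never called automatically.
REQUIRED_APIS="compute.googleapis.com container.googleapis.com cloudresourcemanager.googleapis.com"

# Encode the key file as ONE line. GNU base64 (Linux) wraps at 76 columns by default,
# which pastes into OX as several lines; deleting newlines works on Linux and macOS.
encode_key_file() {
    base64 < "$1" | tr -d '\n'
}

# Checks before the key leaves your machine: it must be a service-account key (not a
# user OAuth client file) and should be readable only by its owner.
check_key_file() {
    grep -q '"type": *"service_account"' "$1" || { echo "not a service-account key: $1" >&2; return 1; }
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")   # GNU stat, then BSD/macOS stat
    [ "$mode" = "600" ] || echo "warning: $1 has mode $mode; chmod 600 it" >&2
}

# Enable the three APIs from the console steps above in the active gcloud project.
gcloud_enable_required_apis() {
    gcloud services enable $REQUIRED_APIS   # unquoted on purpose: one argument per API
}

# Confirm each API is in the enabled list; returns 1 and names any that is missing.
gcloud_verify_required_apis() {
    enabled=$(gcloud services list --enabled --format='value(config.name)') || return 1
    rc=0
    for api in $REQUIRED_APIS; do
        echo "$enabled" | grep -qx "$api" || { echo "missing: $api" >&2; rc=1; }
    done
    return $rc
}

# Constructed placeholder key (NOT a real credential) so the helpers can be
# exercised offline; prints the path of the file it wrote.
make_sample_key() {
    dir=$(mktemp -d)
    cat > "$dir/sa-key.json" <<'EOF'
{
  "type": "service_account",
  "project_id": "example-project",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
  "client_email": "ox-scanner@example-project.iam.gserviceaccount.com"
}
EOF
    chmod 600 "$dir/sa-key.json"
    echo "$dir/sa-key.json"
}
```

Run check_key_file on the downloaded key, then paste the output of encode_key_file into the API Token field in Step 2.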
Step 2: Connect to GCP
In the Google Cloud Console, locate the ID of the project in which you have created a service account.

In the OX Security platform, go to Connectors and search for GCP.
Select GCP and set the following parameters in the Configure your GCP credentials dialog.

Project ID: paste the value you copied in step 1 above.
API Token: the Base64-encoded service account key.
Select CONNECT. A success message appears.
Multi-project access
To reuse one service account across multiple GCP projects:
In the source project, copy the email of the service account.

For each target project, navigate to IAM & Admin and select Grant Access.

In the New principals box, add the copied email address.
In the Role box, select Viewer and then click Save.
In the OX Security platform, go to Connectors and search for GCP.
Select GCP and set the following parameters in the Configure your GCP credentials dialog.

Project ID: enter *.
API Token: the Base64-encoded service account key.
Select CONNECT. A success message appears.
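The multi-project grant above done with the gcloud CLI, as an added example that is not OX Security's or Google's own tooling: it grants the source project's service account the Viewer role in each target project and then verifies the binding exists. It assumes gcloud is installed and that the caller may edit IAM policy in the target projects; the function names and the example project IDs are assumptions.

```shell
# Added example, not OX Security's or Google's own tooling. Assumes the gcloud CLI
# for the two gcloud-based functions; is_service_account_email is plain POSIX sh.

# The principal must be NAME@PROJECT.iam.gserviceaccount.com. A user email or a
# typo would grant Viewer to the wrong identity, so reject anything else up front.
is_service_account_email() {
    case "$1" in
        *" "*|"") return 1 ;;
        ?*@?*.iam.gserviceaccount.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Grant roles/viewer (the role the guide asks for) to the service account in every
# target project named after the email. Stops at the first failure. --condition=None
# keeps gcloud from prompting when the policy already has conditional bindings.
grant_viewer_to_projects() {
    sa_email=$1; shift
    is_service_account_email "$sa_email" || { echo "not a service-account email: $sa_email" >&2; return 1; }
    for project in "$@"; do
        gcloud projects add-iam-policy-binding "$project" \
            --member="serviceAccount:$sa_email" --role="roles/viewer" --condition=None || return 1
    done
}

# List the roles the account holds in a project; succeed only if roles/viewer is among them.
verify_viewer_in_project() {
    sa_email=$1; project=$2
    gcloud projects get-iam-policy "$project" \
        --flatten="bindings[].members" --format="value(bindings.role)" \
        --filter="bindings.members:serviceAccount:$sa_email" | grep -qx "roles/viewer"
}

# Typical operator run (example project IDs are placeholders):
#   SA=ox-scanner@source-project.iam.gserviceaccount.com
#   grant_viewer_to_projects "$SA" target-a target-b
#   for p in target-a target-b; do verify_viewer_in_project "$SA" "$p" || echo "missing in $p"; done
```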
Step 3: Connect to GKE
After you configure the GCP connector, you can connect your GKE clusters. The GKE connector does not require separate credentials. Instead, it automatically uses the credentials you created for GCP, because both connectors rely on the same authentication format and access scope within your Google Cloud project.
Configuring GKE is a short process. Once the GCP connector is active and the required services are enabled in your Google Cloud project, you only need to select your cluster and complete the connection.
When you connect GKE, OX retrieves metadata from your Kubernetes clusters and enriches your environment with workload-level and runtime insights.
To connect to GKE:
In the OX Security platform, go to Connectors and search for GKE.
Select GKE.

Select Connect.
To select specific clusters for OX to scan, select the gear icon next to DELETE.
Select the clusters you want to protect.

Select SAVE.
After connecting your cluster, OX begins collecting Kubernetes metadata, such as deployed workloads, image versions, and runtime status. This information enriches your Applications, Issues, Attack Path, and Artifact BOM pages with cloud-native context.