# GCP and GKE ## Google Kubernetes Engine (GKE) Google Kubernetes Engine (GKE) is a managed Kubernetes service that simplifies the deployment, scaling, and management of containerized applications in Google Cloud. It abstracts infrastructure management while providing flexibility and control over Kubernetes clusters. Integrating OX Security with GKE gives your security team real-time visibility into what’s running in your clusters and improves workload protection, as follows: * **Workload-Level Scanning:** OX identifies which container images are actively running in Kubernetes workloads, such as deployments and pods, and scans those confirmed to be in use. This improves precision and reduces unnecessary overhead. * **Runtime Context**\ OX enriches security findings across your environment with runtime metadata. When a vulnerability is found in code or an image that is deployed and running, the issue is flagged with additional severity context to support informed triage and decision-making. * **Risk Prioritization Support**\ You can prioritize issues based on runtime status, filter findings by whether they are actively running, or create custom policies that adjust severity accordingly. For a description of the supported Kubernetes connection models, including direct cloud integration and Inspector-based access, see [Kubernetes Reachability](https://docs.ox.security/ox-integrations/3rd-party-integrations/cloud-security/kubernetes-reachability). ## Google Cloud Platform (GCP) support for GKE To support GKE integration, OX also connects to Google Cloud Platform (GCP). The GCP connector is required to enable GKE connectivity and provides cloud-level context for Kubernetes workloads. The GCP connector is used to: * Authenticate access to your Google Cloud project as a prerequisite for connecting GKE. * Enrich Kubernetes data with cloud-level information, including whether deployed workloads are internet exposed. * Generate a cloud-based bill of materials (Cloud BOM) that reflects assets deployed in your cloud environment. ## Prerequisites * A Google Cloud project with IAM permissions to: * Create service accounts * Manage service account keys * Enable required APIs (e.g., Compute Engine API, IAM API, Kubernetes Engine API). * Optional: `gcloud` CLI installed and configured. * A running GKE cluster in the selected GCP project, with Kubernetes API enabled. * Authorized OX static IP address to access your GKE: 108.128.213.11, 34.247.61.212. ## Step 1: Create a new service account \[Google] 1. Log in to the [Google Cloud Console](https://console.cloud.google.com). 2. Select your GKE project. 3. Navigate to **IAM & Admin**. 4. Select **Service Accounts**.

5. Select **+ Create Service Account**.

6. Add a meaningful name and an optional description. 7. Select **Create and Continue**.

8. Grant the **Viewer** role to the new service account and select **Done**. The new service account appears in the **Service accounts** table.

9. In the **Actions** column, select the newly created service account, click the three dot menu related to it, and select **Manage keys**. 10. In the **Keys** pane, select **Add key > Create new key**.

12. Select **JSON** and then select **Create**. The file is automatically downloaded to your system. 13. Securely store the JSON key file. 14. To encode the Key File in Base64: * On **macOS/Linux**, run: `base64 .json` * On **Windows**, use a tool or plugin to convert the JSON to a one-line Base64 string. > **Note:** The Base64 encoding ensures multi-line keys are compacted into a single string. 15. To enable required Google Cloud APIs, in the **Google Cloud Console**: 1. Navigate to **APIs & Services**. 2. In the left pane, select **Library**. 3. Search for and enable the following APIs: * Compute Engine API (compute.googleapis.com) * Kubernetes Engine API (container.googleapis.com) * Cloud Resource Manager API (cloudresourcemanager.googleapis.com)

4. Alternatively, use the gcloud CLI to enable all the required APIs at once: ``` gcloud services enable compute.googleapis.com \ apikeys.googleapis.com \ artifactregistry.googleapis.com \ bigquery.googleapis.com \ sqladmin.googleapis.com \ storage.googleapis.com \ dns.googleapis.com \ containerregistry.googleapis.com \ container.googleapis.com \ iam.googleapis.com \ dataproc.googleapis.com \ cloudkms.googleapis.com \ logging.googleapis.com \ cloudresourcemanager.googleapis.com ``` e. To verify the APIs were enabled, run: ``` gcloud services list --enabled ``` ## Step 2: Connect to GCP 1. In the **Google Cloud Console**, locate the ID of the project in which you have created a service account.

2. In the **OX Security** platform, go to **Connectors** and search for **GCP**.

3. Select **GCP** and set the following parameters in the **Configure your GCP credentials** dialog.

| Parameter | Description | | ----------------- | ------------------------------ | | **Project ID** | Copy the value from the step 1 | | **API** **Token** | Base64-encoded key | 4. Select **CONNECT**. A success message appears. ## Multi-project access **To reuse one service account across multiple GCP projects:** 1. [Create a new service account](#creating-a-new-service-account). 2. In the source project, copy the email of the service account.

3. For each target project, navigate to **IAM & Admin** and select **Grant Access**.

4. In the **New principals** box, add the copied email address. 5. In the **Role** box, select **Viewer** and then click **Save**. 6. In the **OX Security** platform, go to **Connectors** and search for **GCP**. 7. Select **GCP** and set the following parameters in the **Configure your GCP credentials** dialog.

| Parameter | Description | | ----------------- | ------------------ | | **Project ID** | Add \* | | **API** **Token** | Base64-encoded key | 8. Select **CONNECT**. A success message appears. ## Step 3: Connect to GKE After you configure the GCP connector, you can connect your GKE clusters. The GKE connector does not require separate credentials. Instead, it automatically uses the credentials you created for GCP, because both connectors rely on the same authentication format and access scope within your Google Cloud project. Configuring GKE is a short process. Once the GCP connector is active and the required services are enabled in your Google Cloud project, you only need to select your cluster and complete the connection. When you connect GKE, OX retrieves metadata from your Kubernetes clusters and enriches your environment with workload-level and runtime insights. **To connect to GKE:** 1. In the **OX Security** platform, go to **Connectors** and search for **GKE**.

2. Select **GKE**.

3. Select **Connect**. 4. To select specific clusters for scanning by OX platform, select the gear icon next to **DELETE**. 5. Select the clusters you want to protect.

6. Select **SAVE**. After connecting your cluster, OX begins collecting Kubernetes metadata, such as deployed workloads, image versions, and runtime status. This information enriches your Applications, Issues, Attack Path, and Artifact BOM pages with cloud-native context.