Policy Controller Integration with SCC

The integration of Policy Controller for Kubernetes clusters with Security Command Center is now released to General Availability.

Policy Controller enables the application and enforcement of programmable policies for your Kubernetes clusters. These policies act as guardrails and can help with best practices, security, and compliance management of your clusters and fleet. Policy Controller is fully integrated with Google Cloud, includes a built-in dashboard for observability, and comes with a full library of pre-built policies for common security and compliance controls.

Policy Controller can operate as:

  • Detective Control: Identify policy violations and send these findings to SCC.
  • Preventive Control: Stop deployments that fall outside of your configured compliance.
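Policy Controller constraints are OPA Gatekeeper constraints, and the enforcementAction field is what selects between the two modes above. The following is an added example (not from this post or the Policy Controller bundles) that assumes the K8sPSPPrivilegedContainer template from the Policy Controller constraint template library is installed on the cluster; the bundle constraints that produce the SCC findings described here are shipped pre-built rather than written by hand.

```yaml
# Detective mode: violations are only recorded by the audit controller
# (visible with `kubectl get constraint`), nothing is blocked.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: audit-privileged-containers
spec:
  enforcementAction: dryrun
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
---
# Preventive mode: the admission webhook rejects any new Pod that
# requests a privileged container. `deny` is also the default when
# enforcementAction is omitted.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: block-privileged-containers
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces:
      - kube-system   # assumed exception for system workloads
```

A common rollout is to start a new constraint in dryrun, review the audit violations it reports, and only then switch it to deny so that existing workloads are not broken by surprise.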

If you install Policy Controller and enable either the CIS Kubernetes Benchmark v1.5.1 or the PCI-DSS v3.2.1 Policy Controller bundle, or both, Policy Controller automatically writes cluster violations to Security Command Center Premium as findings of the Misconfiguration finding class.

The Policy Controller findings come from the following Policy Controller bundles:

  • CIS Kubernetes Benchmark v1.5.1, a set of recommendations for configuring Kubernetes to support a strong security posture.
  • PCI-DSS v3.2.1, a bundle which evaluates the compliance of your cluster resources against some aspects of the Payment Card Industry Data Security Standard (PCI-DSS) v3.2.1.

Securing GCP containers is vital for safeguarding your applications and data in the cloud. With their lightweight nature and rapid deployment, containers offer incredible agility, but this speed also presents a larger attack surface for malicious actors. Compromised containers can expose sensitive information, disrupt critical services, and even launch attacks on other systems. Therefore, implementing robust security measures at every stage, from build to runtime, is essential. 

Security Command Center Premium tier comes with Container Threat Detection as a built-in service that continuously monitors the state of Container-Optimized OS node images. The service evaluates all changes and remote access attempts to detect runtime attacks in near-real time.

Container Threat Detection detects the most common container runtime attacks and alerts you in Security Command Center and, optionally, in Cloud Logging. Container Threat Detection includes several detection capabilities, including suspicious binaries and libraries, and uses natural language processing (NLP) to detect malicious bash scripts.

This service, combined with SCC's Event Threat Detection capabilities, gives you the advantage you need to secure your container resources against cyberattacks.

For more information please see below:

Policy Controller https://cloud.google.com/anthos-config-management/docs/concepts/policy-controller

How To Install Policy Controller https://cloud.google.com/anthos-config-management/docs/how-to/installing-policy-controller

CIS Kubernetes Benchmark v1.5.1 https://cloud.google.com/anthos-config-management/docs/how-to/using-cis-k8s-benchmark

PCI-DSS v3.2.1 https://cloud.google.com/anthos-config-management/docs/how-to/using-pci-dss-v3

Container Threat Detection https://cloud.google.com/security-command-center/docs/concepts-container-threat-detection-overview?h...

ETD Rules for GKE https://cloud.google.com/security-command-center/docs/concepts-event-threat-detection-overview?hl=en...
