> For the complete documentation index, see [llms.txt](https://surecloud.gitbook.io/surecloud-docs/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://surecloud.gitbook.io/surecloud-docs/integrations/ccm-and-evidence-collection-integrations/google-cloud/google-kubernetes-engine.md).

# Google Kubernetes Engine

SureCloud enumerates all Google Kubernetes Engine clusters across monitored GCP projects and inspects each cluster's security configuration. SureCloud checks whether Workload Identity is enabled (so pods obtain short-lived credentials for an IAM-mapped Kubernetes service account instead of using the node's service account or exported service account keys), verifies that the Kubernetes API server is not reachable from `0.0.0.0/0`, reviews node pool configurations for automatic node upgrades and Shielded Nodes settings, and checks whether Binary Authorization is enabled to enforce signed-image policies. This provides continuous evidence that your container orchestration layer is hardened against common Kubernetes attack vectors.

## Endpoints

| API Call                                               | Use Case                                                                                              |
| ------------------------------------------------------ | ----------------------------------------------------------------------------------------------------- |
| `container.projects.locations.clusters.list`           | Enumerate all GKE clusters across all regions and zones in a project (the location wildcard `-` returns both zonal and regional clusters in one call) |
| `container.projects.locations.clusters.get`            | Retrieve full cluster configuration including network policy, workload identity, and logging settings |
| `container.projects.locations.clusters.nodePools.list` | List node pools and inspect auto-upgrade, Shielded Nodes, and service account configuration           |

## Pagination

The GKE API does not paginate the `clusters.list` response — all clusters in a project are returned in a single response. Node pool lists are similarly returned in a single response per cluster.

{% hint style="info" %}
SureCloud reads GKE cluster and node pool **configuration** via the GKE management API. SureCloud does not connect to cluster API servers, read Kubernetes resources (Pods, Deployments, etc.), or interact with workloads running in the cluster.
{% endhint %}

## Required permissions

| Role                         | Grants                                                                           |
| ---------------------------- | -------------------------------------------------------------------------------- |
| `roles/iam.securityReviewer` | Includes `container.clusters.get` and `container.clusters.list` for all projects; `container.clusters.get` also covers the node pool list call |

## Troubleshooting

<details>

<summary>Private clusters are showing the API server endpoint as exposed</summary>

GKE private clusters use a private endpoint for the API server by default, but may also keep a public endpoint enabled for operational convenience (`privateClusterConfig.enablePrivateEndpoint` is `false`). SureCloud flags clusters where the public endpoint is enabled and either `masterAuthorizedNetworksConfig.enabled` is `false` or the `masterAuthorizedNetworksConfig.cidrBlocks` list contains `0.0.0.0/0`, which permits every source and is equivalent to having no authorised networks at all.

To restrict public endpoint access, navigate to **GKE → \[Cluster] → Networking → Control plane authorised networks** and enable authorised networks with your organisation's IP ranges. Alternatively, disable the public endpoint entirely if all access is via the private endpoint.

</details>

<details>

<summary>Workload Identity shows as disabled for clusters where it appears enabled</summary>

Workload Identity must be enabled at both the cluster level (`workloadIdentityConfig.workloadPool`) and the node pool level (`config.workloadMetadataConfig.mode` set to `GKE_METADATA`). SureCloud checks both. A cluster with Workload Identity enabled at the cluster level but a node pool still using `GCE_METADATA` will be flagged, because pods on that pool can still reach the node's service account through the instance metadata server.

Verify node pool configuration in **GKE → \[Cluster] → Nodes → \[Node pool] → Security → Metadata server**.

</details>

<details>

<summary>GKE clusters in Autopilot mode have different findings than Standard clusters</summary>

GKE Autopilot clusters manage node pools automatically and enforce several security defaults (Shielded Nodes, Workload Identity, secure boot) that cannot be disabled. SureCloud recognises Autopilot clusters via the `autopilot.enabled` field and adjusts findings accordingly — settings that Google enforces in Autopilot mode will not generate findings even if the configuration field is absent.

</details>
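The checks described in the overview and in the three troubleshooting entries above, as an added example that is not SureCloud's code. It evaluates a cluster document of the shape returned by `container.projects.locations.clusters.get` (field names follow the GKE REST API `Cluster` and `NodePool` resources); the finding codes, the `check_cluster`/`check_project` helpers and both sample clusters are constructed for this example and do not correspond to SureCloud's own finding names.

```python
"""Evaluate a GKE cluster's hardening from its `clusters.get` configuration.

Added example, not SureCloud's code. Field names follow the GKE REST API;
finding codes and the sample clusters below are constructed for illustration.
"""
from __future__ import annotations

ANY_IPV4 = "0.0.0.0/0"
# evaluationMode values that mean Binary Authorization is not enforcing.
BINAUTHZ_OFF = {None, "DISABLED", "EVALUATION_MODE_UNSPECIFIED"}


def check_cluster(cluster: dict) -> list[str]:
    """Return constructed finding codes for one cluster document."""
    findings: list[str] = []
    autopilot = bool(cluster.get("autopilot", {}).get("enabled"))
    pools = cluster.get("nodePools", [])

    # Workload Identity needs the cluster-level pool AND GKE_METADATA on each
    # node pool. Autopilot configures its node pools itself, so skip them there.
    if not cluster.get("workloadIdentityConfig", {}).get("workloadPool"):
        findings.append("WORKLOAD_IDENTITY_DISABLED")
    elif not autopilot:
        for pool in pools:
            mode = pool.get("config", {}).get("workloadMetadataConfig", {}).get("mode")
            if mode != "GKE_METADATA":
                findings.append(f"WORKLOAD_IDENTITY_NODEPOOL:{pool['name']}")

    # Control plane: a public endpoint (no privateClusterConfig, or
    # enablePrivateEndpoint false) must be limited by authorised networks,
    # and an authorised network of 0.0.0.0/0 is equivalent to none at all.
    private = cluster.get("privateClusterConfig", {})
    if not private.get("enablePrivateEndpoint"):
        authz = cluster.get("masterAuthorizedNetworksConfig", {})
        if not authz.get("enabled"):
            findings.append("API_SERVER_NO_AUTHORIZED_NETWORKS")
        elif any(b.get("cidrBlock") == ANY_IPV4 for b in authz.get("cidrBlocks", [])):
            findings.append("API_SERVER_AUTHORIZED_NETWORK_ANY")

    # Node settings that Google enforces on Autopilot are not checked there,
    # even when the field is absent from the document.
    if not autopilot:
        if not cluster.get("shieldedNodes", {}).get("enabled"):
            findings.append("SHIELDED_NODES_DISABLED")
        for pool in pools:
            name = pool["name"]
            if not pool.get("management", {}).get("autoUpgrade"):
                findings.append(f"NODEPOOL_AUTO_UPGRADE_DISABLED:{name}")
            shielded = pool.get("config", {}).get("shieldedInstanceConfig", {})
            if not shielded.get("enableSecureBoot"):
                findings.append(f"NODEPOOL_SECURE_BOOT_DISABLED:{name}")

    # Binary Authorization: the newer evaluationMode supersedes the older
    # boolean `enabled`; treat the cluster as enforcing if either says so.
    binauthz = cluster.get("binaryAuthorization", {})
    if binauthz.get("evaluationMode") in BINAUTHZ_OFF and not binauthz.get("enabled"):
        findings.append("BINARY_AUTHORIZATION_DISABLED")

    return findings


def check_project(clusters: list[dict]) -> dict[str, list[str]]:
    """Map cluster name to findings for every cluster listed in a project."""
    return {c["name"]: check_cluster(c) for c in clusters}


# Constructed sample: a Standard cluster with Workload Identity on at the
# cluster level only, an authorised network of 0.0.0.0/0, and weak node pool
# and Binary Authorization settings.
STANDARD_CLUSTER = {
    "name": "payments-prod",
    "workloadIdentityConfig": {"workloadPool": "example-project.svc.id.goog"},
    "privateClusterConfig": {"enablePrivateNodes": True, "enablePrivateEndpoint": False},
    "masterAuthorizedNetworksConfig": {"enabled": True, "cidrBlocks": [{"cidrBlock": "0.0.0.0/0"}]},
    "shieldedNodes": {"enabled": True},
    "binaryAuthorization": {"evaluationMode": "DISABLED"},
    "nodePools": [
        {
            "name": "default-pool",
            "config": {
                "workloadMetadataConfig": {"mode": "GCE_METADATA"},
                "shieldedInstanceConfig": {"enableSecureBoot": False},
            },
            "management": {"autoUpgrade": False},
        }
    ],
}

# Constructed sample: an Autopilot cluster. shieldedNodes is absent from the
# document, which is not a finding because Google enforces it in Autopilot.
AUTOPILOT_CLUSTER = {
    "name": "autopilot-prod",
    "autopilot": {"enabled": True},
    "workloadIdentityConfig": {"workloadPool": "example-project.svc.id.goog"},
    "privateClusterConfig": {"enablePrivateNodes": True, "enablePrivateEndpoint": False},
    "masterAuthorizedNetworksConfig": {"enabled": True, "cidrBlocks": [{"cidrBlock": "203.0.113.0/24"}]},
    "binaryAuthorization": {"evaluationMode": "PROJECT_SINGLETON_POLICY_ENFORCE"},
    "nodePools": [],
}

if __name__ == "__main__":
    for name, found in check_project([STANDARD_CLUSTER, AUTOPILOT_CLUSTER]).items():
        print(name, found or "no findings")
```

Running the block prints five findings for `payments-prod` and none for `autopilot-prod`. The Standard cluster is flagged on the node pool's `GCE_METADATA` mode even though `workloadPool` is set, which is exactly the situation the second troubleshooting entry describes; a cluster whose `privateClusterConfig.enablePrivateEndpoint` is `true` skips the control plane checks entirely because no public endpoint exists.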
