This page explains the shared security responsibilities for both Google and
Google Cloud customers. Running a business-critical application on Google Kubernetes Engine (GKE) requires
multiple parties to have different responsibilities. Although this page is not an exhaustive
list, this document can help you understand your responsibilities.
This document is for
Security specialists who define, govern and implement policies and procedures
to protect an organization's data from unauthorized access. To learn more about
common roles and example tasks that we reference in Google Cloud content, see
Common GKE user roles and tasks.
Hardening
and
patching
the nodes' operating system, such as Container-Optimized OS or
Ubuntu. GKE promptly makes any patches to these images
available. If you have auto-upgrade enabled, or are using a
release channel,
these updates are automatically deployed. This is the OS layer underneath
your container—it's not the same as the operating system running in your
containers.
Building and operating threat detection for container-specific threats
into the kernel with
Container Threat Detection
(priced separately with Security Command Center).
Hardening and
patching
Kubernetes node components. All GKE managed components are upgraded
automatically when you upgrade GKE node versions. This includes:
Hardening and
patching
the control plane. The control plane includes the control plane VM, API
server, scheduler, controller manager,
cluster CA, TLS certificate issuance and rotation, root-of-trust key material,
IAM authenticator and authorizer, audit logging
configuration, etcd, and various other controllers. All of your control
plane components run on Google-operated Compute Engine instances. These
instances are single tenant, meaning each instance runs the control plane
and its components for only one customer.
Provide Google Cloud integrations for Connect,
Identity and Access Management, Cloud Audit Logs, Google Cloud Observability,
Cloud Key Management Service, Security Command Center, and others.
Restrict and log Google administrative access to customer clusters for
contractual support purposes with
Access Transparency.
Customer's responsibilities
Maintain your workloads, including your application code, build files,
container images, data, Role-based access control (RBAC)/IAM
policy, and containers and pods that you are running.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[],[],null,["# GKE shared responsibility\n\n[Autopilot](/kubernetes-engine/docs/concepts/autopilot-overview) [Standard](/kubernetes-engine/docs/concepts/choose-cluster-mode)\n\n*** ** * ** ***\n\nThis page explains the shared security responsibilities for both Google and\nGoogle Cloud customers. Running a business-critical application on Google Kubernetes Engine (GKE) requires\nmultiple parties to have different responsibilities. Although this page is not an exhaustive\nlist, this document can help you understand your responsibilities.\n\nThis document is for\nSecurity specialists who define, govern and implement policies and procedures\nto protect an organization's data from unauthorized access. To learn more about\ncommon roles and example tasks that we reference in Google Cloud content, see\n[Common GKE user roles and tasks](/kubernetes-engine/enterprise/docs/concepts/roles-tasks).\n\n### Google's responsibilities\n\n- Protecting the underlying infrastructure, including hardware, firmware, kernel, OS, storage, network, and more. This includes [encrypting data at rest by default](/security/encryption-at-rest/default-encryption), providing [additional customer-managed disk encryption](/kubernetes-engine/docs/how-to/using-cmek), [encrypting data in transit](/security/encryption-in-transit), using [custom-designed hardware](/docs/security/titan-hardware-chip), laying [private network cables](/about/locations#network-tab), protecting data centers from physical access, protecting the bootloader and kernel against modification using [Shielded Nodes](/kubernetes-engine/docs/how-to/shielded-gke-nodes), and following secure software development practices.\n- [Hardening](/container-optimized-os/docs/concepts/security) and [patching](/kubernetes-engine/docs/resources/security-patching) the nodes' operating system, such as Container-Optimized OS or Ubuntu. GKE promptly makes any patches to these images available. If you have auto-upgrade enabled, or are using a [release channel](/kubernetes-engine/docs/concepts/release-channels), these updates are automatically deployed. This is the OS layer underneath your container---it's not the same as the operating system running in your containers.\n- Building and operating threat detection for container-specific threats into the kernel with [Container Threat Detection](/security-command-center/docs/concepts-container-threat-detection-overview) (priced separately with Security Command Center).\n- Hardening and [patching](/kubernetes-engine/docs/resources/security-patching) Kubernetes node components. All GKE managed components are upgraded automatically when you upgrade GKE node versions. This includes:\n - [vTPM-backed trusted bootstrap mechanism for issuing kubelet TLS certificates](/kubernetes-engine/docs/how-to/shielded-gke-nodes) and auto-rotation of the certificates\n - Hardened kubelet configuration [following CIS benchmarks](/kubernetes-engine/docs/concepts/cis-benchmarks)\n - GKE metadata server for [Workload identity](/kubernetes-engine/docs/how-to/workload-identity)\n - GKE's native [Container Network Interface plugin and Calico for NetworkPolicy](/kubernetes-engine/docs/concepts/network-overview)\n - GKE Kubernetes storage integrations such as the [CSI driver](/kubernetes-engine/docs/how-to/persistent-volumes/gce-pd-csi-driver)\n - GKE [logging and monitoring agents](/stackdriver/docs/solutions/gke)\n- Hardening and [patching](/kubernetes-engine/docs/resources/security-patching) the control plane. The control plane includes the control plane VM, API server, scheduler, controller manager, [cluster CA, TLS certificate issuance and rotation, root-of-trust key material](/kubernetes-engine/docs/concepts/cluster-trust), IAM authenticator and authorizer, audit logging configuration, etcd, and various other controllers. All of your control plane components run on Google-operated Compute Engine instances. These instances are single tenant, meaning each instance runs the control plane and its components for only one customer.\n- Provide Google Cloud integrations for Connect, Identity and Access Management, Cloud Audit Logs, Google Cloud Observability, Cloud Key Management Service, Security Command Center, and others.\n- Restrict and log Google administrative access to customer clusters for contractual support purposes with [Access Transparency](/access-transparency).\n\n### Customer's responsibilities\n\n- Maintain your workloads, including your application code, build files, container images, data, Role-based access control (RBAC)/IAM policy, and containers and pods that you are running.\n- [Rotate your clusters credentials](/kubernetes-engine/docs/how-to/credential-rotation#overview).\n- Keep Standard node pools enrolled in [automatic upgrades](/kubernetes-engine/upgrades#automatic_node_upgrades).\n- In the following situations, manually upgrade your clusters and node pools to remediate vulnerabilities within your organization's patching timelines:\n - Auto-upgrades are postponed because of factors like maintenance policies.\n - You need to apply a patch before it becomes available in your selected release channel. For more information, see [Run patch versions from a newer channel](/kubernetes-engine/docs/concepts/release-channels#newer-patch-versions).\n- Monitor the cluster and applications and respond to any alerts and incidents using technologies such as the [security posture dashboard](/kubernetes-engine/docs/concepts/about-security-posture-dashboard) and [Google Cloud Observability](/stackdriver/docs).\n- Provide Google with environmental details when requested for troubleshooting purposes.\n- Ensure Logging and Monitoring are enabled on clusters. *Without logs, support is available on a best-effort\n basis*.\n\nWhat's next\n-----------\n\n- Read the GKE [Security overview](/kubernetes-engine/docs/concepts/security-overview)."]]
