一键在 Manus 中运行任何 Skill

开始使用

$pwd:

gke-workload-security

Name: Gke Workload Security
Author: GoogleCloudPlatform

// Workflows for auditing and hardening the security of GKE workloads.

在 Manus 中运行

$ git log --oneline --stat

stars:155

forks:73

updated:2026年4月21日 14:36

文件资源管理器

4 个文件

SKILL.md

readonly

name	gke-workload-security
description	Workflows for auditing and hardening the security of GKE workloads.

GKE Workload Security

This skill provides workflows and best practices for securing GKE workloads. It covers security auditing, Identity and Access Management (Workload Identity), Network Security (Network Policies), and Node Security.

Workflows

1. Security Audit

Assess the current security posture of your cluster using the provided audit script.

Capabilities:

Checks for Workload Identity.
Verifies Network Policy is enabled.
Checks if Shielded Nodes are enabled.
Checks if Binary Authorization is enabled.
Checks for Private Cluster configuration.

Command:

./scripts/audit_cluster.sh <cluster-name> <region> <project-id>

2. Configure Workload Identity

Workload Identity allows Kubernetes Service Accounts (KSAs) to impersonate Google Service Accounts (GSAs). This is the recommended method for workloads to access Google Cloud APIs.

Steps:

Create Namespace and KSA:

kubectl create namespace workload-identity-test-ns
kubectl create serviceaccount <ksa-name> \
    --namespace workload-identity-test-ns

Bind KSA to GSA:

gcloud iam service-accounts add-iam-policy-binding <gsa-name>@<project-id>.iam.gserviceaccount.com \
    --role roles/iam.workloadIdentityUser \
    --member "serviceAccount:<project-id>.svc.id.goog[workload-identity-test-ns/<ksa-name>]"

Annotate KSA:

kubectl annotate serviceaccount <ksa-name> \
    --namespace workload-identity-test-ns \
    iam.gke.io/gcp-service-account=<gsa-name>@<project-id>.iam.gserviceaccount.com

Verify Example Pod: Use existing asset assets/workload-identity-pod.yaml to test the configuration. Update the <ksa-name> in the file first.
```
kubectl apply -f ./assets/workload-identity-pod.yaml -n workload-identity-test-ns
```

3. Implement Network Policies

Control traffic flow between Pods using Network Policies. By default, all traffic is allowed.

Enable Network Policy Enforcement:

gcloud container clusters update <cluster-name> \
    --update-addons=NetworkPolicy=ENABLED \
    --region <region>

[!NOTE] If your cluster uses Dataplane V2 (--enable-dataplane-v2), Network Policy enforcement is built-in and this step is not required (and may fail).

Apply Default Deny Policy: Isolate namespaces by denying all ingress and egress traffic by default.

Replace with the namespace you want to isolate.

kubectl apply -f ./assets/default-deny-netpol.yaml -n <target-namespace>

4. Enable Shielded Nodes

Ensure nodes are running with verifiable integrity.

Command:

gcloud container clusters update <cluster-name> \
    --enable-shielded-nodes \
    --region <region>

5. GKE Sandbox (gVisor)

Run untrusted workloads in a sandbox for extra isolation.

Enable GKE Sandbox:

gcloud container clusters update <cluster-name> \
    --enable-gke-sandbox \
    --region <region>

Run a Sandboxed Pod: Add runtimeClassName: gvisor to your Pod spec.

6. Pod Security Standards

Enforce security policies on namespaces using labels.

Enforce Restricted Profile:

kubectl label --overwrite ns <namespace> \
    pod-security.kubernetes.io/enforce=restricted \
    pod-security.kubernetes.io/enforce-version=latest

[!NOTE] Using latest ensures you use the policies corresponding to the cluster's current version. You can pin it to a specific version (e.g., v1.30) to lock down the namespace to policies of a specific release.

7. Secret Manager Integration (CSI Driver)

Mount secrets from Google Cloud Secret Manager directly as volumes in your pods.

Prerequisites: Secret Manager CSI driver must be enabled on the cluster.

Example SecretProviderClass:

apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: my-secret-provider
spec:
  provider: gcp
  parameters:
    secrets: |
      - resourceName: "projects/<project-id>/secrets/my-secret/versions/latest"
        fileName: "my-secret-file"

Example Pod Spec excerpt:

spec:
  containers:
    - name: my-app
      volumeMounts:
        - name: secrets-store-inline
          mountPath: "/mnt/secrets"
          readOnly: true
  volumes:
    - name: secrets-store-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "my-secret-provider"

8. Enable Network Policy Logging

If using GKE Dataplane V2, you can log allowed and denied connections.

Steps:

Configure the NetworkLogging custom resource.

Example NetworkLogging Manifest:

apiVersion: networking.gke.io/v1alpha1
kind: NetworkLogging
metadata:
  name: default
spec:
  cluster:
    allow:
      log: true
      delegate: true
    deny:
      log: true
      delegate: true

This will log connection details to Cloud Logging.

Best Practices

Least Privilege: Always use Workload Identity with minimal IAM roles. Avoid using Node default service accounts.
Network Isolation: Use Network Policies to restrict Pod-to-Pod communication. Enable Network Policy Logging for visibility.
Image Security: Use Binary Authorization to ensure only trusted images are deployed.
Secret Management: Use Secret Manager CSI driver instead of default Kubernetes secrets for sensitive data.
Pod Security: Enforce baseline or restricted Pod Security Standards on all non-system namespaces.
Policy Enforcement: Consider using Policy Controller (Gatekeeper) to enforce custom security and compliance policies across the cluster.

related-skills.json

同仓库

gke-ai-troubleshooting-skill-creation-guide.md

from "GoogleCloudPlatform/gke-mcp"

Expert instructions for building high-quality GKE troubleshooting skills. Codifies Step 0 context rules, zero-hallucination signatures, and explicit LQL/PromQL query requirements.

2026-05-04155

gke-ai-troubleshooting-tpu-connection-failure-vbar-oom.md

from "GoogleCloudPlatform/gke-mcp"

Diagnose and prevent `vbar_control_agent` segfaults and OOMs caused by race conditions during TPU device resets and frequent metrics collection (e.g. every 3s). Use when TPU slice initialization fails or `vbar_control_agent` crashes on TPU v6e nodes.

2026-05-04155

gke-productionize.md

from "GoogleCloudPlatform/gke-mcp"

Assists in preparing applications and clusters on GKE for production.

2026-04-29155

gke-app-onboarding.md

from "GoogleCloudPlatform/gke-mcp"

Workflows for containerizing and deploying applications to GKE for the first time.

2026-04-29155

gke-cost-analysis.md

from "GoogleCloudPlatform/gke-mcp"

Answer natural language questions about GKE-related costs by leveraging BigQuery export and cost allocation data.

2026-04-15155

gke-cluster-creator.md

from "GoogleCloudPlatform/gke-mcp"

Guides the user through creating GKE clusters using pre-defined templates (Standard, Autopilot, GPU/AI).

2026-04-13155

package.json

"author": "GoogleCloudPlatform"

"repository": "GoogleCloudPlatform/gke-mcp"

打开 GitHub 仓库查看创作者相关仓库

$ install --global

$ download --local

在 Manus 中运行

$ useful --forSOC

网络与计算机系统管理员计算机与数学类职业15-1244L4

name	gke-workload-security
description	Workflows for auditing and hardening the security of GKE workloads.

GKE Workload Security

Workflows

1. Security Audit

Assess the current security posture of your cluster using the provided audit script.

Capabilities:

Checks for Workload Identity.
Verifies Network Policy is enabled.
Checks if Shielded Nodes are enabled.
Checks if Binary Authorization is enabled.
Checks for Private Cluster configuration.

Command:

./scripts/audit_cluster.sh <cluster-name> <region> <project-id>

2. Configure Workload Identity

Workload Identity allows Kubernetes Service Accounts (KSAs) to impersonate Google Service Accounts (GSAs). This is the recommended method for workloads to access Google Cloud APIs.

Steps:

Create Namespace and KSA:

kubectl create namespace workload-identity-test-ns
kubectl create serviceaccount <ksa-name> \
    --namespace workload-identity-test-ns

Bind KSA to GSA:

gcloud iam service-accounts add-iam-policy-binding <gsa-name>@<project-id>.iam.gserviceaccount.com \
    --role roles/iam.workloadIdentityUser \
    --member "serviceAccount:<project-id>.svc.id.goog[workload-identity-test-ns/<ksa-name>]"

Annotate KSA:

kubectl annotate serviceaccount <ksa-name> \
    --namespace workload-identity-test-ns \
    iam.gke.io/gcp-service-account=<gsa-name>@<project-id>.iam.gserviceaccount.com

Verify Example Pod: Use existing asset assets/workload-identity-pod.yaml to test the configuration. Update the <ksa-name> in the file first.
```
kubectl apply -f ./assets/workload-identity-pod.yaml -n workload-identity-test-ns
```

3. Implement Network Policies

Control traffic flow between Pods using Network Policies. By default, all traffic is allowed.

Enable Network Policy Enforcement:

gcloud container clusters update <cluster-name> \
    --update-addons=NetworkPolicy=ENABLED \
    --region <region>

[!NOTE] If your cluster uses Dataplane V2 (--enable-dataplane-v2), Network Policy enforcement is built-in and this step is not required (and may fail).

Apply Default Deny Policy: Isolate namespaces by denying all ingress and egress traffic by default.

Replace with the namespace you want to isolate.

kubectl apply -f ./assets/default-deny-netpol.yaml -n <target-namespace>

4. Enable Shielded Nodes

Ensure nodes are running with verifiable integrity.

Command:

gcloud container clusters update <cluster-name> \
    --enable-shielded-nodes \
    --region <region>

5. GKE Sandbox (gVisor)

Run untrusted workloads in a sandbox for extra isolation.

Enable GKE Sandbox:

gcloud container clusters update <cluster-name> \
    --enable-gke-sandbox \
    --region <region>

Run a Sandboxed Pod: Add runtimeClassName: gvisor to your Pod spec.

6. Pod Security Standards

Enforce security policies on namespaces using labels.

Enforce Restricted Profile:

kubectl label --overwrite ns <namespace> \
    pod-security.kubernetes.io/enforce=restricted \
    pod-security.kubernetes.io/enforce-version=latest

[!NOTE] Using latest ensures you use the policies corresponding to the cluster's current version. You can pin it to a specific version (e.g., v1.30) to lock down the namespace to policies of a specific release.

7. Secret Manager Integration (CSI Driver)

Mount secrets from Google Cloud Secret Manager directly as volumes in your pods.

Prerequisites: Secret Manager CSI driver must be enabled on the cluster.

Example SecretProviderClass:

apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: my-secret-provider
spec:
  provider: gcp
  parameters:
    secrets: |
      - resourceName: "projects/<project-id>/secrets/my-secret/versions/latest"
        fileName: "my-secret-file"

Example Pod Spec excerpt:

spec:
  containers:
    - name: my-app
      volumeMounts:
        - name: secrets-store-inline
          mountPath: "/mnt/secrets"
          readOnly: true
  volumes:
    - name: secrets-store-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "my-secret-provider"

8. Enable Network Policy Logging

If using GKE Dataplane V2, you can log allowed and denied connections.

Steps:

Configure the NetworkLogging custom resource.

Example NetworkLogging Manifest:

apiVersion: networking.gke.io/v1alpha1
kind: NetworkLogging
metadata:
  name: default
spec:
  cluster:
    allow:
      log: true
      delegate: true
    deny:
      log: true
      delegate: true

This will log connection details to Cloud Logging.

Best Practices

Least Privilege: Always use Workload Identity with minimal IAM roles. Avoid using Node default service accounts.
Network Isolation: Use Network Policies to restrict Pod-to-Pod communication. Enable Network Policy Logging for visibility.
Image Security: Use Binary Authorization to ensure only trusted images are deployed.
Secret Management: Use Secret Manager CSI driver instead of default Kubernetes secrets for sensitive data.
Pod Security: Enforce baseline or restricted Pod Security Standards on all non-system namespaces.
Policy Enforcement: Consider using Policy Controller (Gatekeeper) to enforce custom security and compliance policies across the cluster.

gke-workload-security

GKE Workload Security

Workflows

1. Security Audit

2. Configure Workload Identity

3. Implement Network Policies

4. Enable Shielded Nodes

5. GKE Sandbox (gVisor)

6. Pod Security Standards

7. Secret Manager Integration (CSI Driver)

8. Enable Network Policy Logging

Best Practices

同仓库更多 Skills

GKE Workload Security

Workflows

1. Security Audit

2. Configure Workload Identity

3. Implement Network Policies

4. Enable Shielded Nodes

5. GKE Sandbox (gVisor)

6. Pod Security Standards

7. Secret Manager Integration (CSI Driver)

8. Enable Network Policy Logging

Best Practices

同仓库更多 Skills