CNE GCP Ready: Security Recommendations
Cloud Native Experience (CNE) GCP Ready supports secure-by-default deployment patterns for Kubernetes, infrastructure provisioning, and platform access.
Use these recommendations to reduce operational risk and align deployments with common enterprise security practices.
Use Private GKE Clusters
CNE provisions Google Kubernetes Engine (GKE) clusters as private clusters by default.
Keep the private-cluster configuration enabled whenever possible. Avoid exposing the Kubernetes API server publicly.
Use Connect Gateway for cluster access instead of public API endpoints.
For more information, see Accessing the Kubernetes Cluster.
Restrict Terraform Access
Provisioning infrastructure with Terraform can create or destroy cloud resources across the GCP project.
Restrict Terraform execution to approved users or CI/CD environments.
Recommended practices:
- Use dedicated Google Service Accounts for provisioning
- Grant only the minimum required IAM roles
- Use service account impersonation instead of shared credentials
- Prefer controlled CI/CD execution for `terraform apply`
Avoid granting broad project-level roles such as roles/owner and roles/editor.
Use Single Sign-On (SSO)
Integrate platform services with an enterprise identity provider whenever possible.
Recommended integrations include Argo CD, Grafana, and Argo Workflows.
Use industry-standard authentication protocols such as OpenID Connect (OIDC) and SAML.
Require MFA for all administrative access.
Apply Least-Privilege Access
Grant users only the permissions required for their responsibilities.
Apply least-privilege access across Google Cloud IAM, Kubernetes RBAC, and Argo CD RBAC.
Prefer assigning permissions through identity-provider groups instead of individual user accounts.
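The two checks above (no broad project-level roles such as roles/owner and roles/editor, and permissions granted through identity-provider groups rather than individual users) can be audited from an exported IAM policy. The following script is an added example, not part of CNE GCP Ready; it reads the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints, and the embedded policy is constructed sample data with hypothetical principals.

```python
"""Audit a GCP project IAM policy for broad roles and direct user grants.

Added example (not part of CNE GCP Ready). Input is the JSON printed by
`gcloud projects get-iam-policy PROJECT --format=json`; SAMPLE_POLICY below
is constructed sample data with hypothetical principals.
"""
import json

BROAD_ROLES = {"roles/owner", "roles/editor"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

REASON_BROAD = "broad project-level role"
REASON_USER = "direct user grant; prefer an identity-provider group"
REASON_PUBLIC = "public principal"

SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:tf-runner@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/container.developer",
         "members": ["group:platform-devs@example.com"]},
        {"role": "roles/viewer", "members": ["user:bob@example.com"]},
    ],
    "etag": "BwXyz123",
    "version": 1,
})


def audit_iam_policy(policy_json):
    """Return a list of (member, role, reason) findings, in policy order."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            # Members look like "user:...", "group:...", "serviceAccount:...".
            kind = member.split(":", 1)[0]
            if role in BROAD_ROLES:
                findings.append((member, role, REASON_BROAD))
            if kind == "user":
                findings.append((member, role, REASON_USER))
            if member in PUBLIC_MEMBERS:
                findings.append((member, role, REASON_PUBLIC))
    return findings


if __name__ == "__main__":
    for member, role, reason in audit_iam_policy(SAMPLE_POLICY):
        print(f"{member:70} {role:30} {reason}")
```

Run it against a live project with `gcloud projects get-iam-policy PROJECT --format=json | python3 audit_iam.py` after replacing SAMPLE_POLICY with `sys.stdin.read()`.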
Use Workload Identity Federation
Prefer Workload Identity Federation (WIF) over long-lived service account keys for CI/CD and external integrations.
WIF reduces credential management overhead and avoids storing static credentials in repositories or CI systems.
For more information, see Workload Identity Federation.
Enable Audit and Access Logging
Enable centralized logging for infrastructure and platform components.
Recommended logging sources include:
- GKE Cloud Audit Logs
- VPC Flow Logs
- Cloud Load Balancer access logs
- Cloud SQL audit logs
- Argo CD audit logs
- Elasticsearch audit logs
Use Cloud Logging for centralized collection and monitoring.
Review retention policies to ensure they align with organizational compliance requirements.
Use Kubernetes Pod Security Admission
Apply Pod Security Admission labels to Kubernetes namespaces so that the admission controller rejects workloads that do not meet the selected policy level.
For example, to enforce the restricted policy on a namespace:
```yaml
pod-security.kubernetes.io/enforce: restricted
```
Use elevated policies only for workloads that require privileged node access.
Avoid Manual Infrastructure Changes
Manage infrastructure resources through GitOps, Terraform, and Crossplane workflows.
Avoid creating, modifying, or deleting managed resources directly in the GCP console, as this can cause infrastructure state inconsistencies.