GKE security hardening guide with Pulumi. Private clusters, Workload Identity, Binary Authorization, network policies, IAM configuration, and runtime security enforcement.
Deploys hardened GKE clusters using Pulumi with private endpoints, Workload Identity, Binary Authorization, and network policies. Trigger when creating production-ready Kubernetes infrastructure requiring defense-in-depth security controls.
/plugin marketplace add adaptive-enforcement-lab/claude-skills/plugin install secure@ael-skillsThis skill inherits all available tools. When active, it can use any tool Claude has access to.
examples.mdreference.mdscripts/example-1.mermaidscripts/example-2.shscripts/example-3.shscripts/example-4.yamlscripts/example-5.yamlscripts/example-6.yamlscripts/example-7.yamlDefense in Depth
GKE security hardening follows a layered approach:
- Control plane - Private clusters, authenticated access, audit logging
- Network - VPC-native networking, network policies, egress controls
- Identity - Workload Identity Federation, least-privilege IAM, audit trails
- Runtime - Pod Security Standards, admission controllers, monitoring
This guide uses Pulumi for Infrastructure as Code, enabling repeatable, auditable cluster deployments across environments (QAC, DEV, STG, PRD).
Environment Promotion Order
Always promote changes through: QAC → DEV → STG → PRD → OPS
Never skip environments in the promotion pipeline.
gcloud CLI installed and authenticatedProduction Warning
These configurations enforce strict security controls. Test in QAC/DEV before production deployment.
See examples.md for detailed code examples.
Verification
After deployment, verify the security posture using the verification checklists in each configuration module.
| Misconfiguration | Risk | Fix |
|---|---|---|
| Public cluster endpoint | Exposed API server | Set privateClusterConfig.enablePrivateNodes = true |
| Metadata server enabled | Pod can access node credentials | Set workloadMetadataConfig.mode = "GKE_METADATA" |
| No network policies | All-to-all traffic | Apply default-deny + explicit policies |
| Privileged containers | Root container escape | Set securityContext.privileged = false |
| No admission controllers | Insecure pods deployed | Deploy validating/mutating webhooks |
| No audit logging | Compliance blind spot | Enable GKE Cloud Logging sink |
| Overpermissioned service accounts | Lateral movement | Use Workload Identity + least-privilege IAM |
| Public container registry | Image tampering | Use private Artifact Registry + Binary Auth |
Attack Surface Reduction
Each misconfiguration listed above represents a verified attack vector. Fix all items before production deployment.
See examples.md for code examples.
See reference.md for complete documentation.
Master authentication and authorization patterns including JWT, OAuth2, session management, and RBAC to build secure, scalable access control systems. Use when implementing auth systems, securing APIs, or debugging security issues.