This is a concise list of tips and best practices for securing your GKE cluster and workloads. Some of them are GKE-specific, while others apply to Kubernetes in general. Follow the links for a detailed, in-depth explanation of each topic.
- Use Container-Optimized OS - https://cloud.google.com/container-optimized-os/docs/
- Enable Automatic Node Upgrades - https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-upgrades
- Use a private cluster (nodes get only internal IP addresses) and master authorized networks (also called control plane authorized networks), so that the API server is reachable only from the CIDR ranges you list - https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters
- Use k8s Secrets for sensitive information instead of ConfigMaps, environment variables baked into the image, or values committed with the manifests. Keep in mind that a Secret is only base64-encoded, not encrypted, when read through the API; GKE encrypts etcd at rest and can additionally encrypt Secrets at the application layer with Cloud KMS keys you control - https://kubernetes.io/docs/concepts/configuration/secret/
- Consider using a secret management tool for sensitive information - https://geekflare.com/secret-management-software/
- Use the RBAC API (Roles, ClusterRoles and their bindings) for fine-grained authorization control inside the cluster; on GKE, Cloud IAM governs who can reach the cluster at the project level, while RBAC governs what an identity may do with Kubernetes resources once inside - https://kubernetes.io/docs/reference/access-authn-authz/rbac/
- Always apply the principle of least privilege to the level of access provided to your users and your application - https://en.wikipedia.org/wiki/Principle_of_least_privilege
- Use k8s Network Policies to restrict pod-to-pod communication - https://kubernetes.io/docs/concepts/services-networking/network-policies/
- Use k8s Pod Security Policies to control security-sensitive aspects of the pod specification (creation and updates). Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; on current clusters use its successor, Pod Security Admission (the `pod-security.kubernetes.io/enforce` namespace label), or a policy engine such as Gatekeeper - https://kubernetes.io/docs/concepts/policy/pod-security-policy/
- Configure Pod/Container Security Contexts to define privileges and access control settings explicitly: run as a non-root user, drop Linux capabilities, forbid privilege escalation, and use a read-only root filesystem where the application allows it - https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
For a much more detailed discussion, see the GKE "Security overview" and "Hardening your cluster" guides.