Vulnerability scanning removal from GKE Standard edition


This page describes the removal of vulnerability scanning capabilities from the Google Kubernetes Engine (GKE) security posture dashboard for the GKE Standard edition. If you use GKE Enterprise, this page doesn't apply to you.

About vulnerability scanning

The GKE security posture dashboard lets you monitor eligible workloads for issues like security misconfigurations and known vulnerabilities. The security posture dashboard is available to use with both GKE Enterprise and the GKE Standard edition.

Workload vulnerability scanning uses the following tiers, each of which scans specific parts of your running containers:

  • Workload vulnerability scanning - standard tier: scans the container OS for vulnerabilities.
  • Advanced Vulnerability Insights: scans the container OS and language packages for vulnerabilities.

Both tiers of workload vulnerability scanning are deprecated in the GKE Standard edition. If you use GKE Enterprise, you'll continue to have access to all of these vulnerability scanning capabilities.

Timeline and milestones

Expect the following milestones:

  • July 31, 2025: vulnerability scanning no longer displays results in the Google Cloud console if you use the GKE Standard edition. You no longer see an option to enable or disable vulnerability scanning in the security posture dashboard unless you enable GKE Enterprise.

Impact to workloads and clusters

The removal of workload vulnerability scanning capabilities won't result in workload or cluster disruptions. If you use the GKE Standard edition and take no action by July 31, 2025, the only changes that occur are as follows:

  • The Security Posture page in the Google Cloud console no longer displays vulnerability scanning results.
  • You can't enable workload vulnerability scanning for clusters that use the GKE Standard edition.
  • You can't view existing scan results in the security posture dashboard for GKE Standard edition clusters.
  • Workload vulnerability scanning is disabled in existing clusters that use the feature.

Existing logs in Cloud Logging remain in the _Default log bucket for the configured log retention period.

What you can do

To continue using vulnerability scanning after it's removed from the GKE Standard edition, you must enable GKE Enterprise in your environment. For details, see Enable GKE Enterprise.

Enable container image scanning in Artifact Registry using Artifact Analysis

Artifact Analysis offers automatic or on-demand vulnerability scanning options for container images in Artifact Registry. For details, see Container scanning overview.

Disable vulnerability scanning

To stop using vulnerability scanning in your clusters before it's removed from the GKE Standard edition, see Disable workload vulnerability scanning.