
// the find

google/gke-policy-automation

★ 526 · Go · Apache-2.0 · updated Nov 2025

Tool and policy library for reviewing Google Kubernetes Engine clusters against best practices

A CLI tool for auditing GKE clusters against a library of OPA/Rego policies covering security, networking, and node pool configuration. It connects to GCP directly via application default credentials and outputs findings to console, JSON, Pub/Sub, GCS, or Security Command Center. Aimed at platform teams running GKE at any scale who want automated compliance checking beyond what the GCP console surfaces.

The policy library is genuinely wide — 40+ rules covering things most teams overlook (shielded nodes, binary authorization, intranode visibility, version skew between control plane and pools). Every policy has a paired test file, which is the right call for Rego that's easy to get subtly wrong. The scalability limits check using kube-state-metrics is a nice addition — it warns you before you hit GKE quota walls, not after. The Terraform reference solution for serverless execution via Cloud Run + Cloud Scheduler is included and actually usable, not just a placeholder.

GKE-only by design, so if you're multi-cloud or mixing GKE Standard with GKE Autopilot clusters, the policy coverage gets uneven — the Autopilot policy is a single file and clearly an afterthought. The scalability check requires kube-state-metrics piped through Google Managed Prometheus (GMP) or a self-managed Prometheus, which is non-trivial to set up and undocumented for teams not already running it. There are two parallel policy directories (gke-policies and gke-policies-v2) with no clear migration path or deprecation notice, which is going to confuse anyone pulling from the repo. Star count (526) and fork count (27) after several years suggest adoption is thin outside Google itself — the policy set reflects Google's own opinion of best practices, which may not match your org's security posture.

