CIS Google Kubernetes Engine (GKE) 1.4.0 Benchmark
Preview Feature
This article describes functionality that is currently in preview.
Lacework provides compliance policies based on CIS Google Kubernetes Engine (GKE) Benchmark v1.4.0 (or CIS GKE 1.4.0 Benchmark for short).
Once you have integrated your GKE environment with Lacework, you can check whether your resources are compliant with the benchmark recommendations.
Visibility and Usage in the Lacework Console
You can use the CIS GKE 1.4.0 Benchmark in the following ways:
- Enable or disable policies through the Policies page (see CIS GKE 1.4.0 Benchmark Policies).
- Create and manage Compliance Policy Exceptions as and when needed.
- Receive Compliance-related Alerts for enabled CIS GKE 1.4.0 Benchmark policies (when violations occur).
- The Kubernetes Compliance Dashboard provides assessment results for each Kubernetes framework, including the CIS GKE 1.4.0 Benchmark.
Prerequisites
Ensure you have integrated your GKE environment with the Lacework Compliance platform. Completing this will prepare your environment for the CIS GKE 1.4.0 Benchmark:
CIS GKE 1.4.0 Benchmark Policies
All policies in the CIS GKE 1.4.0 Benchmark are enabled by default.
You can enable or disable them using one of the following methods outlined in this section.
Enable or Disable Policies in the Lacework Console
On the Policies page, use the framework:cis-gke-1-4-0 tag to filter for CIS GKE 1.4.0 policies only.
You can enable or disable each one using the status toggle.
Alternatively, see Batch Update Policies to enable or disable multiple policies at once.
note
Manual policies do not have a status toggle as there is no functional check to enable. For more information about manual policies, see Automated vs Manual Policies.
Enable or Disable Policies using the Lacework CLI
tip
If you have not set up the Lacework CLI before, see the Lacework CLI guide to get started.
Enable or disable all the CIS GKE 1.4.0 policies using the following commands in the Lacework CLI:
Enable all policies
lacework policy enable --tag framework:cis-gke-1-4-0
Disable all policies
lacework policy disable --tag framework:cis-gke-1-4-0
Enable or disable specific CIS GKE 1.4.0 policies using the following command examples in the Lacework CLI:
Enable lacework-global-733
lacework policy enable lacework-global-733
Disable lacework-global-733
lacework policy disable lacework-global-733
Policy Mapping for CIS GKE 1.4.0
The CIS GKE 1.4.0 recommendations are mapped to Lacework global policies. See the following sections for the mappings used.
Table key:
- Control ID - The CIS GKE 1.4.0 Benchmark security control identifier.
- Title - The policy/recommendation title.
- Lacework Policy ID - The Lacework policy identifier.
- CIS Assessment - Whether CIS have determined that the security control can be assessed automatically or if it requires manual verification.
- Lacework Assessment - Whether Lacework have determined that the security control can be assessed automatically or if it requires manual verification.
- Severity - The severity of the policy (as determined by Lacework).
- 1. Control Plane Components
- 2. Control Plane Configuration
- 3. Worker Nodes
- 4. Policies
- 5. Managed Services
This section is not applicable for managed Kubernetes clusters, therefore, it contains no controls.
- 2.1 Authentication and Authorization
- 2.2 Logging
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 2.1.1 | Do not use client certificate authentication for users | lacework-global-726 | Manual | Manual | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 2.2.1 | Create a minimal audit policy | lacework-global-727 | Manual | Manual | Medium |
| 2.2.2 | Ensure that the audit policy covers key security concerns | lacework-global-728 | Manual | Manual | Medium |
- 3.1 Worker Node Configuration Files
- 3.2 Kubelet
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 3.1.1 | Set the proxy kubeconfig file permissions to 644 or more restrictive | lacework-global-729 | Manual | Automated | High |
| 3.1.2 | Set the proxy kubeconfig file ownership to root:root | lacework-global-730 | Manual | Automated | High |
| 3.1.3 | Ensure that the kubelet configuration file has permissions set to 644 or more restrictive | lacework-global-731 | Manual | Automated | High |
| 3.1.4 | Set the kubelet configuration file ownership to root:root | lacework-global-732 | Manual | Automated | High |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 3.2.1 | Set the --anonymous-auth argument to false | lacework-global-733 | Automated | Automated | High |
| 3.2.2 | Ensure that the --authorization-mode argument is not set to AlwaysAllow | lacework-global-734 | Automated | Automated | High |
| 3.2.3 | Set the --client-ca-file argument as appropriate | lacework-global-735 | Automated | Automated | Medium |
| 3.2.4 | Set the --read-only-port argument to 0 | lacework-global-736 | Manual | Automated | High |
| 3.2.5 | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | lacework-global-737 | Automated | Automated | Medium |
| 3.2.6 | Set the --make-iptables-util-chains argument to true | lacework-global-738 | Automated | Automated | Medium |
| 3.2.7 | Ensure that the --hostname-override argument is not set | lacework-global-739 | Manual | Automated | Medium |
| 3.2.8 | Set the --eventrecordqps argument to 5 or higher to ensure appropriate event capture | lacework-global-740 | Automated | Automated | Low |
| 3.2.9 | Set the --tls-cert-file and --tls-private-key-file arguments as appropriate | lacework-global-741 | Automated | Automated | Low |
| 3.2.10 | Ensure that the --rotate-certificates argument is not set to false | lacework-global-742 | Automated | Automated | Medium |
| 3.2.11 | Set the RotateKubeletServerCertificate argument to true | lacework-global-743 | Automated | Automated | Medium |
- 4.1 RBAC and Service Accounts
- 4.2 Pod Security Standards
- 4.3 Network Policies and CNI
- 4.4 Secrets Management
- 4.5 Extensible Admission Control
- 4.6 General Policies
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 4.1.1 | Ensure that the cluster-admin role is only used where required | lacework-global-744 | Manual | Automated | High |
| 4.1.2 | Minimize access to secrets | lacework-global-745 | Manual | Automated | Medium |
| 4.1.3 | Minimize wildcard use in Roles and ClusterRoles | lacework-global-746 lacework-global-823 | Manual | Automated | Medium |
| 4.1.4 | Minimize access to create pods | lacework-global-747 lacework-global-824 | Manual | Automated | Medium |
| 4.1.5 | Ensure that default service accounts are not actively used | lacework-global-748 lacework-global-825 | Manual | Automated | Medium |
| 4.1.6 | Ensure that Service Account Tokens are only mounted where necessary | lacework-global-749 lacework-global-826 | Manual | Automated | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 4.2.1 | Minimize the admission of privileged containers | lacework-global-750 | Manual | Automated | Medium |
| 4.2.2 | Minimize the admission of containers wishing to share the host process ID namespace | lacework-global-751 | Manual | Automated | Medium |
| 4.2.3 | Minimize the admission of containers wishing to share the host Inter-Process Communication (IPC) namespace | lacework-global-752 | Manual | Automated | Medium |
| 4.2.4 | Minimize the admission of containers wishing to share the host network namespace | lacework-global-753 | Manual | Automated | Medium |
| 4.2.5 | Minimize the admission of containers with allowPrivilegeEscalation | lacework-global-754 | Manual | Automated | Medium |
| 4.2.6 | Minimize the admission of root containers | lacework-global-783 | Manual | Automated | Medium |
| 4.2.7 | Minimize the admission of containers with added capabilities | lacework-global-755 | Manual | Automated | Medium |
| 4.2.8 | Minimize the admission of containers with capabilities assigned | lacework-global-784 | Manual | Manual | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 4.3.1 | Ensure that the Container Network Interface (CNI) in use supports Network Policies | lacework-global-756 | Manual | Manual | Medium |
| 4.3.2 | Ensure that all Namespaces have Network Policies defined | lacework-global-785 | Manual | Manual | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 4.4.1 | Prefer using secrets as files over secrets as environment variables | lacework-global-786 | Manual | Manual | Medium |
| 4.4.2 | Consider external secret storage | lacework-global-787 | Manual | Manual | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 4.5.1 | Configure Image Provenance using ImagePolicyWebhook admission controller | lacework-global-788 | Manual | Manual | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 4.6.1 | Create administrative boundaries between resources using namespaces | lacework-global-757 | Manual | Manual | Medium |
| 4.6.2 | Set the seccomp profile to docker/default in the pod definitions | lacework-global-789 | Manual | Manual | Medium |
| 4.6.3 | Apply Security Context to Pods and Containers | lacework-global-790 | Manual | Manual | Medium |
| 4.6.4 | Do not use the default namespace | lacework-global-791 | Manual | Manual | Low |
- 5.1 Image Registry and Image Scanning
- 5.2 Identity and Access Management (IAM)
- 5.3 Cloud Key Management Service (Cloud KMS)
- 5.4 Node Metadata
- 5.5 Node Configuration and Maintenance
- 5.6 Cluster Networking
- 5.7 Logging
- 5.8 Authentication and Authorization
- 5.9 Storage
- 5.10 Other Cluster Configurations
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 5.1.1 | Ensure Image Vulnerability Scanning using Google Container Registry (GCR) Container Analysis or a third party provider | lacework-global-758 | Automated | Manual | Medium |
| 5.1.2 | Minimize user access to Google Container Registry (GCR) | lacework-global-759 | Manual | Manual | Medium |
| 5.1.3 | Minimize cluster access to read-only for Google Container Registry (GCR) | lacework-global-760 | Manual | Manual | Medium |
| 5.1.4 | Minimize Container Registries to only those approved | lacework-global-792 | Manual | Automated | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 5.2.1 | Ensure Google Kubernetes Engine (GKE) clusters are not running using the Compute Engine default service account | lacework-global-761 | Automated | Automated | Medium |
| 5.2.2 | Prefer using dedicated GCP Service Accounts and Workload Identity | lacework-global-762 | Manual | Automated | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 5.3.1 | Encrypt Kubernetes Secrets using keys managed in Cloud Key Management Service (KMS) | lacework-global-763 | Automated | Automated | High |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 5.4.1 | Disable legacy Compute Engine instance metadata APIs | lacework-global-764 | Automated | Automated | Low |
| 5.4.2 | Enable the Google Kubernetes Engine (GKE) Metadata Server | lacework-global-793 | Automated | Automated | Low |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 5.5.1 | Use Container-Optimized OS (cos_containerd) for Google Kubernetes Engine (GKE) node images | lacework-global-794 | Automated | Automated | Low |
| 5.5.2 | Enable Node Auto-Repair for Google Kubernetes Engine (GKE) nodes | lacework-global-765 | Automated | Automated | Medium |
| 5.5.3 | Enable Node Auto-Upgrade for Google Kubernetes Engine (GKE) nodes | lacework-global-766 | Automated | Automated | Medium |
| 5.5.4 | When creating New Clusters - Automate Google Kubernetes Engine (GKE) version management using Release Channels | lacework-global-767 | Manual | Automated | Medium |
| 5.5.5 | Enable Shielded Google Kubernetes Engine (GKE) Nodes | lacework-global-768 | Manual | Automated | Medium |
| 5.5.6 | Enable Integrity Monitoring for Shielded Google Kubernetes Engine (GKE) Nodes | lacework-global-769 | Automated | Automated | Medium |
| 5.5.7 | Enable Secure Boot for Shielded Google Kubernetes Engine (GKE) Nodes | lacework-global-795 | Automated | Automated | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 5.6.1 | Enable Virtual Private Cloud (VPC) Flow Logs and Intranode Visibility | lacework-global-796 | Automated | Automated | Medium |
| 5.6.2 | Ensure use of Virtual Private Cloud (VPC) native clusters | lacework-global-770 | Automated | Automated | High |
| 5.6.3 | Enable Control Plane Authorized Networks | lacework-global-771 | Automated | Automated | Medium |
| 5.6.4 | Create clusters with Private Endpoint Enabled and Public Access Disabled | lacework-global-797 | Automated | Automated | Medium |
| 5.6.5 | Create clusters with Private Nodes | lacework-global-772 | Automated | Automated | Medium |
| 5.6.6 | Consider firewalling Google Kubernetes Engine (GKE) worker nodes | lacework-global-798 | Manual | Manual | Medium |
| 5.6.7 | Enable Network Policy and set as appropriate | lacework-global-773 | Manual | Automated | Medium |
| 5.6.8 | Ensure use of Google-managed SSL Certificates | lacework-global-799 | Manual | Manual | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 5.7.1 | Enable Logging and Cloud Monitoring | lacework-global-774 | Automated | Automated | Medium |
| 5.7.2 | Enable Linux auditd logging | lacework-global-800 | Manual | Manual | Low |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 5.8.1 | Disable Basic Authentication using static passwords | lacework-global-775 | Automated | Automated | Medium |
| 5.8.2 | Disable authentication using Client Certificates | lacework-global-776 | Automated | Automated | Medium |
| 5.8.3 | Manage Kubernetes Role-Based Access Control (RBAC) users with Google Groups for Google Kubernetes Engine (GKE) | lacework-global-801 | Manual | Manual | Medium |
| 5.8.4 | Disable Legacy Attribute-Based Access Control (ABAC) | lacework-global-777 | Automated | Automated | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 5.9.1 | Enable Customer-Managed Encryption Keys (CMEK) for Google Kubernetes Engine (GKE) Persistent Disks (PD) | lacework-global-778 | Manual | Automated | Medium |
| Control ID | Title | Lacework Policy ID | CIS Assessment | Lacework Assessment | Severity |
|---|---|---|---|---|---|
| 5.10.1 | Disable Kubernetes Web UI | lacework-global-779 | Automated | Automated | Medium |
| 5.10.2 | Ensure that Alpha clusters are not used for production workloads | lacework-global-780 | Automated | Automated | Medium |
| 5.10.3 | Enable Pod Security Policy and set as appropriate | lacework-global-781 | Manual | Manual | Medium |
| 5.10.4 | Consider Google Kubernetes Engine (GKE) Sandbox for running untrusted workloads | lacework-global-802 | Manual | Automated | Medium |
| 5.10.5 | Ensure use of Binary Authorization | lacework-global-803 | Automated | Automated | Medium |
| 5.10.6 | Enable Cloud Security Command Center (SCC) | lacework-global-782 | Manual | Manual | Medium |
Automated vs Manual Policies
Lacework automates compliance policies where possible. This allows the Lacework platform to monitor your environment resources to check whether they are compliant with the benchmark recommendations.
For some benchmark recommendations, it is not possible to automate the policy checks in a Google Cloud environment. These policies are manual, and you must verify such policies manually. Lacework provides the manual remediation steps for these policies (when available).
Automated Policies (that were deemed manual)
In some cases, Lacework can automate certain CIS benchmark controls that were deemed as manual by CIS.
The following table outlines the CIS Google Kubernetes Engine (GKE) 1.4.0 Benchmark policies that fall within this category:
Click to expand
| Control ID | Lacework Policy ID | Title |
|---|---|---|
| 3.1.1 | lacework-global-729 | Set the proxy kubeconfig file permissions to 644 or more restrictive |
| 3.1.2 | lacework-global-730 | Set the proxy kubeconfig file ownership to root:root |
| 3.1.3 | lacework-global-731 | Ensure that the kubelet configuration file has permissions set to 644 or more restrictive |
| 3.1.4 | lacework-global-732 | Set the kubelet configuration file ownership to root:root |
| 3.2.4 | lacework-global-736 | Set the --read-only-port argument to 0 |
| 3.2.7 | lacework-global-739 | Ensure that the --hostname-override argument is not set |
| 4.1.1 | lacework-global-744 | Ensure that the cluster-admin role is only used where required |
| 4.1.2 | lacework-global-745 | Minimize access to secrets |
| 4.1.3 | lacework-global-746 | Minimize wildcard use in Roles |
| 4.1.3 | lacework-global-823 | Minimize wildcard use in ClusterRoles |
| 4.1.4 | lacework-global-747 | Minimize access to create pods in Roles |
| 4.1.4 | lacework-global-824 | Minimize access to create pods in ClusterRoles |
| 4.1.5 | lacework-global-748 | Ensure that default service accounts are not actively used in Roles |
| 4.1.5 | lacework-global-825 | Ensure that default service accounts are not actively used in ClusterRoles |
| 4.1.6 | lacework-global-749 | Ensure that Service Account Tokens are only mounted where necessary |
| 4.1.6 | lacework-global-826 | Ensure that default service accounts are not automatically mounting their Kubernetes API access token |
| 4.2.1 | lacework-global-750 | Minimize the admission of privileged containers |
| 4.2.2 | lacework-global-751 | Minimize the admission of containers wishing to share the host process ID namespace |
| 4.2.3 | lacework-global-752 | Minimize the admission of containers wishing to share the host Inter-Process Communication (IPC) namespace |
| 4.2.4 | lacework-global-753 | Minimize the admission of containers wishing to share the host network namespace |
| 4.2.5 | lacework-global-754 | Minimize the admission of containers with allowPrivilegeEscalation |
| 4.2.6 | lacework-global-783 | Minimize the admission of root containers |
| 4.2.7 | lacework-global-755 | Minimize the admission of containers with added capabilities |
| 5.1.4 | lacework-global-792 | Minimize Container Registries to only those approved |
| 5.2.2 | lacework-global-762 | Prefer using dedicated GCP Service Accounts and Workload Identity |
| 5.5.4 | lacework-global-767 | When creating New Clusters - Automate Google Kubernetes Engine (GKE) version management using Release Channels |
| 5.5.5 | lacework-global-768 | Enable Shielded Google Kubernetes Engine (GKE) Nodes |
| 5.6.7 | lacework-global-773 | Enable Network Policy and set as appropriate |
| 5.9.1 | lacework-global-778 | Enable Customer-Managed Encryption Keys (CMEK) for Google Kubernetes Engine (GKE) Persistent Disks (PD) |
| 5.10.4 | lacework-global-802 | Consider Google Kubernetes Engine (GKE) Sandbox for running untrusted workloads |
Manual Policies (that were deemed automated)
In some cases, Lacework cannot automate certain CIS benchmark controls that were deemed as automated by CIS.
This is often due to one of the following reasons:
- Scope is defined by the user.
- It requires configuring other products or API permissions that are out of scope.
- Known issues for audit procedure described by the CIS control.
The following table outlines the CIS GKE 1.4.0 Benchmark policies that fall within this category:
Click to expand
| CIS GKE 1.4.0 Control ID | Title | Lacework Policy ID |
|---|---|---|
| 5.1.1 | Ensure Image Vulnerability Scanning using Google Container Registry (GCR) Container Analysis or a third party provider | lacework-global-758 |
Adjusted Controls
4.1.3 Minimize wildcard use in Roles and ClusterRoles
This control has been split into two policies to check Roles and ClusterRoles separately.
The table below outlines each policy and their new title:
Click to expand
| Control ID | Lacework Policy ID | Title |
|---|---|---|
| 4.1.3 | lacework-global-746 | Minimize wildcard use in Roles |
| 4.1.3 | lacework-global-823 | Minimize wildcard use in ClusterRoles |
4.1.4 Minimize access to create pods
This control has been split into two policies to check Roles and ClusterRoles separately.
The table below outlines each policy and their new title:
Click to expand
| Control ID | Lacework Policy ID | Title |
|---|---|---|
| 4.1.4 | lacework-global-747 | Minimize access to create pods in Roles |
| 4.1.4 | lacework-global-824 | Minimize access to create pods in ClusterRoles |
4.1.5 Ensure that default service accounts are not actively used
This control has been split into two policies to check Roles and ClusterRoles separately.
The table below outlines each policy and their new title:
Click to expand
| Control ID | Lacework Policy ID | Title |
|---|---|---|
| 4.1.5 | lacework-global-748 | Ensure that default service accounts are not actively used in Roles |
| 4.1.5 | lacework-global-825 | Ensure that default service accounts are not actively used in ClusterRoles |
4.1.6 Ensure that Service Account Tokens are only mounted where necessary
This control has been split into two policies to check Service Account Tokens and Kubernetes API access tokens separately.
The table below outlines each policy and their new title:
Click to expand
| Control ID | Lacework Policy ID | Title |
|---|---|---|
| 4.1.6 | lacework-global-749 | Ensure that Service Account Tokens are only mounted where necessary |
| 4.1.6 | lacework-global-826 | Ensure that default service accounts are not automatically mounting their Kubernetes API access token |