CIS GKE 1.4.0 | Lacework Documentation

📄️ 2.1.1

2.1.1 Do not use client certificate authentication for users (Manual)

📄️ 2.2.1

2.2.1 Create a minimal audit policy (Manual)

📄️ 2.2.2

2.2.2 Ensure that the audit policy covers key security concerns (Manual)

📄️ 3.1.1

3.1.1 Set the proxy kubeconfig file permissions to 644 or more restrictive (Automated)

📄️ 3.1.2

3.1.2 Set the proxy kubeconfig file ownership to root:root (Automated)

📄️ 3.1.3

3.1.3 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Automated)

📄️ 3.1.4

3.1.4 Set the kubelet configuration file ownership to root:root (Automated)

📄️ 3.2.1

3.2.1 Set the --anonymous-auth argument to false (Automated)

📄️ 3.2.2

3.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)

📄️ 3.2.3

3.2.3 Set the --client-ca-file argument as appropriate (Automated)

📄️ 3.2.4

3.2.4 Set the --read-only-port argument to 0 (Automated)

📄️ 3.2.5

3.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated)

📄️ 3.2.6

3.2.6 Set the --make-iptables-util-chains argument to true (Automated)

📄️ 3.2.7

3.2.7 Ensure that the --hostname-override argument is not set (Automated)

📄️ 3.2.8

3.2.8 Set the --eventrecordqps argument to 5 or higher to ensure appropriate event capture (Automated)

📄️ 3.2.9

3.2.9 Set the --tls-cert-file and --tls-private-key-file arguments as appropriate (Automated)

📄️ 3.2.10

3.2.10 Ensure that the --rotate-certificates argument is not set to false (Automated)

📄️ 3.2.11

3.2.11 Set the RotateKubeletServerCertificate argument to true (Automated)

📄️ 4.1.1

4.1.1 Ensure that the cluster-admin role is only used where required (Automated)

📄️ 4.1.2

4.1.2 Minimize access to secrets (Automated)

📄️ 4.1.3

4.1.3 Minimize wildcard use in Roles (Automated)

📄️ 4.1.3

4.1.3 Minimize wildcard use in ClusterRoles (Automated)

📄️ 4.1.4

4.1.4 Minimize access to create pods in Roles (Automated)

📄️ 4.1.4

4.1.4 Minimize access to create pods in ClusterRoles (Automated)

📄️ 4.1.5

4.1.5 Ensure that default service accounts are not actively used in Roles (Automated)

📄️ 4.1.5

4.1.5 Ensure that default service accounts are not actively used in ClusterRoles (Automated)

📄️ 4.1.6

4.1.6 Ensure that Service Account Tokens are only mounted where necessary (Automated)

📄️ 4.1.6

4.1.6 Ensure that default service accounts are not automatically mounting their Kubernetes API access token (Automated)

📄️ 4.2.1

4.2.1 Minimize the admission of privileged containers (Automated)

📄️ 4.2.2

4.2.2 Minimize the admission of containers wishing to share the host process ID namespace (Automated)

📄️ 4.2.3

4.2.3 Minimize the admission of containers wishing to share the host Inter-Process Communication (IPC) namespace (Automated)

📄️ 4.2.4

4.2.4 Minimize the admission of containers wishing to share the host network namespace (Automated)

📄️ 4.2.5

4.2.5 Minimize the admission of containers with allowPrivilegeEscalation (Automated)

📄️ 4.2.6

4.2.6 Minimize the admission of root containers (Automated)

📄️ 4.2.7

4.2.7 Minimize the admission of containers with added capabilities (Automated)

📄️ 4.2.8

4.2.8 Minimize the admission of containers with capabilities assigned (Manual)

📄️ 4.3.1

4.3.1 Ensure that the Container Network Interface (CNI) in use supports Network Policies (Manual)

📄️ 4.3.2

4.3.2 Ensure that all Namespaces have Network Policies defined (Manual)

📄️ 4.4.1

4.4.1 Prefer using secrets as files over secrets as environment variables (Manual)

📄️ 4.4.2

4.4.2 Consider external secret storage (Manual)

📄️ 4.5.1

4.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)

📄️ 4.6.1

4.6.1 Create administrative boundaries between resources using namespaces (Manual)

📄️ 4.6.2

4.6.2 Set the seccomp profile to docker/default in the pod definitions (Manual)

📄️ 4.6.3

4.6.3 Apply Security Context to Pods and Containers (Manual)

📄️ 4.6.4

4.6.4 Do not use the default namespace (Manual)

📄️ 5.1.1

5.1.1 Ensure Image Vulnerability Scanning using Google Container Registry (GCR) Container Analysis or a third party provider (Manual)

📄️ 5.1.2

5.1.2 Minimize user access to Google Container Registry (GCR) (Manual)

📄️ 5.1.3

5.1.3 Minimize cluster access to read-only for Google Container Registry (GCR) (Manual)

📄️ 5.1.4

5.1.4 Minimize Container Registries to only those approved (Automated)

📄️ 5.2.1

5.2.1 Ensure Google Kubernetes Engine (GKE) clusters are not running using the Compute Engine default service account (Automated)

📄️ 5.2.2

5.2.2 Prefer using dedicated GCP Service Accounts and Workload Identity (Automated)

📄️ 5.3.1

5.3.1 Encrypt Kubernetes Secrets using keys managed in Cloud Key Management Service (KMS) (Automated)

📄️ 5.4.1

5.4.1 Disable legacy Compute Engine instance metadata APIs (Automated)

📄️ 5.4.2

5.4.2 Enable the Google Kubernetes Engine (GKE) Metadata Server (Automated)

📄️ 5.5.1

5.5.1 Use Container-Optimized OS (cos_containerd) for Google Kubernetes Engine (GKE) node images (Automated)

📄️ 5.5.2

5.5.2 Enable Node Auto-Repair for Google Kubernetes Engine (GKE) nodes (Automated)

📄️ 5.5.3

5.5.3 Enable Node Auto-Upgrade for Google Kubernetes Engine (GKE) nodes (Automated)

📄️ 5.5.4

5.5.4 When creating New Clusters - Automate Google Kubernetes Engine (GKE) version management using Release Channels (Automated)

📄️ 5.5.5

5.5.5 Enable Shielded Google Kubernetes Engine (GKE) Nodes (Automated)

📄️ 5.5.6

5.5.6 Enable Integrity Monitoring for Shielded Google Kubernetes Engine (GKE) Nodes (Automated)

📄️ 5.5.7

5.5.7 Enable Secure Boot for Shielded Google Kubernetes Engine (GKE) Nodes (Automated)

📄️ 5.6.1

5.6.1 Enable Virtual Private Cloud (VPC) Flow Logs and Intranode Visibility (Automated)

📄️ 5.6.2

5.6.2 Ensure use of Virtual Private Cloud (VPC) native clusters (Automated)

📄️ 5.6.3

5.6.3 Enable Control Plane Authorized Networks (Automated)

📄️ 5.6.4

5.6.4 Create clusters with Private Endpoint Enabled and Public Access Disabled (Automated)

📄️ 5.6.5

5.6.5 Create clusters with Private Nodes (Automated)

📄️ 5.6.6

5.6.6 Consider firewalling Google Kubernetes Engine (GKE) worker nodes (Manual)

📄️ 5.6.7

5.6.7 Enable Network Policy and set as appropriate (Automated)

📄️ 5.6.8

5.6.8 Ensure use of Google-managed SSL Certificates (Manual)

📄️ 5.7.1

5.7.1 Enable Logging and Cloud Monitoring (Automated)

📄️ 5.7.2

5.7.2 Enable Linux auditd logging (Manual)

📄️ 5.8.1

5.8.1 Disable Basic Authentication using static passwords (Automated)

📄️ 5.8.2

5.8.2 Disable authentication using Client Certificates (Automated)

📄️ 5.8.3

5.8.3 Manage Kubernetes Role-Based Access Control (RBAC) users with Google Groups for Google Kubernetes Engine (GKE) (Manual)

📄️ 5.8.4

5.8.4 Disable Legacy Attribute-Based Access Control (ABAC) (Automated)

📄️ 5.9.1

5.9.1 Enable Customer-Managed Encryption Keys (CMEK) for Google Kubernetes Engine (GKE) Persistent Disks (PD) (Automated)

📄️ 5.10.1

5.10.1 Disable Kubernetes Web UI (Automated)

📄️ 5.10.2

5.10.2 Ensure that Alpha clusters are not used for production workloads (Automated)

📄️ 5.10.3

5.10.3 Enable Pod Security Policy and set as appropriate (Manual)

📄️ 5.10.4

5.10.4 Consider Google Kubernetes Engine (GKE) Sandbox for running untrusted workloads (Automated)

📄️ 5.10.5

5.10.5 Ensure use of Binary Authorization (Automated)

📄️ 5.10.6

5.10.6 Enable Cloud Security Command Center (SCC) (Manual)