2.1.1 Do not use client certificate authentication for users (Manual)
2.2.1 Create a minimal audit policy (Manual)
2.2.2 Ensure that the audit policy covers key security concerns (Manual)
3.1.1 Set the proxy kubeconfig file permissions to 644 or more restrictive (Automated)
3.1.2 Set the proxy kubeconfig file ownership to root:root (Automated)
3.1.3 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Automated)
3.1.4 Set the kubelet configuration file ownership to root:root (Automated)
3.2.1 Set the --anonymous-auth argument to false (Automated)
3.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
3.2.3 Set the --client-ca-file argument as appropriate (Automated)
3.2.4 Set the --read-only-port argument to 0 (Automated)
3.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated)
3.2.6 Set the --make-iptables-util-chains argument to true (Automated)
3.2.7 Ensure that the --hostname-override argument is not set (Automated)
3.2.8 Set the --eventrecordqps argument to 5 or higher to ensure appropriate event capture (Automated)
3.2.9 Set the --tls-cert-file and --tls-private-key-file arguments as appropriate (Automated)
3.2.10 Ensure that the --rotate-certificates argument is not set to false (Automated)
3.2.11 Set the RotateKubeletServerCertificate argument to true (Automated)
4.1.1 Ensure that the cluster-admin role is only used where required (Automated)
4.1.2 Minimize access to secrets (Automated)
4.1.3 Minimize wildcard use in Roles (Automated)
4.1.3 Minimize wildcard use in ClusterRoles (Automated)
4.1.4 Minimize access to create pods in Roles (Automated)
4.1.4 Minimize access to create pods in ClusterRoles (Automated)
4.1.5 Ensure that default service accounts are not actively used in Roles (Automated)
4.1.5 Ensure that default service accounts are not actively used in ClusterRoles (Automated)
4.1.6 Ensure that Service Account Tokens are only mounted where necessary (Automated)
4.1.6 Ensure that default service accounts are not automatically mounting their Kubernetes API access token (Automated)
4.2.1 Minimize the admission of privileged containers (Automated)
4.2.2 Minimize the admission of containers wishing to share the host process ID namespace (Automated)
4.2.3 Minimize the admission of containers wishing to share the host Inter-Process Communication (IPC) namespace (Automated)
4.2.4 Minimize the admission of containers wishing to share the host network namespace (Automated)
4.2.5 Minimize the admission of containers with allowPrivilegeEscalation (Automated)
4.2.6 Minimize the admission of root containers (Automated)
4.2.7 Minimize the admission of containers with added capabilities (Automated)
4.2.8 Minimize the admission of containers with capabilities assigned (Manual)
4.3.1 Ensure that the Container Network Interface (CNI) in use supports Network Policies (Manual)
4.3.2 Ensure that all Namespaces have Network Policies defined (Manual)
4.4.1 Prefer using secrets as files over secrets as environment variables (Manual)
4.4.2 Consider external secret storage (Manual)
4.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)
4.6.1 Create administrative boundaries between resources using namespaces (Manual)
4.6.2 Set the seccomp profile to docker/default in the pod definitions (Manual)
4.6.3 Apply Security Context to Pods and Containers (Manual)
4.6.4 Do not use the default namespace (Manual)
5.1.1 Ensure Image Vulnerability Scanning using Google Container Registry (GCR) Container Analysis or a third party provider (Manual)
5.1.2 Minimize user access to Google Container Registry (GCR) (Manual)
5.1.3 Minimize cluster access to read-only for Google Container Registry (GCR) (Manual)
5.1.4 Minimize Container Registries to only those approved (Automated)
5.2.1 Ensure Google Kubernetes Engine (GKE) clusters are not running using the Compute Engine default service account (Automated)
5.2.2 Prefer using dedicated GCP Service Accounts and Workload Identity (Automated)
5.3.1 Encrypt Kubernetes Secrets using keys managed in Cloud Key Management Service (KMS) (Automated)
5.4.1 Disable legacy Compute Engine instance metadata APIs (Automated)
5.4.2 Enable the Google Kubernetes Engine (GKE) Metadata Server (Automated)
5.5.1 Use Container-Optimized OS (cos_containerd) for Google Kubernetes Engine (GKE) node images (Automated)
5.5.2 Enable Node Auto-Repair for Google Kubernetes Engine (GKE) nodes (Automated)
5.5.3 Enable Node Auto-Upgrade for Google Kubernetes Engine (GKE) nodes (Automated)
5.5.4 When creating New Clusters - Automate Google Kubernetes Engine (GKE) version management using Release Channels (Automated)
5.5.5 Enable Shielded Google Kubernetes Engine (GKE) Nodes (Automated)
5.5.6 Enable Integrity Monitoring for Shielded Google Kubernetes Engine (GKE) Nodes (Automated)
5.5.7 Enable Secure Boot for Shielded Google Kubernetes Engine (GKE) Nodes (Automated)
5.6.1 Enable Virtual Private Cloud (VPC) Flow Logs and Intranode Visibility (Automated)
5.6.2 Ensure use of Virtual Private Cloud (VPC) native clusters (Automated)
5.6.3 Enable Control Plane Authorized Networks (Automated)
5.6.4 Create clusters with Private Endpoint Enabled and Public Access Disabled (Automated)
5.6.5 Create clusters with Private Nodes (Automated)
5.6.6 Consider firewalling Google Kubernetes Engine (GKE) worker nodes (Manual)
5.6.7 Enable Network Policy and set as appropriate (Automated)
5.6.8 Ensure use of Google-managed SSL Certificates (Manual)
5.7.1 Enable Logging and Cloud Monitoring (Automated)
5.7.2 Enable Linux auditd logging (Manual)
5.8.1 Disable Basic Authentication using static passwords (Automated)
5.8.2 Disable authentication using Client Certificates (Automated)
5.8.3 Manage Kubernetes Role-Based Access Control (RBAC) users with Google Groups for Google Kubernetes Engine (GKE) (Manual)
5.8.4 Disable Legacy Attribute-Based Access Control (ABAC) (Automated)
5.9.1 Enable Customer-Managed Encryption Keys (CMEK) for Google Kubernetes Engine (GKE) Persistent Disks (PD) (Automated)
5.10.1 Disable Kubernetes Web UI (Automated)
5.10.2 Ensure that Alpha clusters are not used for production workloads (Automated)
5.10.3 Enable Pod Security Policy and set as appropriate (Manual)
5.10.4 Consider Google Kubernetes Engine (GKE) Sandbox for running untrusted workloads (Automated)
5.10.5 Ensure use of Binary Authorization (Automated)
5.10.6 Enable Cloud Security Command Center (SCC) (Manual)