CIS Google Kubernetes Engine (GKE) Autopilot v1.1.0 L2

Audit Details

Name: CIS Google Kubernetes Engine (GKE) Autopilot v1.1.0 L2

Updated: 2/28/2025

Authority: CIS

Plugin: GCP

Revision: 1.0

Estimated Item Count: 19

File Details

Filename: CIS_Google_Kubernetes_Engine_GKE_Autopilot_v1.1.0_L2.audit

Size: 65.9 kB

MD5: 9f285695d2982bc3012853a3fe902cdc
SHA256: 165ab9a22869de30d0364ecc6491442736c3c6065b5dd5e97d08f29ff2189654

Audit Items

Description | Categories
4.3.1 Ensure that all Namespaces have Network Policies defined | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION
4.4.1 Consider external secret storage | SYSTEM AND COMMUNICATIONS PROTECTION
4.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller | CONFIGURATION MANAGEMENT, MAINTENANCE
4.6.2 Ensure that the seccomp profile is set to RuntimeDefault in the pod definitions | CONFIGURATION MANAGEMENT
4.6.3 Apply Security Context to Pods and Containers | CONFIGURATION MANAGEMENT
4.6.4 The default namespace should not be used | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION
5.1.1 Ensure Image Vulnerability Scanning is enabled | RISK ASSESSMENT
5.1.2 Minimize user access to Container Image repositories | ACCESS CONTROL, MEDIA PROTECTION
5.1.3 Minimize cluster access to read-only for Container Image repositories | ACCESS CONTROL, MEDIA PROTECTION
5.1.4 Ensure only trusted container images are used | CONFIGURATION MANAGEMENT
5.2.1 Ensure GKE clusters are not running using the Compute Engine default service account | IDENTIFICATION AND AUTHENTICATION
5.3.1 Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION
5.4.2 Ensure Control Plane Authorized Networks is Enabled | ACCESS CONTROL, MEDIA PROTECTION
5.4.3 Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION
5.4.4 Ensure clusters are created with Private Nodes | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION
5.4.5 Ensure use of Google-managed SSL Certificates | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION
5.5.1 Manage Kubernetes RBAC users with Google Groups for GKE | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY
5.6.1 Enable Customer-Managed Encryption Keys (CMEK) for GKE Persistent Disks (PD) | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION
5.7.1 Enable Security Posture | CONFIGURATION MANAGEMENT