| 2.1.1 Client certificate authentication should not be used for users | ACCESS CONTROL |
| 4.1.1 Ensure that the cluster-admin role is only used where required | ACCESS CONTROL |
| 4.1.2 Minimize access to secrets | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 4.1.3 Minimize wildcard use in Roles and ClusterRoles | IDENTIFICATION AND AUTHENTICATION |
| 4.1.4 Ensure that default service accounts are not actively used | ACCESS CONTROL |
| 4.1.5 Ensure that Service Account Tokens are only mounted where necessary | CONFIGURATION MANAGEMENT |
| 4.1.6 Avoid use of system:masters group | ACCESS CONTROL |
| 4.1.7 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster | ACCESS CONTROL |
| 4.1.9 Avoid non-default bindings to system:unauthenticated | ACCESS CONTROL |
| 4.1.10 Avoid non-default bindings to system:authenticated | ACCESS CONTROL |
| 4.2.1 Ensure that the cluster enforces Pod Security Standard Baseline profile or stricter for all namespaces. | ACCESS CONTROL |
| 4.3.1 Ensure that the CNI in use supports Network Policies | CONFIGURATION MANAGEMENT |
| 4.6.1 Create administrative boundaries between resources using namespaces | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.2.1 Ensure GKE clusters are not running using the Compute Engine default service account | IDENTIFICATION AND AUTHENTICATION |
| 5.5.1 Ensure Container-Optimized OS (cos_containerd) is used for GKE node images | CONFIGURATION MANAGEMENT |
| 5.5.4 When creating New Clusters - Automate GKE version management using Release Channels | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 5.5.5 Ensure Shielded GKE Nodes are Enabled | CONFIGURATION MANAGEMENT |
| 5.5.6 Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | RISK ASSESSMENT |
| 5.6.2 Ensure use of VPC-native clusters | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.6.5 Ensure clusters are created with Private Nodes | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7.1 Ensure Logging and Cloud Monitoring is Enabled | AUDIT AND ACCOUNTABILITY |
| 5.8.1 Ensure authentication using Client Certificates is Disabled | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 5.8.3 Ensure Legacy Authorization (ABAC) is Disabled | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 5.10.1 Ensure Kubernetes Web UI is Disabled | CONFIGURATION MANAGEMENT |
| 5.10.2 Ensure that Alpha clusters are not used for production workloads | SYSTEM AND COMMUNICATIONS PROTECTION |
