CIS Google Kubernetes Engine (GKE) v1.6.1 L2

Audit Details

Name: CIS Google Kubernetes Engine (GKE) v1.6.1 L2

Updated: 10/28/2024

Authority: CIS

Plugin: GCP

Revision: 1.0

Estimated Item Count: 30

File Details

Filename: CIS_Google_Kubernetes_Engine_GKE_v1.6.1_L2.audit

Size: 95.3 kB

MD5: bc811a7d2abebabf39217c199065a72d
SHA256: 942dacdd72e8826a0d3ea9bbe5d1251a4976f2106a14699e57aa224bcf996eb0

Audit Items

DescriptionCategories
4.1.8 Avoid bindings to system:anonymous

ACCESS CONTROL

4.3.2 Ensure that all Namespaces have Network Policies defined

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.4.1 Prefer using secrets as files over secrets as environment variables

SYSTEM AND COMMUNICATIONS PROTECTION

4.4.2 Consider external secret storage

SYSTEM AND COMMUNICATIONS PROTECTION

4.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller

CONFIGURATION MANAGEMENT, MAINTENANCE

4.6.2 Ensure that the seccomp profile is set to RuntimeDefault in the pod definitions

CONFIGURATION MANAGEMENT

4.6.3 Apply Security Context to Pods and Containers

CONFIGURATION MANAGEMENT

4.6.4 The default namespace should not be used

CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

5.1.1 Ensure Image Vulnerability Scanning is enabled

RISK ASSESSMENT

5.1.2 Minimize user access to Container Image repositories

ACCESS CONTROL, MEDIA PROTECTION

5.1.3 Minimize cluster access to read-only for Container Image repositories

ACCESS CONTROL, MEDIA PROTECTION

5.1.4 Ensure only trusted container images are used

CONFIGURATION MANAGEMENT

5.2.2 Prefer using dedicated GCP Service Accounts and Workload Identity

IDENTIFICATION AND AUTHENTICATION

5.3.1 Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.4.1 Ensure the GKE Metadata Server is Enabled

CONFIGURATION MANAGEMENT

5.5.2 Ensure Node Auto-Repair is enabled for GKE nodes

RISK ASSESSMENT

5.5.3 Ensure Node Auto-Upgrade is enabled for GKE nodes

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

5.5.7 Ensure Secure Boot for Shielded GKE Nodes is Enabled

RISK ASSESSMENT

5.6.1 Enable VPC Flow Logs and Intranode Visibility

AUDIT AND ACCOUNTABILITY

5.6.3 Ensure Control Plane Authorized Networks is Enabled

ACCESS CONTROL, MEDIA PROTECTION

5.6.4 Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.6.6 Consider firewalling GKE worker nodes

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.6.7 Ensure use of Google-managed SSL Certificates

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.7.2 Enable Linux auditd logging

AUDIT AND ACCOUNTABILITY

5.8.2 Manage Kubernetes RBAC users with Google Groups for GKE

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

5.9.1 Enable Customer-Managed Encryption Keys (CMEK) for GKE Persistent Disks (PD)

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.9.2 Enable Customer-Managed Encryption Keys (CMEK) for Boot Disks

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.10.3 Consider GKE Sandbox for running untrusted workloads

SYSTEM AND COMMUNICATIONS PROTECTION

5.10.4 Ensure use of Binary Authorization

CONFIGURATION MANAGEMENT

5.10.5 Enable Security Posture

CONFIGURATION MANAGEMENT