| Recommendation | Control families |
| --- | --- |
| 4.1.8 Avoid bindings to system:anonymous | ACCESS CONTROL |
| 4.3.2 Ensure that all Namespaces have Network Policies defined | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.4.1 Prefer using secrets as files over secrets as environment variables | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.4.2 Consider external secret storage | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 4.6.2 Ensure that the seccomp profile is set to RuntimeDefault in the pod definitions | CONFIGURATION MANAGEMENT |
| 4.6.3 Apply Security Context to Pods and Containers | CONFIGURATION MANAGEMENT |
| 4.6.4 The default namespace should not be used | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.1.1 Ensure Image Vulnerability Scanning is enabled | RISK ASSESSMENT |
| 5.1.2 Minimize user access to Container Image repositories | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.3 Minimize cluster access to read-only for Container Image repositories | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.4 Ensure only trusted container images are used | CONFIGURATION MANAGEMENT |
| 5.2.2 Prefer using dedicated GCP Service Accounts and Workload Identity | IDENTIFICATION AND AUTHENTICATION |
| 5.3.1 Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.4.1 Ensure the GKE Metadata Server is Enabled | CONFIGURATION MANAGEMENT |
| 5.5.2 Ensure Node Auto-Repair is enabled for GKE nodes | RISK ASSESSMENT |
| 5.5.3 Ensure Node Auto-Upgrade is enabled for GKE nodes | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 5.5.7 Ensure Secure Boot for Shielded GKE Nodes is Enabled | RISK ASSESSMENT |
| 5.6.1 Enable VPC Flow Logs and Intranode Visibility | AUDIT AND ACCOUNTABILITY |
| 5.6.3 Ensure Control Plane Authorized Networks is Enabled | ACCESS CONTROL, MEDIA PROTECTION |
| 5.6.4 Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.6.6 Consider firewalling GKE worker nodes | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.6.7 Ensure use of Google-managed SSL Certificates | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7.2 Enable Linux auditd logging | AUDIT AND ACCOUNTABILITY |
| 5.8.2 Manage Kubernetes RBAC users with Google Groups for GKE | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 5.9.1 Enable Customer-Managed Encryption Keys (CMEK) for GKE Persistent Disks (PD) | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.9.2 Enable Customer-Managed Encryption Keys (CMEK) for Boot Disks | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.10.3 Consider GKE Sandbox for running untrusted workloads | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.10.4 Ensure use of Binary Authorization | CONFIGURATION MANAGEMENT |
| 5.10.5 Enable Security Posture | CONFIGURATION MANAGEMENT |