| 3.1.1 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive | ACCESS CONTROL, MEDIA PROTECTION |
| 3.1.2 Ensure that the proxy kubeconfig file ownership is set to root:root | ACCESS CONTROL, MEDIA PROTECTION |
| 3.1.3 Ensure that the kubelet configuration file has permissions set to 644 | ACCESS CONTROL, MEDIA PROTECTION |
| 3.1.4 Ensure that the kubelet configuration file ownership is set to root:root | ACCESS CONTROL, MEDIA PROTECTION |
| 3.2.1 Ensure that the Anonymous Auth is Not Enabled Draft | ACCESS CONTROL |
| 3.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow | ACCESS CONTROL |
| 3.2.3 Ensure that a Client CA File is Configured | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2.4 Ensure that the --read-only-port is disabled | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2.6 Ensure that the --make-iptables-util-chains argument is set to true | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2.7 Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture | AUDIT AND ACCOUNTABILITY |
| 3.2.8 Ensure that the --rotate-certificates argument is not present or is set to true | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2.9 Ensure that the RotateKubeletServerCertificate argument is set to true | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| CIS_Google_Kubernetes_Engine_GKE_v1.7.0_L1.audit from CIS Google Kubernetes Engine (GKE) Benchmark v1.7.0 | |
