| 4.1.8 Avoid bindings to system:anonymous | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 4.3.1 Ensure that all Namespaces have Network Policies defined | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.4.1 Consider external secret storage | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 4.6.2 Ensure that the seccomp profile is set to RuntimeDefault in the pod definitions | CONFIGURATION MANAGEMENT |
| 4.6.3 Apply Security Context to Pods and Containers | CONFIGURATION MANAGEMENT |
| 4.6.4 The default namespace should not be used | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.1.1 Ensure Image Vulnerability Scanning is enabled | RISK ASSESSMENT |
| 5.1.2 Minimize user access to Container Image repositories | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.3 Minimize cluster access to read-only for Container Image repositories | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.4 Ensure only trusted container images are used | CONFIGURATION MANAGEMENT |
| 5.2.1 Ensure GKE clusters are not running using the Compute Engine default service account | IDENTIFICATION AND AUTHENTICATION |
| 5.3.1 Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.4.2 Ensure Control Plane Authorized Networks is Enabled | ACCESS CONTROL, MEDIA PROTECTION |
| 5.4.3 Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.4.4 Ensure clusters are created with Private Nodes | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.4.5 Ensure use of Google-managed SSL Certificates | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.5.1 Manage Kubernetes RBAC users with Google Groups for GKE | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 5.6.1 Enable Customer-Managed Encryption Keys (CMEK) for GKE Persistent Disks (PD) | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7.1 Enable Security Posture | CONFIGURATION MANAGEMENT |
