CIS Google Kubernetes Engine (GKE) v1.1.0 L1 Master

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: CIS Google Kubernetes Engine (GKE) v1.1.0 L1 Master

Updated: 12/19/2022

Authority: Cloud Services

Plugin: GCP

Revision: 1.3

Estimated Item Count: 42

Audit Items

DescriptionCategories
2.1.1 Client certificate authentication should not be used for users
2.2.1 Ensure that a minimal audit policy is created
4.1.1 Ensure that the cluster-admin role is only used where required
4.1.2 Minimize access to secrets
4.1.3 Minimize wildcard use in Roles and ClusterRoles
4.1.4 Minimize access to create pods
4.1.5 Ensure that default service accounts are not actively used.
4.1.6 Ensure that Service Account Tokens are only mounted where necessary
4.2.1 Minimize the admission of privileged containers
4.2.2 Minimize the admission of containers wishing to share the host process ID namespace
4.2.3 Minimize the admission of containers wishing to share the host IPC namespace
4.2.4 Minimize the admission of containers wishing to share the host network namespace
4.2.5 Minimize the admission of containers with allowPrivilegeEscalation
4.2.7 Minimize the admission of containers with the NET_RAW capability
4.2.8 Minimize the admission of containers with added capabilities
4.3.1 Ensure that the CNI in use supports Network Policies
4.6.1 Create administrative boundaries between resources using namespaces
5.1.1 Ensure Image Vulnerability Scanning using GCR Container Analysis or a third party provider
5.1.2 Minimize user access to GCR
5.1.3 Minimize cluster access to read-only for GCR
5.2.1 Ensure GKE clusters are not running using the Compute Engine default service account
5.2.2 Prefer using dedicated GCP Service Accounts and Workload Identity
5.3.1 Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS
5.4.1 Ensure legacy Compute Engine instance metadata APIs are Disabled
5.5.2 Ensure Node Auto-Repair is enabled for GKE nodes
5.5.3 Ensure Node Auto-Upgrade is enabled for GKE nodes
5.5.4 When creating New Clusters - Automate GKE version management using Release Channels
5.5.5 Ensure Shielded GKE Nodes are Enabled
5.5.6 Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled
5.6.2 Ensure use of VPC-native clusters
5.6.3 Ensure Master Authorized Networks is Enabled
5.6.5 Ensure clusters are created with Private Nodes
5.6.7 Ensure Network Policy is Enabled and set as appropriate
5.7.1 Ensure Stackdriver Kubernetes Logging and Monitoring is Enabled - loggingService
5.7.1 Ensure Stackdriver Kubernetes Logging and Monitoring is Enabled - monitoringService
5.8.1 Ensure Basic Authentication using static passwords is Disabled
5.8.2 Ensure authentication using Client Certificates is Disabled
5.8.4 Ensure Legacy Authorization (ABAC) is Disabled
5.10.1 Ensure Kubernetes Web UI is Disabled
5.10.2 Ensure that Alpha clusters are not used for production workloads
5.10.3 Ensure Pod Security Policy is Enabled and set as appropriate
5.10.6 Enable Cloud Security Command Center (Cloud SCC)