| Benchmark recommendation | Control family |
|---|---|
| 2.1.1 Client certificate authentication should not be used for users | ACCESS CONTROL |
| 2.2.1 Ensure that a minimal audit policy is created | AUDIT AND ACCOUNTABILITY |
| 2.2.2 Ensure that the audit policy covers key security concerns | AUDIT AND ACCOUNTABILITY |
| 4.1.1 Ensure that the cluster-admin role is only used where required | ACCESS CONTROL |
| 4.1.2 Minimize access to secrets | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 4.1.3 Minimize wildcard use in Roles and ClusterRoles | IDENTIFICATION AND AUTHENTICATION |
| 4.1.4 Minimize access to create pods | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| 4.1.5 Ensure that default service accounts are not actively used | ACCESS CONTROL |
| 4.1.6 Ensure that Service Account Tokens are only mounted where necessary | CONFIGURATION MANAGEMENT |
| 4.2.1 Minimize the admission of privileged containers | ACCESS CONTROL |
| 4.2.2 Minimize the admission of containers wishing to share the host process ID namespace | ACCESS CONTROL |
| 4.2.3 Minimize the admission of containers wishing to share the host IPC namespace | ACCESS CONTROL |
| 4.2.4 Minimize the admission of containers wishing to share the host network namespace | ACCESS CONTROL |
| 4.2.5 Minimize the admission of containers with allowPrivilegeEscalation | ACCESS CONTROL |
| 4.2.7 Minimize the admission of containers with added capabilities | ACCESS CONTROL |
| 4.3.1 Ensure that the CNI in use supports Network Policies | |
| 4.6.1 Create administrative boundaries between resources using namespaces | ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY |
| 5.1.1 Ensure Image Vulnerability Scanning using GCR Container Analysis or a third party provider | RISK ASSESSMENT |
| 5.1.2 Minimize user access to GCR | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.3 Minimize cluster access to read-only for GCR | ACCESS CONTROL, MEDIA PROTECTION |
| 5.2.1 Ensure GKE clusters are not running using the Compute Engine default service account | ACCESS CONTROL |
| 5.2.2 Prefer using dedicated GCP Service Accounts and Workload Identity | ACCESS CONTROL |
| 5.3.1 Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.4.1 Ensure legacy Compute Engine instance metadata APIs are Disabled | CONFIGURATION MANAGEMENT |
| 5.5.2 Ensure Node Auto-Repair is enabled for GKE nodes | RISK ASSESSMENT |
| 5.5.3 Ensure Node Auto-Upgrade is enabled for GKE nodes | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 5.5.4 When creating New Clusters - Automate GKE version management using Release Channels | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 5.5.5 Ensure Shielded GKE Nodes are Enabled | CONFIGURATION MANAGEMENT |
| 5.5.6 Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | CONFIGURATION MANAGEMENT |
| 5.6.2 Ensure use of VPC-native clusters | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.6.3 Ensure Master Authorized Networks is Enabled | ACCESS CONTROL, MEDIA PROTECTION |
| 5.6.5 Ensure clusters are created with Private Nodes | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.6.7 Ensure Network Policy is Enabled and set as appropriate | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7.1 Ensure Stackdriver Kubernetes Logging and Monitoring is Enabled - loggingService | AUDIT AND ACCOUNTABILITY |
| 5.7.1 Ensure Stackdriver Kubernetes Logging and Monitoring is Enabled - monitoringService | AUDIT AND ACCOUNTABILITY |
| 5.8.1 Ensure Basic Authentication using static passwords is Disabled | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 5.8.2 Ensure authentication using Client Certificates is Disabled | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 5.8.4 Ensure Legacy Authorization (ABAC) is Disabled | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 5.9.1 Enable Customer-Managed Encryption Keys (CMEK) for GKE Persistent Disks (PD) | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.10.1 Ensure Kubernetes Web UI is Disabled | CONFIGURATION MANAGEMENT |
| 5.10.2 Ensure that Alpha clusters are not used for production workloads | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.10.3 Ensure Pod Security Policy is Enabled and set as appropriate | AUDIT AND ACCOUNTABILITY, INCIDENT RESPONSE, SYSTEM AND INFORMATION INTEGRITY |
| 5.10.6 Enable Cloud Security Command Center (Cloud SCC) | |