CIS Google Kubernetes Engine (GKE) v1.3.0 L1

Audit Details

Name: CIS Google Kubernetes Engine (GKE) v1.3.0 L1

Updated: 3/7/2023

Authority: CIS

Plugin: GCP

Revision: 1.2

Estimated Item Count: 43

File Details

Filename: CIS_Google_Kubernetes_Engine_GKE_v1.3.0_L1.audit

Size: 129 kB

MD5: 595f2746e0f094e6dffc21a748f0a4ac
SHA256: 719cd934c533105757b88b947be35bf83617c4e8016fd709aac61be6009ebcb9

Audit Items

Description / Categories
2.1.1 Client certificate authentication should not be used for users

ACCESS CONTROL

2.2.1 Ensure that a minimal audit policy is created

AUDIT AND ACCOUNTABILITY

2.2.2 Ensure that the audit policy covers key security concerns

AUDIT AND ACCOUNTABILITY

4.1.1 Ensure that the cluster-admin role is only used where required

ACCESS CONTROL

4.1.2 Minimize access to secrets

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

4.1.3 Minimize wildcard use in Roles and ClusterRoles

IDENTIFICATION AND AUTHENTICATION

4.1.4 Minimize access to create pods

CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

4.1.5 Ensure that default service accounts are not actively used.

ACCESS CONTROL

4.1.6 Ensure that Service Account Tokens are only mounted where necessary

CONFIGURATION MANAGEMENT

4.2.1 Minimize the admission of privileged containers

ACCESS CONTROL

4.2.2 Minimize the admission of containers wishing to share the host process ID namespace

ACCESS CONTROL

4.2.3 Minimize the admission of containers wishing to share the host IPC namespace

ACCESS CONTROL

4.2.4 Minimize the admission of containers wishing to share the host network namespace

ACCESS CONTROL

4.2.5 Minimize the admission of containers with allowPrivilegeEscalation

ACCESS CONTROL

4.2.7 Minimize the admission of containers with added capabilities

ACCESS CONTROL

4.3.1 Ensure that the CNI in use supports Network Policies

4.6.1 Create administrative boundaries between resources using namespaces

ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY

5.1.1 Ensure Image Vulnerability Scanning using GCR Container Analysis or a third party provider

RISK ASSESSMENT

5.1.2 Minimize user access to GCR

ACCESS CONTROL, MEDIA PROTECTION

5.1.3 Minimize cluster access to read-only for GCR

ACCESS CONTROL, MEDIA PROTECTION

5.2.1 Ensure GKE clusters are not running using the Compute Engine default service account

ACCESS CONTROL

5.2.2 Prefer using dedicated GCP Service Accounts and Workload Identity

ACCESS CONTROL

5.3.1 Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.4.1 Ensure legacy Compute Engine instance metadata APIs are Disabled

CONFIGURATION MANAGEMENT

5.5.2 Ensure Node Auto-Repair is enabled for GKE nodes

RISK ASSESSMENT

5.5.3 Ensure Node Auto-Upgrade is enabled for GKE nodes

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

5.5.4 When creating New Clusters - Automate GKE version management using Release Channels

RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY

5.5.5 Ensure Shielded GKE Nodes are Enabled

CONFIGURATION MANAGEMENT

5.5.6 Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled

CONFIGURATION MANAGEMENT

5.6.2 Ensure use of VPC-native clusters

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.6.3 Ensure Master Authorized Networks is Enabled

ACCESS CONTROL, MEDIA PROTECTION

5.6.5 Ensure clusters are created with Private Nodes

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.6.7 Ensure Network Policy is Enabled and set as appropriate

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

5.7.1 Ensure Stackdriver Kubernetes Logging and Monitoring is Enabled - loggingService

AUDIT AND ACCOUNTABILITY

5.7.1 Ensure Stackdriver Kubernetes Logging and Monitoring is Enabled - monitoringService

AUDIT AND ACCOUNTABILITY

5.8.1 Ensure Basic Authentication using static passwords is Disabled

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

5.8.2 Ensure authentication using Client Certificates is Disabled

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

5.8.4 Ensure Legacy Authorization (ABAC) is Disabled

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

5.9.1 Enable Customer-Managed Encryption Keys (CMEK) for GKE Persistent Disks (PD)

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.10.1 Ensure Kubernetes Web UI is Disabled

CONFIGURATION MANAGEMENT

5.10.2 Ensure that Alpha clusters are not used for production workloads

SYSTEM AND COMMUNICATIONS PROTECTION

5.10.3 Ensure Pod Security Policy is Enabled and set as appropriate

AUDIT AND ACCOUNTABILITY, INCIDENT RESPONSE, SYSTEM AND INFORMATION INTEGRITY

5.10.6 Enable Cloud Security Command Center (Cloud SCC)