CIS Google Kubernetes Engine (GKE) v1.3.0 L1 Node

Audit Details

Name: CIS Google Kubernetes Engine (GKE) v1.3.0 L1 Node

Updated: 4/12/2023

Authority: CIS

Plugin: Unix

Revision: 1.3

Estimated Item Count: 18

File Details

Filename: CIS_Google_Kubernetes_Engine_GKE_v1.3.0_L1_Node.audit

Size: 108 kB

MD5: c8e3f5c7bf3ebca59995100fc2c6c124
SHA256: ff35e4eab311055c124819e75f6acee45866f98d92c31b73586ada7d70b75c49

Audit Items

Description / Categories
3.1.1 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive

ACCESS CONTROL, MEDIA PROTECTION

3.1.2 Ensure that the proxy kubeconfig file ownership is set to root:root

ACCESS CONTROL, MEDIA PROTECTION

3.1.3 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive

ACCESS CONTROL, MEDIA PROTECTION

3.1.4 Ensure that the kubelet configuration file ownership is set to root:root

ACCESS CONTROL, MEDIA PROTECTION

3.2.1 Ensure that the --anonymous-auth argument is set to false

ACCESS CONTROL

3.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow

ACCESS CONTROL

3.2.3 Ensure that the --client-ca-file argument is set as appropriate

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.4 Ensure that the --read-only-port argument is set to 0

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.6 Ensure that the --protect-kernel-defaults argument is set to true

CONFIGURATION MANAGEMENT

3.2.7 Ensure that the --make-iptables-util-chains argument is set to true

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.8 Ensure that the --hostname-override argument is not set

CONFIGURATION MANAGEMENT

3.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture

AUDIT AND ACCOUNTABILITY

3.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - cert

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - key

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.11 Ensure that the --rotate-certificates argument is not set to false

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.12 Ensure that the RotateKubeletServerCertificate argument is set to true

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

CIS_Google_Kubernetes_Engine_GKE_v1.3.0_L1_Node.audit from CIS Google Kubernetes Engine (GKE) Benchmark