Detections
Analytics

CIS Google Kubernetes Engine (GKE) v1.3.0 L2

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: CIS Google Kubernetes Engine (GKE) v1.3.0 L2

Updated: 7/25/2023

Authority: CIS

Plugin: GCP

Revision: 1.3

Estimated Item Count: 21

Audit Items

DescriptionCategories
4.2.6 Minimize the admission of root containers
4.2.8 Minimize the admission of containers with capabilities assigned
4.3.2 Ensure that all Namespaces have Network Policies defined
4.4.1 Prefer using secrets as files over secrets as environment variables
4.4.2 Consider external secret storage
4.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller
4.6.2 Ensure that the seccomp profile is set to docker/default in your pod definitions
4.6.3 Apply Security Context to Your Pods and Containers
4.6.4 The default namespace should not be used
5.1.4 Minimize Container Registries to only those approved
5.4.2 Ensure the GKE Metadata Server is Enabled
5.5.1 Ensure Container-Optimized OS (cos_containerd) is used for GKE node images
5.5.7 Ensure Secure Boot for Shielded GKE Nodes is Enabled
5.6.1 Enable VPC Flow Logs and Intranode Visibility
5.6.4 Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled
5.6.6 Consider firewalling GKE worker nodes
5.6.8 Ensure use of Google-managed SSL Certificates
5.7.2 Enable Linux auditd logging
5.8.3 Manage Kubernetes RBAC users with Google Groups for GKE
5.10.4 Consider GKE Sandbox for running untrusted workloads
5.10.5 Ensure use of Binary Authorization