CIS Google Kubernetes Engine (GKE) v1.3.0 L2

Audit Details

Name: CIS Google Kubernetes Engine (GKE) v1.3.0 L2

Updated: 3/7/2023

Authority: CIS

Plugin: GCP

Revision: 1.2

Estimated Item Count: 21

File Details

Filename: CIS_Google_Kubernetes_Engine_GKE_v1.3.0_L2.audit

Size: 56.7 kB

MD5: 156364995042b18af7023a09577f10d7

SHA256: 7cb61e0d028272e74fa5bae5168ad72631e327f0109a1c0e89542f44b057d04b

Audit Items

Description | Categories
4.2.6 Minimize the admission of root containers | ACCESS CONTROL
4.2.8 Minimize the admission of containers with capabilities assigned | ACCESS CONTROL
4.3.2 Ensure that all Namespaces have Network Policies defined | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION
4.4.1 Prefer using secrets as files over secrets as environment variables | SYSTEM AND COMMUNICATIONS PROTECTION
4.4.2 Consider external secret storage | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION
4.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller | CONFIGURATION MANAGEMENT, MAINTENANCE
4.6.2 Ensure that the seccomp profile is set to docker/default in your pod definitions | CONFIGURATION MANAGEMENT
4.6.3 Apply Security Context to Your Pods and Containers | CONFIGURATION MANAGEMENT, MAINTENANCE
4.6.4 The default namespace should not be used | CONFIGURATION MANAGEMENT, MAINTENANCE
5.1.4 Minimize Container Registries to only those approved | CONFIGURATION MANAGEMENT
5.4.2 Ensure the GKE Metadata Server is Enabled | CONFIGURATION MANAGEMENT
5.5.1 Ensure Container-Optimized OS (cos_containerd) is used for GKE node images | CONFIGURATION MANAGEMENT
5.5.7 Ensure Secure Boot for Shielded GKE Nodes is Enabled | CONFIGURATION MANAGEMENT
5.6.1 Enable VPC Flow Logs and Intranode Visibility | AUDIT AND ACCOUNTABILITY
5.6.4 Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION
5.6.6 Consider firewalling GKE worker nodes | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION
5.6.8 Ensure use of Google-managed SSL Certificates | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION
5.7.2 Enable Linux auditd logging | AUDIT AND ACCOUNTABILITY
5.8.3 Manage Kubernetes RBAC users with Google Groups for GKE | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY
5.10.4 Consider GKE Sandbox for running untrusted workloads | SYSTEM AND COMMUNICATIONS PROTECTION
5.10.5 Ensure use of Binary Authorization | CONFIGURATION MANAGEMENT