CIS Google Kubernetes Engine (GKE) v1.4.0 L1 Node

Audit Details

Name: CIS Google Kubernetes Engine (GKE) v1.4.0 L1 Node

Updated: 7/25/2023

Authority: CIS

Plugin: Unix

Revision: 1.0

Estimated Item Count: 17

File Details

Filename: CIS_Google_Kubernetes_Engine_GKE_v1.4.0_L1_Node.audit

Size: 102 kB

MD5: c3853a3aa639f344e05aaa41c8d16c3d
SHA256: d41c8ec58872d9b0ff1ed43204a06f915bf4bb4afc90c8a5e2c4495c234ab009

Audit Items

DescriptionCategories
3.1.1 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive

ACCESS CONTROL, MEDIA PROTECTION

3.1.2 Ensure that the proxy kubeconfig file ownership is set to root:root

ACCESS CONTROL, MEDIA PROTECTION

3.1.3 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive

ACCESS CONTROL, MEDIA PROTECTION

3.1.4 Ensure that the kubelet configuration file ownership is set to root:root

ACCESS CONTROL, MEDIA PROTECTION

3.2.1 Ensure that the --anonymous-auth argument is set to false

ACCESS CONTROL

3.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow

ACCESS CONTROL

3.2.3 Ensure that the --client-ca-file argument is set as appropriate

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.4 Ensure that the --read-only-port argument is set to 0

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.6 Ensure that the --make-iptables-util-chains argument is set to true

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.7 Ensure that the --hostname-override argument is not set

CONFIGURATION MANAGEMENT

3.2.8 Ensure that the --eventrecordqps argument is set to 5 or higher or a level which ensures appropriate event capture

AUDIT AND ACCOUNTABILITY

3.2.9 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - cert

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.9 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate - key

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.10 Ensure that the --rotate-certificates argument is not set to false

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.11 Ensure that the RotateKubeletServerCertificate argument is set to true

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

CIS_Google_Kubernetes_Engine_GKE_v1.4.0_L1_Node.audit from CIS Google Kubernetes Engine (GKE) Benchmark