CIS Google Kubernetes Engine (GKE) v1.4.0 L2

Audit Details

Name: CIS Google Kubernetes Engine (GKE) v1.4.0 L2

Updated: 7/25/2023

Authority: CIS

Plugin: GCP

Revision: 1.0

Estimated Item Count: 21

File Details

Filename: CIS_Google_Kubernetes_Engine_GKE_v1.4.0_L2.audit

Size: 56.3 kB

MD5: f4b11eba5978b80076ed76db2beb4d48
SHA256: 10a2156691b7c4b61d552c2b9587c74b37846257854284b055cb90be38b142b1

Audit Items

Description / Categories (each item is listed as its benchmark description, followed by the control categories it maps to)
4.2.6 Minimize the admission of root containers

ACCESS CONTROL

4.2.8 Minimize the admission of containers with capabilities assigned

ACCESS CONTROL

4.3.2 Ensure that all Namespaces have Network Policies defined

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.4.1 Prefer using secrets as files over secrets as environment variables

SYSTEM AND COMMUNICATIONS PROTECTION

4.4.2 Consider external secret storage

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

4.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller

CONFIGURATION MANAGEMENT, MAINTENANCE

4.6.2 Ensure that the seccomp profile is set to docker/default in your pod definitions

CONFIGURATION MANAGEMENT

4.6.3 Apply Security Context to Your Pods and Containers

CONFIGURATION MANAGEMENT, MAINTENANCE

4.6.4 The default namespace should not be used

CONFIGURATION MANAGEMENT, MAINTENANCE

5.1.4 Minimize Container Registries to only those approved

CONFIGURATION MANAGEMENT

5.4.2 Ensure the GKE Metadata Server is Enabled

CONFIGURATION MANAGEMENT

5.5.1 Ensure Container-Optimized OS (cos_containerd) is used for GKE node images

CONFIGURATION MANAGEMENT

5.5.7 Ensure Secure Boot for Shielded GKE Nodes is Enabled

CONFIGURATION MANAGEMENT

5.6.1 Enable VPC Flow Logs and Intranode Visibility

AUDIT AND ACCOUNTABILITY

5.6.4 Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.6.6 Consider firewalling GKE worker nodes

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.6.8 Ensure use of Google-managed SSL Certificates

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.7.2 Enable Linux auditd logging

AUDIT AND ACCOUNTABILITY

5.8.3 Manage Kubernetes RBAC users with Google Groups for GKE

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

5.10.4 Consider GKE Sandbox for running untrusted workloads

SYSTEM AND COMMUNICATIONS PROTECTION

5.10.5 Ensure use of Binary Authorization

CONFIGURATION MANAGEMENT
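The pod-level items above (4.2.6, 4.2.8, 4.4.1, 4.6.2, 4.6.3 and 4.6.4) are all answerable from the pod manifests alone. The script below is an added example, not code from the Tenable audit file or from CIS: it evaluates those six items against pod objects already fetched with `kubectl get pods -A -o json`, so it runs offline. The two sample pods are constructed; the one legacy detail worth knowing is that the benchmark's `docker/default` seccomp value is the pre-1.25 annotation form, which newer clusters express as `securityContext.seccompProfile.type: RuntimeDefault`, so the check accepts either.

```python
"""Pod-level checks for L2 items 4.2.6, 4.2.8, 4.4.1, 4.6.2, 4.6.3 and 4.6.4.

Added example; not code from the Tenable audit file or from CIS. Input is the
JSON text of a PodList from `kubectl get pods -A -o json`. Sample pods below
are constructed.
"""
import json

# Legacy annotation form of a seccomp profile (removed from Kubernetes in 1.25).
# Newer clusters express the same thing as securityContext.seccompProfile.type.
SECCOMP_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"
ITEMS = ("4.2.6", "4.2.8", "4.4.1", "4.6.2", "4.6.3", "4.6.4")


def check_pod(pod):
    """Return {item_id: passed} for one pod object."""
    meta = pod.get("metadata") or {}
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    containers = list(spec.get("containers", [])) + list(spec.get("initContainers", []))
    if not containers:  # nothing to evaluate; report every item as failing rather than vacuously passing
        return {k: False for k in ITEMS}

    def csc(c):
        return c.get("securityContext") or {}

    def caps(c):
        return csc(c).get("capabilities") or {}

    def seccomp_type(c):  # container-level profile overrides the pod-level one
        return (csc(c).get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")

    # 4.2.6: container-level runAsNonRoot overrides the pod-level value; unset counts as root-capable.
    non_root = all(csc(c).get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is True for c in containers)
    # 4.2.8: every container drops ALL capabilities and adds none back.
    no_caps = all(
        any(d.upper() == "ALL" for d in caps(c).get("drop", [])) and not caps(c).get("add")
        for c in containers
    )
    # 4.4.1: secrets reach the container as mounted files, never via env or envFrom.
    secret_in_env = any(
        any((e.get("valueFrom") or {}).get("secretKeyRef") for e in c.get("env", []))
        or any(ef.get("secretRef") for ef in c.get("envFrom", []))
        for c in containers
    )
    # 4.6.2: docker/default via the legacy annotation, or its modern equivalent RuntimeDefault.
    ann = meta.get("annotations") or {}
    seccomp_ok = ann.get(SECCOMP_ANNOTATION) in ("docker/default", "runtime/default") or all(
        seccomp_type(c) == "RuntimeDefault" for c in containers
    )
    # 4.6.3: a securityContext is set on the pod and on every container.
    sc_present = bool(pod_sc) and all(bool(csc(c)) for c in containers)
    # 4.6.4: workloads do not live in the default namespace.
    not_default_ns = meta.get("namespace") not in (None, "default")
    return {"4.2.6": non_root, "4.2.8": no_caps, "4.4.1": not secret_in_env,
            "4.6.2": seccomp_ok, "4.6.3": sc_present, "4.6.4": not_default_ns}


def failing_items(pod_list_json):
    """Map pod name -> sorted failing item ids for the JSON text of a kubectl PodList."""
    pods = json.loads(pod_list_json).get("items", [])
    return {p["metadata"]["name"]: sorted(k for k, ok in check_pod(p).items() if not ok) for p in pods}


# Constructed sample: a legacy pod that fails every item ...
WEAK_POD = {
    "metadata": {"name": "legacy", "namespace": "default",
                 "annotations": {SECCOMP_ANNOTATION: "unconfined"}},
    "spec": {"containers": [{
        "name": "app", "image": "example.com/acme/legacy:2.3",
        "env": [{"name": "DB_PASSWORD",
                 "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}],
        "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}},
    }]},
}
# ... and a hardened pod that passes all of them (secret mounted as a file, not an env var).
HARDENED_POD = {
    "metadata": {"name": "api", "namespace": "payments"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "api", "image": "example.com/acme/api:1.0",
            "securityContext": {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}},
            "volumeMounts": [{"name": "db-creds", "mountPath": "/var/run/secrets/db", "readOnly": True}],
        }],
        "volumes": [{"name": "db-creds", "secret": {"secretName": "db-creds"}}],
    },
}
SAMPLE_POD_LIST = json.dumps({"items": [WEAK_POD, HARDENED_POD]})

if __name__ == "__main__":
    print(failing_items(SAMPLE_POD_LIST))
```

Feed it real output with `kubectl get pods -A -o json > pods.json` and `failing_items(open("pods.json").read())`; a non-empty list per pod is the set of L2 items that pod would fail.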
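The cluster-level items (5.4.2, 5.5.1, 5.5.7, 5.6.1, 5.6.4, 5.8.3 and 5.10.5) are visible in the cluster resource itself. The script below is an added example, not code from the Tenable audit file or from CIS: it evaluates those items against the JSON written by `gcloud container clusters describe CLUSTER --location LOCATION --format=json`. The field names follow the GKE API Cluster resource as I know it (`privateClusterConfig`, `networkConfig.enableIntraNodeVisibility`, `nodePools[].config.shieldedInstanceConfig`, `binaryAuthorization.evaluationMode`, `authenticatorGroupsConfig`); treat them as an assumption and confirm against a real describe output. Both sample clusters are constructed. Subnet-level VPC flow logs (the other half of 5.6.1) live on the Compute subnetwork, not on the cluster object, so this script does not cover them.

```python
"""Cluster-level checks for L2 items 5.4.2, 5.5.1, 5.5.7, 5.6.1, 5.6.4, 5.8.3 and 5.10.5.

Added example; not code from the Tenable audit file or from CIS. Input is the
JSON text of `gcloud container clusters describe ... --format=json`. Field names
follow the GKE API Cluster resource (assumption: verify against real output).
Sample clusters below are constructed.
"""
import json


def check_cluster(cluster):
    """Return {item_id: passed} for one cluster object."""
    pool_cfgs = [p.get("config") or {} for p in cluster.get("nodePools", [])]
    private = cluster.get("privateClusterConfig") or {}
    net = cluster.get("networkConfig") or {}
    binauthz = cluster.get("binaryAuthorization") or {}
    groups = cluster.get("authenticatorGroupsConfig") or {}

    def every_pool(pred):  # a cluster with no node pools cannot pass a per-pool item
        return bool(pool_cfgs) and all(pred(c) for c in pool_cfgs)

    return {
        # 5.4.2: GKE metadata server on every pool, so pods cannot pull node service-account
        # tokens from the legacy metadata endpoint.
        "5.4.2": every_pool(lambda c: (c.get("workloadMetadataConfig") or {}).get("mode") == "GKE_METADATA"),
        # 5.5.1: Container-Optimized OS with containerd on every pool.
        "5.5.1": every_pool(lambda c: c.get("imageType") == "COS_CONTAINERD"),
        # 5.5.7: Shielded nodes with Secure Boot on every pool.
        "5.5.7": every_pool(lambda c: (c.get("shieldedInstanceConfig") or {}).get("enableSecureBoot") is True),
        # 5.6.1: intranode visibility (subnet VPC flow logs must be checked on the subnetwork).
        "5.6.1": net.get("enableIntraNodeVisibility") is True,
        # 5.6.4: private nodes and a private endpoint with no public control-plane access.
        "5.6.4": private.get("enablePrivateNodes") is True and private.get("enablePrivateEndpoint") is True,
        # 5.8.3: Google Groups for RBAC, with a security group configured.
        "5.8.3": groups.get("enabled") is True and bool(groups.get("securityGroup")),
        # 5.10.5: Binary Authorization enforced, via the newer evaluationMode or the legacy enabled flag.
        "5.10.5": binauthz.get("evaluationMode") == "PROJECT_SINGLETON_POLICY_ENFORCE"
                  or binauthz.get("enabled") is True,
    }


def failing_items(describe_json):
    """Sorted failing item ids for the JSON text of one describe output."""
    return sorted(k for k, ok in check_cluster(json.loads(describe_json)).items() if not ok)


# Constructed sample: a hardened cluster that passes every item ...
HARDENED_CLUSTER = {
    "name": "prod-eu",
    "nodePools": [{"name": "default-pool", "config": {
        "imageType": "COS_CONTAINERD",
        "workloadMetadataConfig": {"mode": "GKE_METADATA"},
        "shieldedInstanceConfig": {"enableSecureBoot": True, "enableIntegrityMonitoring": True}}}],
    "privateClusterConfig": {"enablePrivateNodes": True, "enablePrivateEndpoint": True,
                             "masterIpv4CidrBlock": "172.16.0.32/28"},
    "networkConfig": {"enableIntraNodeVisibility": True},
    "authenticatorGroupsConfig": {"enabled": True, "securityGroup": "gke-security-groups@example.com"},
    "binaryAuthorization": {"evaluationMode": "PROJECT_SINGLETON_POLICY_ENFORCE"},
}
# ... and a legacy cluster that only passes 5.10.5 (through the legacy enabled flag).
LEGACY_CLUSTER = {
    "name": "legacy",
    "nodePools": [{"name": "default-pool", "config": {
        "imageType": "UBUNTU_CONTAINERD",
        "workloadMetadataConfig": {"mode": "GCE_METADATA"},
        "shieldedInstanceConfig": {"enableIntegrityMonitoring": True}}}],
    "privateClusterConfig": {"enablePrivateNodes": True, "enablePrivateEndpoint": False},
    "networkConfig": {"enableIntraNodeVisibility": False},
    "binaryAuthorization": {"enabled": True},
}

if __name__ == "__main__":
    for c in (HARDENED_CLUSTER, LEGACY_CLUSTER):
        print(c["name"], failing_items(json.dumps(c)))
```

Run it against a real cluster with `gcloud container clusters describe prod-eu --location europe-west1 --format=json > cluster.json` and `failing_items(open("cluster.json").read())`; each returned id is an L2 item the cluster would fail.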