| 4.2.6 Minimize the admission of root containers | ACCESS CONTROL |
| 4.2.8 Minimize the admission of containers with capabilities assigned | ACCESS CONTROL |
| 4.3.2 Ensure that all Namespaces have Network Policies defined | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.4.1 Prefer using secrets as files over secrets as environment variables | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.4.2 Consider external secret storage | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 4.6.2 Ensure that the seccomp profile is set to docker/default in your pod definitions | CONFIGURATION MANAGEMENT |
| 4.6.3 Apply Security Context to Your Pods and Containers | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 4.6.4 The default namespace should not be used | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 5.1.4 Minimize Container Registries to only those approved | CONFIGURATION MANAGEMENT |
| 5.4.2 Ensure the GKE Metadata Server is Enabled | CONFIGURATION MANAGEMENT |
| 5.5.1 Ensure Container-Optimized OS (cos_containerd) is used for GKE node images | CONFIGURATION MANAGEMENT |
| 5.5.7 Ensure Secure Boot for Shielded GKE Nodes is Enabled | CONFIGURATION MANAGEMENT |
| 5.6.1 Enable VPC Flow Logs and Intranode Visibility | AUDIT AND ACCOUNTABILITY |
| 5.6.4 Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.6.6 Consider firewalling GKE worker nodes | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.6.8 Ensure use of Google-managed SSL Certificates | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7.2 Enable Linux auditd logging | AUDIT AND ACCOUNTABILITY |
| 5.8.3 Manage Kubernetes RBAC users with Google Groups for GKE | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 5.10.4 Consider GKE Sandbox for running untrusted workloads | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.10.5 Ensure use of Binary Authorization | CONFIGURATION MANAGEMENT |
