| 2.1.1 Client certificate authentication should not be used for users | ACCESS CONTROL |
| 4.1.1 Ensure that the cluster-admin role is only used where required | ACCESS CONTROL |
| 4.1.2 Minimize access to secrets | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 4.1.3 Minimize wildcard use in Roles and ClusterRoles | IDENTIFICATION AND AUTHENTICATION |
| 4.1.4 Minimize access to create pods | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| 4.1.5 Ensure that default service accounts are not actively used | ACCESS CONTROL |
| 4.1.6 Ensure that Service Account Tokens are only mounted where necessary | CONFIGURATION MANAGEMENT |
| 4.1.7 Avoid use of system:masters group | ACCESS CONTROL |
| 4.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster | ACCESS CONTROL |
| 4.1.9 Minimize access to create persistent volumes | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 4.1.10 Minimize access to the proxy sub-resource of nodes | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 4.1.11 Minimize access to the approval sub-resource of certificatesigningrequests objects | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 4.1.12 Minimize access to webhook configuration objects | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 4.1.13 Minimize access to the service account token creation | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 4.2.1 Ensure that the cluster enforces Pod Security Standard Baseline profile or stricter for all namespaces. | CONFIGURATION MANAGEMENT |
| 4.3.1 Ensure that the CNI in use supports Network Policies | CONFIGURATION MANAGEMENT |
| 4.6.1 Create administrative boundaries between resources using namespaces | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.1.1 Ensure Image Vulnerability Scanning is enabled | RISK ASSESSMENT |
| 5.1.2 Minimize user access to Container Image repositories | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.3 Minimize cluster access to read-only for Container Image repositories | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.4 Minimize Container Registries to only those approved | CONFIGURATION MANAGEMENT |
| 5.2.1 Ensure GKE clusters are not running using the Compute Engine default service account | IDENTIFICATION AND AUTHENTICATION |
| 5.2.2 Prefer using dedicated GCP Service Accounts and Workload Identity | IDENTIFICATION AND AUTHENTICATION |
| 5.3.1 Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.4.1 Ensure legacy Compute Engine instance metadata APIs are Disabled | CONFIGURATION MANAGEMENT |
| 5.4.2 Ensure the GKE Metadata Server is Enabled | CONFIGURATION MANAGEMENT |
| 5.5.2 Ensure Node Auto-Repair is enabled for GKE nodes | RISK ASSESSMENT |
| 5.5.3 Ensure Node Auto-Upgrade is enabled for GKE nodes | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 5.5.4 When creating New Clusters - Automate GKE version management using Release Channels | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 5.5.5 Ensure Shielded GKE Nodes are Enabled | CONFIGURATION MANAGEMENT |
| 5.5.6 Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled | RISK ASSESSMENT |
| 5.6.2 Ensure use of VPC-native clusters | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.6.3 Ensure Control Plane Authorized Networks is Enabled | ACCESS CONTROL, MEDIA PROTECTION |
| 5.6.5 Ensure clusters are created with Private Nodes | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.6.7 Ensure Network Policy is Enabled and set as appropriate | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7.1 Ensure Logging and Cloud Monitoring is Enabled - loggingService | AUDIT AND ACCOUNTABILITY |
| 5.7.1 Ensure Logging and Cloud Monitoring is Enabled - monitoringService | AUDIT AND ACCOUNTABILITY |
| 5.8.1 Ensure authentication using Client Certificates is Disabled | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 5.8.3 Ensure Legacy Authorization (ABAC) is Disabled | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 5.9.1 Enable Customer-Managed Encryption Keys (CMEK) for GKE Persistent Disks (PD) | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.10.1 Ensure Kubernetes Web UI is Disabled | CONFIGURATION MANAGEMENT |
| 5.10.2 Ensure that Alpha clusters are not used for production workloads | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.10.5 Enable Cloud Security Command Center (Cloud SCC) | CONFIGURATION MANAGEMENT |
| 5.10.6 Enable Security Posture | CONFIGURATION MANAGEMENT |
