CIS Google Kubernetes Engine (GKE) v1.5.0 L1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS Google Kubernetes Engine (GKE) v1.5.0 L1

Updated: 9/17/2024

Authority: CIS

Plugin: GCP

Revision: 1.2

Estimated Item Count: 44

Audit Items

Description | Categories
2.1.1 Client certificate authentication should not be used for users
4.1.1 Ensure that the cluster-admin role is only used where required
4.1.2 Minimize access to secrets
4.1.3 Minimize wildcard use in Roles and ClusterRoles
4.1.4 Minimize access to create pods
4.1.5 Ensure that default service accounts are not actively used
4.1.6 Ensure that Service Account Tokens are only mounted where necessary
4.1.7 Avoid use of system:masters group
4.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster
4.1.9 Minimize access to create persistent volumes
4.1.10 Minimize access to the proxy sub-resource of nodes
4.1.11 Minimize access to the approval sub-resource of certificatesigningrequests objects
4.1.12 Minimize access to webhook configuration objects
4.1.13 Minimize access to the service account token creation
4.2.1 Ensure that the cluster enforces Pod Security Standard Baseline profile or stricter for all namespaces.
4.3.1 Ensure that the CNI in use supports Network Policies

CONFIGURATION MANAGEMENT

4.6.1 Create administrative boundaries between resources using namespaces
5.1.1 Ensure Image Vulnerability Scanning is enabled
5.1.2 Minimize user access to Container Image repositories
5.1.3 Minimize cluster access to read-only for Container Image repositories
5.1.4 Minimize Container Registries to only those approved
5.2.1 Ensure GKE clusters are not running using the Compute Engine default service account
5.2.2 Prefer using dedicated GCP Service Accounts and Workload Identity
5.3.1 Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS
5.4.1 Ensure legacy Compute Engine instance metadata APIs are Disabled
5.4.2 Ensure the GKE Metadata Server is Enabled
5.5.2 Ensure Node Auto-Repair is enabled for GKE nodes
5.5.3 Ensure Node Auto-Upgrade is enabled for GKE nodes
5.5.4 When creating New Clusters - Automate GKE version management using Release Channels
5.5.5 Ensure Shielded GKE Nodes are Enabled
5.5.6 Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled
5.6.2 Ensure use of VPC-native clusters
5.6.3 Ensure Control Plane Authorized Networks is Enabled
5.6.5 Ensure clusters are created with Private Nodes
5.6.7 Ensure Network Policy is Enabled and set as appropriate
5.7.1 Ensure Logging and Cloud Monitoring is Enabled - loggingService
5.7.1 Ensure Logging and Cloud Monitoring is Enabled - monitoringService
5.8.1 Ensure authentication using Client Certificates is Disabled
5.8.3 Ensure Legacy Authorization (ABAC) is Disabled
5.9.1 Enable Customer-Managed Encryption Keys (CMEK) for GKE Persistent Disks (PD)
5.10.1 Ensure Kubernetes Web UI is Disabled
5.10.2 Ensure that Alpha clusters are not used for production workloads
5.10.5 Enable Cloud Security Command Center (Cloud SCC)

CONFIGURATION MANAGEMENT

5.10.6 Enable Security Posture