| 4.3.2 Ensure that all Namespaces have Network Policies defined | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.4.1 Prefer using secrets as files over secrets as environment variables | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.4.2 Consider external secret storage | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 4.6.2 Ensure that the seccomp profile is set to RuntimeDefault in the pod definitions | CONFIGURATION MANAGEMENT |
| 4.6.3 Apply Security Context to Pods and Containers | CONFIGURATION MANAGEMENT |
| 4.6.4 The default namespace should not be used | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.5.1 Ensure Container-Optimized OS (cos_containerd) is used for GKE node images | CONFIGURATION MANAGEMENT |
| 5.5.7 Ensure Secure Boot for Shielded GKE Nodes is Enabled | RISK ASSESSMENT |
| 5.6.1 Enable VPC Flow Logs and Intranode Visibility | AUDIT AND ACCOUNTABILITY |
| 5.6.4 Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.6.6 Consider firewalling GKE worker nodes | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.6.8 Ensure use of Google-managed SSL Certificates | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7.2 Enable Linux auditd logging | AUDIT AND ACCOUNTABILITY |
| 5.8.2 Manage Kubernetes RBAC users with Google Groups for GKE | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 5.10.3 Consider GKE Sandbox for running untrusted workloads | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.10.4 Ensure use of Binary Authorization | CONFIGURATION MANAGEMENT |
