CIS Google Kubernetes Engine (GKE) v1.6.0 L1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS Google Kubernetes Engine (GKE) v1.6.0 L1

Updated: 10/28/2024

Authority: CIS

Plugin: GCP

Revision: 1.1

Estimated Item Count: 25

Audit Items

Description / Categories
2.1.1 Client certificate authentication should not be used for users
4.1.1 Ensure that the cluster-admin role is only used where required
4.1.2 Minimize access to secrets
4.1.3 Minimize wildcard use in Roles and ClusterRoles
4.1.4 Ensure that default service accounts are not actively used
4.1.5 Ensure that Service Account Tokens are only mounted where necessary
4.1.6 Avoid use of system:masters group
4.1.7 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster
4.1.9 Avoid non-default bindings to system:unauthenticated
4.1.10 Avoid non-default bindings to system:authenticated
4.2.1 Ensure that the cluster enforces Pod Security Standard Baseline profile or stricter for all namespaces.
4.3.1 Ensure that the CNI in use supports Network Policies
4.6.1 Create administrative boundaries between resources using namespaces
5.2.1 Ensure GKE clusters are not running using the Compute Engine default service account
5.5.1 Ensure Container-Optimized OS (cos_containerd) is used for GKE node images
5.5.4 When creating New Clusters - Automate GKE version management using Release Channels
5.5.5 Ensure Shielded GKE Nodes are Enabled
5.5.6 Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled
5.6.2 Ensure use of VPC-native clusters
5.6.5 Ensure clusters are created with Private Nodes
5.7.1 Ensure Logging and Cloud Monitoring is Enabled
5.8.1 Ensure authentication using Client Certificates is Disabled
5.8.3 Ensure Legacy Authorization (ABAC) is Disabled
5.10.1 Ensure Kubernetes Web UI is Disabled
5.10.2 Ensure that Alpha clusters are not used for production workloads