CIS Google Kubernetes Engine (GKE) v1.6.1 L2

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS Google Kubernetes Engine (GKE) v1.6.1 L2

Updated: 3/5/2025

Authority: CIS

Plugin: GCP

Revision: 1.1

Estimated Item Count: 30

File Details

Filename: CIS_Google_Kubernetes_Engine_GKE_v1.6.1_L2.audit

Size: 76.7 kB

MD5: 830f3e37543a689058b33c03633f283d
SHA256: 2dfa6c5fb674d593574948124014ffb1f5414a84d2ce9f92bb5b5fc4c986a9d1

Audit Items

Description | Categories
4.1.8 Avoid bindings to system:anonymous
4.3.2 Ensure that all Namespaces have Network Policies defined
4.4.1 Prefer using secrets as files over secrets as environment variables
4.4.2 Consider external secret storage
4.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller
4.6.2 Ensure that the seccomp profile is set to RuntimeDefault in the pod definitions
4.6.3 Apply Security Context to Pods and Containers
4.6.4 The default namespace should not be used
5.1.1 Ensure Image Vulnerability Scanning is enabled
5.1.2 Minimize user access to Container Image repositories
5.1.3 Minimize cluster access to read-only for Container Image repositories
5.1.4 Ensure only trusted container images are used
5.2.2 Prefer using dedicated GCP Service Accounts and Workload Identity
5.3.1 Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS
5.4.1 Ensure the GKE Metadata Server is Enabled
5.5.2 Ensure Node Auto-Repair is enabled for GKE nodes
5.5.3 Ensure Node Auto-Upgrade is enabled for GKE nodes
5.5.7 Ensure Secure Boot for Shielded GKE Nodes is Enabled
5.6.1 Enable VPC Flow Logs and Intranode Visibility
5.6.3 Ensure Control Plane Authorized Networks is Enabled
5.6.4 Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled
5.6.6 Consider firewalling GKE worker nodes
5.6.7 Ensure use of Google-managed SSL Certificates
5.7.2 Enable Linux auditd logging
5.8.2 Manage Kubernetes RBAC users with Google Groups for GKE
5.9.1 Enable Customer-Managed Encryption Keys (CMEK) for GKE Persistent Disks (PD)
5.9.2 Enable Customer-Managed Encryption Keys (CMEK) for Boot Disks
5.10.3 Consider GKE Sandbox for running untrusted workloads
5.10.4 Ensure use of Binary Authorization
5.10.5 Enable Security Posture