| 💼 1 Control Plane Components | 4 | | | | no data |
|  💼 1.1 Master Node Configuration Files | 21 | | | | no data |
|   💼 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Not Scored) | | | | | no data |
|   💼 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Not Scored) | | | | | no data |
|   💼 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Not Scored) | | | | | no data |
|   💼 1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root (Not Scored) | | | | | no data |
|   💼 1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Not Scored) | | | | | no data |
|   💼 1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root (Not Scored) | | | | | no data |
|   💼 1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Not Scored) | | | | | no data |
|   💼 1.1.8 Ensure that the etcd pod specification file ownership is set to root:root (Not Scored) | | | | | no data |
|   💼 1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Not Scored) | | | | | no data |
|   💼 1.1.10 Ensure that the Container Network Interface file ownership is set to root:root (Not Scored) | | | | | no data |
|   💼 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Not Scored) | | | | | no data |
|   💼 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Not Scored) | | | | | no data |
|   💼 1.1.13 Ensure that the admin.conf file permissions are set to 644 or more restrictive (Not Scored) | | | | | no data |
|   💼 1.1.14 Ensure that the admin.conf file ownership is set to root:root (Not Scored) | | | | | no data |
|   💼 1.1.15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Not Scored) | | | | | no data |
|   💼 1.1.16 Ensure that the scheduler.conf file ownership is set to root:root (Not Scored) | | | | | no data |
|   💼 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Not Scored) | | | | | no data |
|   💼 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Not Scored) | | | | | no data |
|   💼 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Not Scored) | | | | | no data |
|   💼 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Not Scored) | | | | | no data |
|   💼 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Not Scored) | | | | | no data |
|  💼 1.2 API Server | 35 | | | | no data |
|   💼 1.2.1 Ensure that the --anonymous-auth argument is set to false (Not Scored) | | | | | no data |
|   💼 1.2.2 Ensure that the --basic-auth-file argument is not set (Not Scored) | | | | | no data |
|   💼 1.2.3 Ensure that the --token-auth-file parameter is not set (Not Scored) | | | | | no data |
|   💼 1.2.4 Ensure that the --kubelet-https argument is set to true (Not Scored) | | | | | no data |
|   💼 1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Not Scored) | | | | | no data |
|   💼 1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate (Not Scored) | | | | | no data |
|   💼 1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Not Scored) | | | | | no data |
|   💼 1.2.8 Ensure that the --authorization-mode argument includes Node (Not Scored) | | | | | no data |
|   💼 1.2.9 Ensure that the --authorization-mode argument includes RBAC (Not Scored) | | | | | no data |
|   💼 1.2.10 Ensure that the admission control plugin EventRateLimit is set (Not Scored) | | | | | no data |
|   💼 1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Not Scored) | | | | | no data |
|   💼 1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Not Scored) | | | | | no data |
|   💼 1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Not Scored) | | | | | no data |
|   💼 1.2.14 Ensure that the admission control plugin ServiceAccount is set (Not Scored) | | | | | no data |
|   💼 1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Not Scored) | | | | | no data |
|   💼 1.2.16 Ensure that the admission control plugin PodSecurityPolicy is set (Not Scored) | | | | | no data |
|   💼 1.2.17 Ensure that the admission control plugin NodeRestriction is set (Not Scored) | | | | | no data |
|   💼 1.2.18 Ensure that the --insecure-bind-address argument is not set (Not Scored) | | | | | no data |
|   💼 1.2.19 Ensure that the --insecure-port argument is set to 0 (Not Scored) | | | | | no data |
|   💼 1.2.20 Ensure that the --secure-port argument is not set to 0 (Not Scored) | | | | | no data |
|   💼 1.2.21 Ensure that the --profiling argument is set to false (Not Scored) | | | | | no data |
|   💼 1.2.22 Ensure that the --audit-log-path argument is set (Not Scored) | | | | | no data |
|   💼 1.2.23 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Not Scored) | | | | | no data |
|   💼 1.2.24 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Not Scored) | | | | | no data |
|   💼 1.2.25 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Not Scored) | | | | | no data |
|   💼 1.2.26 Ensure that the --request-timeout argument is set as appropriate (Not Scored) | | | | | no data |
|   💼 1.2.27 Ensure that the --service-account-lookup argument is set to true (Not Scored) | | | | | no data |
|   💼 1.2.28 Ensure that the --service-account-key-file argument is set as appropriate (Not Scored) | | | | | no data |
|   💼 1.2.29 Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Not Scored) | | | | | no data |
|   💼 1.2.30 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Not Scored) | | | | | no data |
|   💼 1.2.31 Ensure that the --client-ca-file argument is set as appropriate (Not Scored) | | | | | no data |
|   💼 1.2.32 Ensure that the --etcd-cafile argument is set as appropriate (Not Scored) | | | | | no data |
|   💼 1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Not Scored) | | | | | no data |
|   💼 1.2.34 Ensure that encryption providers are appropriately configured (Not Scored) | | | | | no data |
|   💼 1.2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored) | | | | | no data |
|  💼 1.3 Controller Manager | 7 | | | | no data |
|   💼 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Not Scored) | | | | | no data |
|   💼 1.3.2 Ensure that the --profiling argument is set to false (Not Scored) | | | | | no data |
|   💼 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Not Scored) | | | | | no data |
|   💼 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Not Scored) | | | | | no data |
|   💼 1.3.5 Ensure that the --root-ca-file argument is set as appropriate (Not Scored) | | | | | no data |
|   💼 1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true (Not Scored) | | | | | no data |
|   💼 1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Not Scored) | | | | | no data |
|  💼 1.4 Scheduler | 2 | | | | no data |
|   💼 1.4.1 Ensure that the --profiling argument is set to false (Not Scored) | | | | | no data |
|   💼 1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Not Scored) | | | | | no data |
| 💼 2 etcd | 7 | | | | no data |
|  💼 2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Not Scored) | | | | | no data |
|  💼 2.2 Ensure that the --client-cert-auth argument is set to true (Not Scored) | | | | | no data |
|  💼 2.3 Ensure that the --auto-tls argument is not set to true (Not Scored) | | | | | no data |
|  💼 2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Not Scored) | | | | | no data |
|  💼 2.5 Ensure that the --peer-client-cert-auth argument is set to true (Not Scored) | | | | | no data |
|  💼 2.6 Ensure that the --peer-auto-tls argument is not set to true (Not Scored) | | | | | no data |
|  💼 2.7 Ensure that a unique Certificate Authority is used for etcd (Not Scored) | | | | | no data |
| 💼 3 Control Plane Configuration | 2 | | | | no data |
|  💼 3.1 Authentication and Authorization | 1 | | | | no data |
|   💼 3.1.1 Client certificate authentication should not be used for users (Not Scored) | | | | | no data |
|  💼 3.2 Logging | 2 | | | | no data |
|   💼 3.2.1 Ensure that a minimal audit policy is created (Not Scored) | | | | | no data |
|   💼 3.2.2 Ensure that the audit policy covers key security concerns (Not Scored) | | | | | no data |
| 💼 4 Worker Nodes | 2 | | | | no data |
|  💼 4.1 Worker Node Configuration Files | 10 | | | | no data |
|   💼 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Not Scored) | | | | | no data |
|   💼 4.1.2 Ensure that the kubelet service file ownership is set to root:root (Not Scored) | | | | | no data |
|   💼 4.1.3 Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Scored) | | | | | no data |
|   💼 4.1.4 Ensure that the proxy kubeconfig file ownership is set to root:root (Scored) | | | | | no data |
|   💼 4.1.5 Ensure that the kubelet.conf file permissions are set to 644 or more restrictive (Not Scored) | | | | | no data |
|   💼 4.1.6 Ensure that the kubelet.conf file ownership is set to root:root (Not Scored) | | | | | no data |
|   💼 4.1.7 Ensure that the certificate authorities file permissions are set to 644 or more restrictive (Not Scored) | | | | | no data |
|   💼 4.1.8 Ensure that the client certificate authorities file ownership is set to root:root (Not Scored) | | | | | no data |
|   💼 4.1.9 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Scored) | | | | | no data |
|   💼 4.1.10 Ensure that the kubelet configuration file ownership is set to root:root (Scored) | | | | | no data |
|  💼 4.2 Kubelet | 13 | | | | no data |
|   💼 4.2.1 Ensure that the --anonymous-auth argument is set to false (Scored) | | | | | no data |
|   💼 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored) | | | | | no data |
|   💼 4.2.3 Ensure that the --client-ca-file argument is set as appropriate (Scored) | | | | | no data |
|   💼 4.2.4 Ensure that the --read-only-port argument is set to 0 (Scored) | | | | | no data |
|   💼 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) | | | | | no data |
|   💼 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Scored) | | | | | no data |
|   💼 4.2.7 Ensure that the --make-iptables-util-chains argument is set to true (Scored) | | | | | no data |
|   💼 4.2.8 Ensure that the --hostname-override argument is not set (Scored) | | | | | no data |
|   💼 4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Scored) | | | | | no data |
|   💼 4.2.10 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored) | | | | | no data |
|   💼 4.2.11 Ensure that the --rotate-certificates argument is not set to false (Scored) | | | | | no data |
|   💼 4.2.12 Ensure that the RotateKubeletServerCertificate argument is set to true (Scored) | | | | | no data |
|   💼 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Not Scored) | | | | | no data |
| 💼 5 Policies | 6 | | | | no data |
|  💼 5.1 RBAC and Service Accounts | 6 | | | | no data |
|   💼 5.1.1 Ensure that the cluster-admin role is only used where required (Not Scored) | | | | | no data |
|   💼 5.1.2 Minimize access to secrets (Not Scored) | | | | | no data |
|   💼 5.1.3 Minimize wildcard use in Roles and ClusterRoles (Not Scored) | | | | | no data |
|   💼 5.1.4 Minimize access to create pods (Not Scored) | | | | | no data |
|   💼 5.1.5 Ensure that default service accounts are not actively used. (Scored) | | | | | no data |
|   💼 5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Not Scored) | | | | | no data |
|  💼 5.2 Pod Security Policies | 9 | | | | no data |
|   💼 5.2.1 Minimize the admission of privileged containers (Scored) | | | | | no data |
|   💼 5.2.2 Minimize the admission of containers wishing to share the host process ID namespace (Scored) | | | | | no data |
|   💼 5.2.3 Minimize the admission of containers wishing to share the host IPC namespace (Scored) | | | | | no data |
|   💼 5.2.4 Minimize the admission of containers wishing to share the host network namespace (Scored) | | | | | no data |
|   💼 5.2.5 Minimize the admission of containers with allowPrivilegeEscalation (Scored) | | | | | no data |
|   💼 5.2.6 Minimize the admission of root containers (Scored) | | | | | no data |
|   💼 5.2.7 Minimize the admission of containers with the NET_RAW capability (Scored) | | | | | no data |
|   💼 5.2.8 Minimize the admission of containers with added capabilities (Scored) | | | | | no data |
|   💼 5.2.9 Minimize the admission of containers with capabilities assigned (Scored) | | | | | no data |
|  💼 5.3 Network Policies and CNI | 2 | | | | no data |
|   💼 5.3.1 Ensure that the CNI in use supports Network Policies (Not Scored) | | | | | no data |
|   💼 5.3.2 Ensure that all Namespaces have Network Policies defined (Scored) | | | | | no data |
|  💼 5.4 Secrets Management | 2 | | | | no data |
|   💼 5.4.1 Prefer using secrets as files over secrets as environment variables (Not Scored) | | | | | no data |
|   💼 5.4.2 Consider external secret storage (Not Scored) | | | | | no data |
|  💼 5.5 Extensible Admission Control | 1 | | | | no data |
|   💼 5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored) | | | | | no data |
|  💼 5.6 General Policies | 4 | | | | no data |
|   💼 5.6.1 Create administrative boundaries between resources using namespaces (Not Scored) | | | | | no data |
|   💼 5.6.2 Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored) | | | | | no data |
|   💼 5.6.3 Apply Security Context to Your Pods and Containers (Not Scored) | | | | | no data |
|   💼 5.6.4 The default namespace should not be used (Scored) | | | | | no data |
| 💼 6 Managed services | 10 | | | | no data |
|  💼 6.1 Image Registry and Image Scanning | 4 | | | | no data |
|   💼 6.1.1 Ensure Image Vulnerability Scanning using GCR Container Analysis or a third-party provider (Scored) | | | | | no data |
|   💼 6.1.2 Minimize user access to GCR (Scored) | | | | | no data |
|   💼 6.1.3 Minimize cluster access to read-only for GCR (Scored) | | | | | no data |
|   💼 6.1.4 Minimize Container Registries to only those approved (Not Scored) | | | | | no data |
|  💼 6.2 Identity and Access Management (IAM) | 2 | | | | no data |
|   💼 6.2.1 Ensure GKE clusters are not running using the Compute Engine default service account (Scored) | | | | | no data |
|   💼 6.2.2 Prefer using dedicated GCP Service Accounts and Workload Identity (Not Scored) | | | | | no data |
|  💼 6.3 Cloud Key Management Service (Cloud KMS) | 1 | | | | no data |
|   💼 6.3.1 Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS (Scored) | | | | | no data |
|  💼 6.4 Node Metadata | 2 | | | | no data |
|   💼 6.4.1 Ensure legacy Compute Engine instance metadata APIs are Disabled (Scored) | | | | | no data |
|   💼 6.4.2 Ensure the GKE Metadata Server is Enabled (Not Scored) | | | | | no data |
|  💼 6.5 Node Configuration and Maintenance | 7 | | | | no data |
|   💼 6.5.1 Ensure Container-Optimized OS (COS) is used for GKE node images (Scored) | | | | | no data |
|   💼 6.5.2 Ensure Node Auto-Repair is enabled for GKE nodes (Scored) | | | | | no data |
|   💼 6.5.3 Ensure Node Auto-Upgrade is enabled for GKE nodes (Scored) | | | | | no data |
|   💼 6.5.4 Automate GKE version management using Release Channels (Not Scored) | | | | | no data |
|   💼 6.5.5 Ensure Shielded GKE Nodes are Enabled (Not Scored) | | | | | no data |
|   💼 6.5.6 Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled (Not Scored) | | | | | no data |
|   💼 6.5.7 Ensure Secure Boot for Shielded GKE Nodes is Enabled (Not Scored) | | | | | no data |
|  💼 6.6 Cluster Networking | 8 | | | | no data |
|   💼 6.6.1 Enable VPC Flow Logs and Intranode Visibility (Not Scored) | | | | | no data |
|   💼 6.6.2 Ensure use of VPC-native clusters (Scored) | | | | | no data |
|   💼 6.6.3 Ensure Master Authorized Networks is Enabled (Scored) | | | | | no data |
|   💼 6.6.4 Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Scored) | | | | | no data |
|   💼 6.6.5 Ensure clusters are created with Private Nodes (Scored) | | | | | no data |
|   💼 6.6.6 Consider firewalling GKE worker nodes (Not Scored) | | | | | no data |
|   💼 6.6.7 Ensure Network Policy is Enabled and set as appropriate (Not Scored) | | | | | no data |
|   💼 6.6.8 Ensure use of Google-managed SSL Certificates (Not Scored) | | | | | no data |
|  💼 6.7 Logging | 2 | | | | no data |
|   💼 6.7.1 Ensure Stackdriver Kubernetes Logging and Monitoring is Enabled (Scored) | | | | | no data |
|   💼 6.7.2 Enable Linux auditd logging (Not Scored) | | | | | no data |
|  💼 6.8 Authentication and Authorization | 4 | | | | no data |
|   💼 6.8.1 Ensure Basic Authentication using static passwords is Disabled (Scored) | | | | | no data |
|   💼 6.8.2 Ensure authentication using Client Certificates is Disabled (Scored) | | | | | no data |
|   💼 6.8.3 Manage Kubernetes RBAC users with Google Groups for GKE (Not Scored) | | | | | no data |
|   💼 6.8.4 Ensure Legacy Authorization (ABAC) is Disabled (Scored) | | | | | no data |
|  💼 6.9 Storage | 1 | | | | no data |
|   💼 6.9.1 Enable Customer-Managed Encryption Keys (CMEK) for GKE Persistent Disks (PD) (Not Scored) | | | | | no data |
|  💼 6.10 Other Cluster Configurations | 6 | | | | no data |
|   💼 6.10.1 Ensure Kubernetes Web UI is Disabled (Scored) | | | | | no data |
|   💼 6.10.2 Ensure that Alpha clusters are not used for production workloads (Scored) | | | | | no data |
|   💼 6.10.3 Ensure Pod Security Policy is Enabled and set as appropriate (Not Scored) | | | | | no data |
|   💼 6.10.4 Consider GKE Sandbox for running untrusted workloads (Not Scored) | | | | | no data |
|   💼 6.10.5 Ensure use of Binary Authorization (Scored) | | | | | no data |
|   💼 6.10.6 Enable Cloud Security Command Center (Cloud SCC) (Not Scored) | | | | | no data |