💼 6 Managed services

ID: /frameworks/cis-gke-v1.0.0/06

Description

This section consists of security recommendations for the direct configuration of Kubernetes managed service components, namely, Google Kubernetes Engine (GKE). These recommendations are directly applicable for features which exist only as part of a managed service.

Similar

Sub Sections

Section	Sub Sections	Compliance
💼 6.1 Image Registry and Image Scanning	4	no data
💼 6.1.1 Ensure Image Vulnerability Scanning using GCR Container Analysis or a third-party provider (Scored)		no data
💼 6.1.2 Minimize user access to GCR (Scored)		no data
💼 6.1.3 Minimize cluster access to read-only for GCR (Scored)		no data
💼 6.1.4 Minimize Container Registries to only those approved (Not Scored)		no data
💼 6.2 Identity and Access Management (IAM)	2	no data
💼 6.2.1 Ensure GKE clusters are not running using the Compute Engine default service account (Scored)		no data
💼 6.2.2 Prefer using dedicated GCP Service Accounts and Workload Identity (Not Scored)		no data
💼 6.3 Cloud Key Management Service (Cloud KMS)	1	no data
💼 6.3.1 Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS (Scored)		no data
💼 6.4 Node Metadata	2	no data
💼 6.4.1 Ensure legacy Compute Engine instance metadata APIs are Disabled (Scored)		no data
💼 6.4.2 Ensure the GKE Metadata Server is Enabled (Not Scored)		no data
💼 6.5 Node Configuration and Maintenance	7	no data
💼 6.5.1 Ensure Container-Optimized OS (COS) is used for GKE node images (Scored)		no data
💼 6.5.2 Ensure Node Auto-Repair is enabled for GKE nodes (Scored)		no data
💼 6.5.3 Ensure Node Auto-Upgrade is enabled for GKE nodes (Scored)		no data
💼 6.5.4 Automate GKE version management using Release Channels (Not Scored)		no data
💼 6.5.5 Ensure Shielded GKE Nodes are Enabled (Not Scored)		no data
💼 6.5.6 Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled (Not Scored)		no data
💼 6.5.7 Ensure Secure Boot for Shielded GKE Nodes is Enabled (Not Scored)		no data
💼 6.6 Cluster Networking	8	no data
💼 6.6.1 Enable VPC Flow Logs and Intranode Visibility (Not Scored)		no data
💼 6.6.2 Ensure use of VPC-native clusters (Scored)		no data
💼 6.6.3 Ensure Master Authorized Networks is Enabled (Scored)		no data
💼 6.6.4 Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Scored)		no data
💼 6.6.5 Ensure clusters are created with Private Nodes (Scored)		no data
💼 6.6.6 Consider firewalling GKE worker nodes (Not Scored)		no data
💼 6.6.7 Ensure Network Policy is Enabled and set as appropriate (Not Scored)		no data
💼 6.6.8 Ensure use of Google-managed SSL Certificates (Not Scored)		no data
💼 6.7 Logging	2	no data
💼 6.7.1 Ensure Stackdriver Kubernetes Logging and Monitoring is Enabled (Scored)		no data
💼 6.7.2 Enable Linux auditd logging (Not Scored)		no data
💼 6.8 Authentication and Authorization	4	no data
💼 6.8.1 Ensure Basic Authentication using static passwords is Disabled (Scored)		no data
💼 6.8.2 Ensure authentication using Client Certificates is Disabled (Scored)		no data
💼 6.8.3 Manage Kubernetes RBAC users with Google Groups for GKE (Not Scored)		no data
💼 6.8.4 Ensure Legacy Authorization (ABAC) is Disabled (Scored)		no data
💼 6.9 Storage	1	no data
💼 6.9.1 Enable Customer-Managed Encryption Keys (CMEK) for GKE Persistent Disks (PD) (Not Scored)		no data
💼 6.10 Other Cluster Configurations	6	no data
💼 6.10.1 Ensure Kubernetes Web UI is Disabled (Scored)		no data
💼 6.10.2 Ensure that Alpha clusters are not used for production workloads (Scored)		no data
💼 6.10.3 Ensure Pod Security Policy is Enabled and set as appropriate (Not Scored)		no data
💼 6.10.4 Consider GKE Sandbox for running untrusted workloads (Not Scored)		no data
💼 6.10.5 Ensure use of Binary Authorization (Scored)		no data
💼 6.10.6 Enable Cloud Security Command Center (Cloud SCC) (Not Scored)		no data

Description​

Similar​

Sub Sections​

Description

Similar

Sub Sections