💼 CIS GKE v1.8.0

• ID: /frameworks/cis-gke-v1.8.0

Description

Empty...

Similar

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 3 Worker Nodes	1				no data
💼 3.1 Worker Node Configuration Files	4				no data
💼 3.1.1 Ensure that the kubeconfig file permissions are set to 644 or more restrictive (Automated)					no data
💼 3.1.2 Ensure that the kubelet kubeconfig file ownership is set to root:root (Automated)					no data
💼 3.1.3 Ensure that the kubelet configuration file has permissions set to 644 (Automated)					no data
💼 3.1.4 Ensure that the kubelet configuration file ownership is set to root:root (Automated)					no data
💼 4 Policies	6				no data
💼 4.1 RBAC and Service Accounts	10				no data
💼 4.1.1 Ensure that the cluster-admin role is only used where required (Automated)					no data
💼 4.1.2 Minimize access to secrets (Automated)					no data
💼 4.1.3 Minimize wildcard use in Roles and ClusterRoles (Automated)					no data
💼 4.1.4 Ensure that default service accounts are not actively used (Automated)					no data
💼 4.1.5 Ensure that Service Account Tokens are only mounted where necessary (Automated)					no data
💼 4.1.6 Avoid use of system:masters group (Automated)					no data
💼 4.1.7 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster (Manual)					no data
💼 4.1.8 Avoid bindings to system:anonymous (Automated)					no data
💼 4.1.9 Avoid non-default bindings to system:unauthenticated (Automated)					no data
💼 4.1.10 Avoid non-default bindings to system:authenticated (Automated)					no data
💼 4.2 Pod Security Standards	1				no data
💼 4.2.1 Ensure that the cluster enforces Pod Security Standard Baseline profile or stricter for all namespaces. (Manual)					no data
💼 4.3 Network Policies and CNI	2				no data
💼 4.3.1 Ensure that the CNI in use supports Network Policies (Manual)					no data
💼 4.3.2 Ensure that all Namespaces have Network Policies defined (Automated)					no data
💼 4.4 Secrets Management	2				no data
💼 4.4.1 Prefer using secrets as files over secrets as environment variables (Automated)					no data
💼 4.4.2 Consider external secret storage (Manual)					no data
💼 4.5 Extensible Admission Control	1				no data
💼 4.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)					no data
💼 4.6 General Policies	4				no data
💼 4.6.1 Create administrative boundaries between resources using namespaces (Manual)					no data
💼 4.6.2 Ensure that the seccomp profile is set to RuntimeDefault in the pod definitions (Automated)					no data
💼 4.6.3 Apply Security Context to Pods and Containers (Manual)					no data
💼 4.6.4 The default namespace should not be used (Automated)					no data
💼 5 Managed services	10		8		no data
💼 5.1 Image Registry and Image Scanning	4				no data
💼 5.1.1 Ensure Image Vulnerability Scanning is enabled (Automated)					no data
💼 5.1.2 Minimize user access to Container Image repositories (Manual)					no data
💼 5.1.3 Minimize cluster access to read-only for Container Image repositories (Manual)					no data
💼 5.1.4 Ensure only trusted container images are used (Manual)					no data
💼 5.2 Identity and Access Management (IAM)	2		1		no data
💼 5.2.1 Ensure GKE clusters are not running using the Compute Engine default service account (Automated)			1		no data
💼 5.2.2 Prefer using dedicated GCP Service Accounts and Workload Identity (Manual)					no data
💼 5.3 Cloud Key Management Service (Cloud KMS)	1				no data
💼 5.3.1 Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS (Automated)					no data
💼 5.4 Node Metadata	1				no data
💼 5.4.1 Ensure the GKE Metadata Server is Enabled (Automated)					no data
💼 5.5 Node Configuration and Maintenance	7		2		no data
💼 5.5.1 Ensure Container-Optimized OS (cos_containerd) is used for GKE Node images (Automated)					no data
💼 5.5.2 Ensure Node Auto-Repair is Enabled for GKE Nodes (Automated)			1		no data
💼 5.5.3 Ensure Node Auto-Upgrade is Enabled for GKE Nodes (Automated)			1		no data
💼 5.5.4 When creating New Clusters - Automate GKE version management using Release Channels (Automated)					no data
💼 5.5.5 Ensure Shielded GKE Nodes are Enabled (Automated)					no data
💼 5.5.6 Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled (Automated)					no data
💼 5.5.7 Ensure Secure Boot for Shielded GKE Nodes is Enabled (Automated)					no data
💼 5.6 Cluster Networking	7		2		no data
💼 5.6.1 Enable VPC Flow Logs and Intranode Visibility (Automated)					no data
💼 5.6.2 Ensure use of VPC-native clusters (Automated)			1		no data
💼 5.6.3 Ensure Control Plane Authorized Networks is Enabled (Automated)			1		no data
💼 5.6.4 Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Automated)					no data
💼 5.6.5 Ensure clusters are created with Private Nodes (Automated)					no data
💼 5.6.6 Consider firewalling GKE worker nodes (Manual)					no data
💼 5.6.7 Ensure use of Google-managed SSL Certificates (Automated)					no data
💼 5.7 Logging	2		2		no data
💼 5.7.1 Ensure Logging and Cloud Monitoring is Enabled (Automated)			2		no data
💼 5.7.2 Enable Linux auditd logging (Manual)					no data
💼 5.8 Authentication and Authorization	3				no data
💼 5.8.1 Ensure authentication using Client Certificates is Disabled (Automated)					no data
💼 5.8.2 Manage Kubernetes RBAC users with Google Groups for GKE (Manual)					no data
💼 5.8.3 Ensure Legacy Authorization (ABAC) is Disabled (Automated)					no data
💼 5.9 Storage	2				no data
💼 5.9.1 Enable Customer-Managed Encryption Keys (CMEK) for GKE Persistent Disks (PD) (Manual)					no data
💼 5.9.2 Enable Customer-Managed Encryption Keys (CMEK) for Boot Disks (Automated)					no data
💼 5.10 Other Cluster Configurations	4		1		no data
💼 5.10.1 Ensure Kubernetes Web UI is Disabled (Automated)					no data
💼 5.10.2 Ensure that Alpha clusters are not used for production workloads (Automated)			1		no data
💼 5.10.3 Consider GKE Sandbox for running untrusted workloads (Automated)					no data
💼 5.10.4 Enable Security Posture (Manual)					no data