2.1.1 Do not use client certificate authentication for users (Manual)
2.2.1 Create a minimal audit policy (Manual)
2.2.2 Ensure that the audit policy covers key security concerns (Manual)
3.1.1 Set the proxy kubeconfig file permissions to 644 or more restrictive (Automated)
3.1.2 Set the proxy kubeconfig file ownership to root:root (Automated)
3.1.3 Ensure that the kubelet configuration file has permissions set to 644 or more restrictive (Automated)
3.1.4 Set the kubelet configuration file ownership to root:root (Automated)
3.2.1 Set the --anonymous-auth argument to false (Automated)
3.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
3.2.3 Set the --client-ca-file argument as appropriate (Automated)
3.2.4 Set the --read-only-port argument to 0 (Automated)
3.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated)
3.2.6 Set the --make-iptables-util-chains argument to true (Automated)
3.2.7 Ensure that the --hostname-override argument is not set (Automated)
3.2.8 Set the --eventrecordqps argument to 5 or higher to ensure appropriate event capture (Automated)
3.2.9 Set the --tls-cert-file and --tls-private-key-file arguments as appropriate (Automated)
3.2.10 Ensure that the --rotate-certificates argument is not set to false (Automated)
3.2.11 Set the RotateKubeletServerCertificate argument to true (Automated)
4.1.1 Ensure that the cluster-admin role is only used where required (Automated)
4.1.2 Minimize access to secrets (Automated)
4.1.3 Minimize wildcard use in Roles (Automated)
4.1.3 Minimize wildcard use in ClusterRoles (Automated)
4.1.4 Minimize access to create pods in Roles (Automated)
4.1.4 Minimize access to create pods in ClusterRoles (Automated)
4.1.5 Ensure that default service accounts are not actively used in Roles (Automated)
4.1.5 Ensure that default service accounts are not actively used in ClusterRoles (Automated)
4.1.6 Ensure that Service Account Tokens are only mounted where necessary (Automated)
4.1.6 Ensure that default service accounts are not automatically mounting their Kubernetes API access token (Automated)
4.2.1 Minimize the admission of privileged containers (Automated)
4.2.2 Minimize the admission of containers wishing to share the host process ID namespace (Automated)
4.2.3 Minimize the admission of containers wishing to share the host Inter-Process Communication (IPC) namespace (Automated)
4.2.4 Minimize the admission of containers wishing to share the host network namespace (Automated)
4.2.5 Minimize the admission of containers with allowPrivilegeEscalation (Automated)
4.2.6 Minimize the admission of root containers (Automated)
4.2.7 Minimize the admission of containers with added capabilities (Automated)
4.2.8 Minimize the admission of containers with capabilities assigned (Manual)
4.3.1 Ensure that the Container Network Interface (CNI) in use supports Network Policies (Manual)
4.3.2 Ensure that all Namespaces have Network Policies defined (Manual)
4.4.1 Prefer using secrets as files over secrets as environment variables (Manual)
4.4.2 Consider external secret storage (Manual)
4.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)
4.6.1 Create administrative boundaries between resources using namespaces (Manual)
4.6.2 Set the seccomp profile to docker/default in the pod definitions (Manual)
4.6.3 Apply Security Context to Pods and Containers (Manual)
4.6.4 Do not use the default namespace (Manual)
5.1.1 Ensure Image Vulnerability Scanning using Google Container Registry (GCR) Container Analysis or a third party provider (Manual)
5.1.2 Minimize user access to Google Container Registry (GCR) (Manual)
5.1.3 Minimize cluster access to read-only for Google Container Registry (GCR) (Manual)
5.1.4 Minimize Container Registries to only those approved (Automated)
5.2.1 Ensure Google Kubernetes Engine (GKE) clusters are not running using the Compute Engine default service account (Automated)
5.2.2 Prefer using dedicated GCP Service Accounts and Workload Identity (Automated)
5.3.1 Encrypt Kubernetes Secrets using keys managed in Cloud Key Management Service (KMS) (Automated)
5.4.1 Disable legacy Compute Engine instance metadata APIs (Automated)
5.4.2 Enable the Google Kubernetes Engine (GKE) Metadata Server (Automated)
5.5.1 Use Container-Optimized OS (cos_containerd) for Google Kubernetes Engine (GKE) node images (Automated)
5.5.2 Enable Node Auto-Repair for Google Kubernetes Engine (GKE) nodes (Automated)
5.5.3 Enable Node Auto-Upgrade for Google Kubernetes Engine (GKE) nodes (Automated)
5.5.4 When creating New Clusters - Automate Google Kubernetes Engine (GKE) version management using Release Channels (Automated)
5.5.5 Enable Shielded Google Kubernetes Engine (GKE) Nodes (Automated)
5.5.6 Enable Integrity Monitoring for Shielded Google Kubernetes Engine (GKE) Nodes (Automated)
5.5.7 Enable Secure Boot for Shielded Google Kubernetes Engine (GKE) Nodes (Automated)
5.6.1 Enable Virtual Private Cloud (VPC) Flow Logs and Intranode Visibility (Automated)
5.6.2 Ensure use of Virtual Private Cloud (VPC) native clusters (Automated)
5.6.3 Enable Control Plane Authorized Networks (Automated)
5.6.4 Create clusters with Private Endpoint Enabled and Public Access Disabled (Automated)
5.6.5 Create clusters with Private Nodes (Automated)
5.6.6 Consider firewalling Google Kubernetes Engine (GKE) worker nodes (Manual)
5.6.7 Enable Network Policy and set as appropriate (Automated)
5.6.8 Ensure use of Google-managed SSL Certificates (Manual)
5.7.1 Enable Logging and Cloud Monitoring (Automated)
5.7.2 Enable Linux auditd logging (Manual)
5.8.1 Disable Basic Authentication using static passwords (Automated)
5.8.2 Disable authentication using Client Certificates (Automated)
5.8.3 Manage Kubernetes Role-Based Access Control (RBAC) users with Google Groups for Google Kubernetes Engine (GKE) (Manual)
5.8.4 Disable Legacy Attribute-Based Access Control (ABAC) (Automated)
5.9.1 Enable Customer-Managed Encryption Keys (CMEK) for Google Kubernetes Engine (GKE) Persistent Disks (PD) (Automated)
5.10.1 Disable Kubernetes Web UI (Automated)
5.10.2 Ensure that Alpha clusters are not used for production workloads (Automated)
5.10.3 Enable Pod Security Policy and set as appropriate (Manual)
5.10.4 Consider Google Kubernetes Engine (GKE) Sandbox for running untrusted workloads (Automated)
5.10.5 Ensure use of Binary Authorization (Automated)
5.10.6 Enable Cloud Security Command Center (SCC) (Manual)