Related information
- 3.1.1 - Ensure that the proxy kubeconfig file permissions are set to 644 or more restrictive (Automated)
- 3.1.2 - Ensure that the proxy kubeconfig file ownership is set to root:root (Automated)
- 3.1.3 - Ensure that the kubelet configuration file has permissions set to 644 (Automated)
- 3.1.4 - Ensure that the kubelet configuration file ownership is set to root:root (Automated)
- 3.2.1 - Ensure that the Anonymous Auth is Not Enabled Draft (Automated)
- 3.2.2 - Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated)
- 3.2.3 - Ensure that a Client CA File is Configured (Automated)
- 3.2.4 - Ensure that the --read-only-port is disabled (Automated)
- 3.2.5 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated)
- 3.2.6 - Ensure that the --make-iptables-util-chains argument is set to true (Automated)
- 3.2.7 - Ensure that the --eventRecordQPS argument is set to 0 or a level which ensures appropriate event capture (Automated)
- 3.2.8 - Ensure that the --rotate-certificates argument is not present or is set to true (Automated)
- 3.2.9 - Ensure that the RotateKubeletServerCertificate argument is set to true (Automated)
- 4.1.1 - Ensure that the cluster-admin role is only used where required (Automated)
- 4.1.2 - Minimize access to secrets (Automated)
- 4.1.3 - Minimize wildcard use in Roles and ClusterRoles (Automated)
- 4.1.4 - Ensure that default service accounts are not actively used (Automated)
- 4.1.5 - Ensure that Service Account Tokens are only mounted where necessary (Automated)
- 4.1.6 - Avoid use of system:masters group (Automated)
- 4.1.8 - Avoid bindings to system:anonymous (Automated)
- 4.1.9 - Avoid non-default bindings to system:unauthenticated (Automated)
- 4.1.10 - Avoid non-default bindings to system:authenticated (Automated)
- 4.3.2 - Ensure that all Namespaces have Network Policies defined (Automated)
- 4.4.1 - Prefer using secrets as files over secrets as environment variables (Automated)
- 4.6.2 - Ensure that the seccomp profile is set to RuntimeDefault in the pod definitions (Automated)
- 4.6.4 - The default namespace should not be used (Automated)
- 5.1.1 - Ensure Image Vulnerability Scanning is enabled (Automated)
- 5.2.1 - Ensure GKE clusters are not running using the Compute Engine default service account (Automated)
- 5.3.1 - Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS (Automated)
- 5.4.1 - Ensure the GKE Metadata Server is Enabled (Automated)
- 5.5.1 - Ensure Container-Optimized OS (cos_containerd) is used for GKE node images (Automated)
- 5.5.2 - Ensure Node Auto-Repair is enabled for GKE nodes (Automated)
- 5.5.3 - Ensure Node Auto-Upgrade is enabled for GKE nodes (Automated)
- 5.5.4 - When creating New Clusters - Automate GKE version management using Release Channels (Automated)
- 5.5.5 - Ensure Shielded GKE Nodes are Enabled (Automated)
- 5.5.6 - Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled (Automated)
- 5.5.7 - Ensure Secure Boot for Shielded GKE Nodes is Enabled (Automated)
- 5.6.1 - Enable VPC Flow Logs and Intranode Visibility (Automated)
- 5.6.2 - Ensure use of VPC-native clusters (Automated)
- 5.6.3 - Ensure Control Plane Authorized Networks is Enabled (Automated)
- 5.6.4 - Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Automated)
- 5.6.5 - Ensure clusters are created with Private Nodes (Automated)
- 5.6.7 - Ensure use of Google-managed SSL Certificates (Automated)
- 5.7.1 - Ensure Logging and Cloud Monitoring is Enabled (Automated)
- 5.8.3 - Ensure Legacy Authorization (ABAC) is Disabled (Automated)
- 5.9.2 - Enable Customer-Managed Encryption Keys (CMEK) for Boot Disks (Automated)
- 5.10.2 - Ensure that Alpha clusters are not used for production workloads (Automated)
- 5.10.3 - Consider GKE Sandbox for running untrusted workloads (Automated)
- 5.10.4 - Ensure use of Binary Authorization (Automated)