CIS Google Kubernetes Engine GKE V1.1.0 L1 Master

Details Kubernetes provides the option to use client certificates for user authentication. However as there is no way to revoke...

Details Use namespaces to isolate your Kubernetes objects. Rationale: Limiting the scope of user permissions can reduce the impact of...

Details Enable Cloud Security Command Center (Cloud SCC) to provide a centralized view of security for your GKE clusters. Rationale:...

Details Disable Client Certificates, which require certificate rotation, for authentication. Instead, use another authentication method like OpenID Connect. Rationale: With...

Details Disable Basic Authentication (basic auth) for API server authentication as it uses static passwords which need to be rotated....

Details Disable public IP addresses for cluster nodes, so that they only have private IP addresses. Private Nodes are nodes...

Details Create and use minimally privileged Service accounts to run GKE cluster nodes instead of using the Compute Engine default...

Details Scan images stored in Google Container Registry (GCR) for vulnerabilities. Rationale: Vulnerabilities in software packages can be exploited by...

Details Enable Integrity Monitoring for Shielded GKE Nodes to be notified of inconsistencies during the node boot sequence. Rationale: Integrity...

Details Encrypt Kubernetes secrets, stored in etcd, at the application-layer using a customer-managed key in Cloud KMS. Rationale: By default,...