CIS Google Kubernetes Engine (GKE) Autopilot Benchmark v1.0.0 PDF
CIS Google Kubernetes Engine (GKE) Autopilot Benchmark v1.0.0 PDF
CIS Google Kubernetes Engine (GKE) Autopilot Benchmark v1.0.0 PDF
Page 1
Page 2
Page 3
Page 4
In the end, the CIS Benchmarks are designed as a key component of a comprehensive
cybersecurity program.
This document provides prescriptive guidance for running Google Kubernetes Engine
(GKE) AutoPilot following recommended security controls. This benchmark only
includes controls which can be modified by an end user of GKE AutoPilot.
To obtain the latest version of this guide, please visit www.cisecurity.org. If you have
questions, comments, or have identified ways to improve this guide, please write us at
[email protected].
Intended Audience
This document is intended for cluster administrators, security specialists, auditors, and
any personnel who plan to develop, deploy, assess, or secure solutions that incorporate
Google Kubernetes Engine (GKE) AutoPilot.
Relevant links
• GKE Shared Responsibility Model
• GKE Control Plane Security
• GKE AutoPilot Security Capabilities
• GKE AutoPilot vs Standard Security Feature Comparison
Page 5
Page 6
Convention Meaning
Page 7
Title
Concise description for the recommendation's intended configuration.
Assessment Status
An assessment status is included for every recommendation. The assessment status
indicates whether the given recommendation can be automated or requires manual
steps to implement. Both statuses are equally important and are determined and
supported as defined below:
Automated
Represents recommendations for which assessment of a technical control can be fully
automated and validated to a pass/fail state. Recommendations will include the
necessary information to implement automation.
Manual
Represents recommendations for which assessment of a technical control cannot be
fully automated and requires all or some manual steps to validate that the configured
state is set as expected. The expected state can vary depending on the environment.
Profile
A collection of recommendations for securing a technology or a supporting platform.
Most benchmarks include at least a Level 1 and Level 2 Profile. Level 2 extends Level 1
recommendations and is not a standalone profile. The Profile Definitions section in the
benchmark provides the definitions as they pertain to the recommendations included for
the technology.
Description
Detailed information pertaining to the setting with which the recommendation is
concerned. In some cases, the description will include the recommended value.
Rationale Statement
Detailed reasoning for the recommendation to provide the user a clear and concise
understanding on the importance of the recommendation.
Page 8
Audit Procedure
Systematic instructions for determining if the target system complies with the
recommendation.
Remediation Procedure
Systematic instructions for applying recommendations to the target system to bring it
into compliance according to the recommendation.
Default Value
Default value for the given setting in this recommendation, if known. If not known, either
not configured or not defined will be applied.
References
Additional documentation relative to the recommendation.
Additional Information
Supplementary information that does not correspond to any other field but may be
useful to the user.
Page 9
• Level 1
• Level 2
Extends Level 1
Page 10
Authors
Randall Mowen
Andrew Peabody
Key Contributors
Poonam Lamba
Shannon Kularathna
Mark Larinde
Page 11
Page 12
Page 13
Page 14
Page 15
Page 16
Page 18
• Level 1
Description:
The RBAC role cluster-admin provides wide-ranging powers over the environment
and should be used only where and when needed.
Rationale:
Kubernetes provides a set of default roles where RBAC is used. Some of these roles
such as cluster-admin provide wide-ranging privileges which should only be applied
where absolutely necessary. Roles such as cluster-admin allow super-user access to
perform any action on any resource. When used in a ClusterRoleBinding, it gives full
control over every resource in the cluster and in all namespaces. When used in a
RoleBinding, it gives full control over every resource in the rolebinding's namespace,
including the namespace itself.
Impact:
Audit:
Obtain a list of the principals who have access to the cluster-admin role by reviewing
the clusterrolebinding output for each role binding that has access to the cluster-
admin role.
kubectl get clusterrolebindings -o=custom-
columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].name
Review each principal listed and ensure that cluster-admin privilege is required for it.
Remediation:
Identify all clusterrolebindings to the cluster-admin role. Check if they are used and if
they need this role or if they could use a role with fewer privileges.
Where possible, first bind users to a lower-privileged role and then remove the
clusterrolebinding to the cluster-admin role :
Page 19
Default Value:
References:
1. https://kubernetes.io/docs/concepts/cluster-administration/
2. https://kubernetes.io/docs/reference/access-authn-authz/rbac/
CIS Controls:
Controls
Control IG 1 IG 2 IG 3
Version
Page 20
• Level 1
Description:
The Kubernetes API stores secrets, which may be service account tokens for the
Kubernetes API or credentials used by workloads in the cluster. Access to these secrets
should be restricted to the smallest possible group of users to reduce the risk of
privilege escalation.
Rationale:
Inappropriate access to secrets stored within the Kubernetes cluster can allow for an
attacker to gain additional access to the Kubernetes cluster or external resources
whose credentials are stored as secrets.
Impact:
Care should be taken not to remove access to secrets to system components which
require this for their operation
Audit:
Review the users who have get, list or watch access to secrets objects in the
Kubernetes API.
Remediation:
Where possible, remove get, list and watch access to secret objects in the cluster.
Page 21
CIS Controls:
Controls
Control IG 1 IG 2 IG 3
Version
Page 22
• Level 1
Description:
Kubernetes Roles and ClusterRoles provide access to resources based on sets of
objects and actions that can be taken on those objects. It is possible to set either of
these to be the wildcard "*", which matches all items.
Use of wildcards is not optimal from a security perspective as it may allow for
inadvertent access to be granted when new resources are added to the Kubernetes API
either as CRDs or in later versions of the product.
Rationale:
The principle of least privilege recommends that users are provided only the access
required for their role and nothing more. The use of wildcard rights grants is likely to
provide excessive rights to the Kubernetes API.
Audit:
Retrieve the roles defined across each namespaces in the cluster and review for
wildcards
kubectl get roles --all-namespaces -o yaml
Retrieve the cluster roles defined in the cluster and review for wildcards
kubectl get clusterroles -o yaml
Remediation:
Where possible replace any use of wildcards in clusterroles and roles with specific
objects or actions.
References:
1. https://kubernetes.io/docs/reference/access-authn-authz/rbac/
Page 23
Controls
Control IG 1 IG 2 IG 3
Version
Page 24
• Level 1
Description:
The default service account should not be used to ensure that rights granted to
applications can be more easily audited and reviewed.
Rationale:
Kubernetes provides a default service account which is used by cluster workloads
where no specific service account is assigned to the pod.
Where access to the Kubernetes API from a pod is required, a specific service account
should be created for that pod, and rights granted to that service account.
The default service account should be configured such that it does not provide a service
account token and does not have any explicit rights assignments.
Impact:
All workloads which require access to the Kubernetes API will require an explicit service
account to be created.
Audit:
For each namespace in the cluster, review the rights assigned to the default service
account and ensure that it has no roles or cluster roles bound to it apart from the
defaults.
Additionally ensure that the automountServiceAccountToken: false setting is in
place for each default service account.
Remediation:
Create explicit service accounts wherever a Kubernetes workload requires specific
access to the Kubernetes API server.
Modify the configuration of each default service account to include this value
automountServiceAccountToken: false
Default Value:
By default the default service account allows for its service account token to be
mounted in pods in its namespace.
Page 25
1. https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-
account/
CIS Controls:
Controls
Control IG 1 IG 2 IG 3
Version
Page 26
• Level 1
Description:
Service accounts tokens should not be mounted in pods except where the workload
running in the pod explicitly needs to communicate with the API server
Rationale:
Mounting service account tokens inside pods can provide an avenue for privilege
escalation attacks where an attacker is able to compromise a single pod in the cluster.
Avoiding mounting these tokens removes this attack avenue.
Impact:
Pods mounted without service account tokens will not be able to communicate with the
API server, except where the resource is available to unauthenticated principals.
Audit:
Review pod and service account objects in the cluster and ensure that the option below
is set, unless the resource explicitly requires this access.
automountServiceAccountToken: false
Remediation:
Modify the definition of pods and service accounts which do not need to mount service
account tokens to disable it.
Default Value:
By default, all pods get a service account token mounted in them.
References:
1. https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-
account/
Page 27
Controls
Control IG 1 IG 2 IG 3
Version
Page 28
• Level 1
Description:
The special group system:masters should not be used to grant permissions to any
user or service account, except where strictly necessary (e.g. bootstrapping access
prior to RBAC being fully available)
Rationale:
The system:masters group has unrestricted access to the Kubernetes API hard-coded
into the API server source code. An authenticated user who is a member of this group
cannot have their access reduced, even if all bindings and cluster role bindings which
mention it, are removed.
When combined with client certificate authentication, use of this group can allow for
irrevocable cluster-admin level credentials to exist for a cluster.
GKE includes the CertificateSubjectRestriction admission controller which
rejects requests for the system:masters group.
CertificateSubjectRestriction "This admission controller observes creation of
CertificateSigningRequest resources that have a spec.signerName of
kubernetes.io/kube-apiserver-client. It rejects any request that specifies a 'group' (or
'organization attribute') of system:masters." https://kubernetes.io/docs/reference/access-
authn-authz/admission-controllers/#certificatesubjectrestriction
Impact:
Once the RBAC system is operational in a cluster system:masters should not be
specifically required, as ordinary bindings from principals to the cluster-admin cluster
role can be made where unrestricted access is required.
Audit:
Review a list of all credentials which have access to the cluster and ensure that the
group system:masters is not used.
Remediation:
Remove the system:masters group from all users in the cluster.
Default Value:
By default some clusters will create a "break glass" client certificate which is a member
of this group. Access to this client certificate should be carefully controlled and it should
not be used for general cluster operations.
Page 29
1. https://github.com/kubernetes/kubernetes/blob/master/pkg/registry/rbac/escalatio
n_check.go#L38
CIS Controls:
Controls
Control IG 1 IG 2 IG 3
Version
Page 30
• Level 1
Description:
Cluster roles and roles with the impersonate, bind or escalate permissions should not
be granted unless strictly required. Each of these permissions allow a particular subject
to escalate their privileges beyond those explicitly granted by cluster administrators
Rationale:
The impersonate privilege allows a subject to impersonate other users gaining their
rights to the cluster. The bind privilege allows the subject to add a binding to a cluster
role or role which escalates their effective permissions in the cluster. The escalate
privilege allows a subject to modify cluster roles to which they are bound, increasing
their rights to that level.
Each of these permissions has the potential to allow for privilege escalation to cluster-
admin level.
Impact:
There are some cases where these permissions are required for cluster service
operation, and care should be taken before removing these permissions from system
service accounts.
Audit:
Review the users who have access to cluster roles or roles which provide the
impersonate, bind or escalate privileges.
Remediation:
Where possible, remove the impersonate, bind and escalate rights from subjects.
Default Value:
References:
1. https://www.impidio.com/blog/kubernetes-rbac-security-pitfalls
2. https://raesene.github.io/blog/2020/12/12/Escalating_Away/
3. https://raesene.github.io/blog/2021/01/16/Getting-Into-A-Bind-with-Kubernetes/
Page 31
Controls
Control IG 1 IG 2 IG 3
Version
Page 32
• Level 1
Description:
Avoid ClusterRoleBindings nor RoleBindings with the user system:anonymous.
Rationale:
Kubernetes assigns user system:anonymous to API server requests that have no
authentication information provided. Binding a role to user system:anonymous gives
any unauthenticated user the permissions granted by that role and is strongly
discouraged.
Impact:
Unauthenticated users will have privileges and permissions associated with roles
associated with the configured bindings.
Care should be taken before removing any clusterrolebindings or rolebindings
from the environment to ensure they were not required for operation of the cluster. Use
a more specific and authenticated user for cluster operations.
Audit:
Both CusterRoleBindings and RoleBindings should be audited. Use the following
command to confirm there are no ClusterRoleBindings to system:anonymous:
$ kubectl get clusterrolebindings -o json | jq -r '["Name"], ["-----"],
(.items[] | select((.subjects | length) > 0) | select(any(.subjects[]; .name
== "system:anonymous")) | [.metadata.namespace, .metadata.name]) | @tsv'
Page 33
Remediation:
Identify all clusterrolebindings and rolebindings to the user system:anonymous.
Check if they are used and review the permissions associated with the binding using the
commands in the Audit section above or refer to GKE documentation.
Strongly consider replacing unsafe bindings with an authenticated, user-defined group.
Where possible, bind to non-default, user-defined groups with least-privilege roles.
If there are any unsafe bindings to the user system:anonymous, proceed to delete them
after consideration for cluster operations with only necessary, safer bindings.
kubectl delete clusterrolebinding
[CLUSTER_ROLE_BINDING_NAME]
kubectl delete rolebinding
[ROLE_BINDING_NAME]
--namespace
[ROLE_BINDING_NAMESPACE]
Default Value:
No clusterrolebindings nor rolebindings with user system:anonymous.
References:
1. https://kubernetes.io/docs/reference/access-authn-authz/rbac/#discovery-roles
Page 34
• Level 1
Description:
Avoid non-default ClusterRoleBindings and RoleBindings with the group
system:unauthenticated, except the ClusterRoleBinding system:public-info-
viewer.
Rationale:
Kubernetes assigns the group system:unauthenticated to API server requests that
have no authentication information provided. Binding a role to this group gives any
unauthenticated user the permissions granted by that role and is strongly discouraged.
Impact:
Unauthenticated users will have privileges and permissions associated with roles
associated with the configured bindings.
Care should be taken before removing any non-default clusterrolebindings or
rolebindings from the environment to ensure they were not required for operation of
the cluster. Leverage a more specific and authenticated user for cluster operations.
Audit:
Both CusterRoleBindings and RoleBindings should be audited. Use the following
command to confirm there are no non-default ClusterRoleBindings to group
system:unauthenticated:
$ kubectl get clusterrolebindings -o json | jq -r '["Name"], ["-----"],
(.items[] | select((.subjects | length) > 0) | select(any(.subjects[]; .name
== "system:unauthenticated")) | [.metadata.namespace, .metadata.name]) |
@tsv'
Page 35
Remediation:
Identify all non-default clusterrolebindings and rolebindings to the group
system:unauthenticated. Check if they are used and review the permissions
associated with the binding using the commands in the Audit section above or refer to
GKE documentation.
Strongly consider replacing non-default, unsafe bindings with an authenticated, user-
defined group. Where possible, bind to non-default, user-defined groups with least-
privilege roles.
If there are any non-default, unsafe bindings to the group system:unauthenticated,
proceed to delete them after consideration for cluster operations with only necessary,
safer bindings.
kubectl delete clusterrolebinding
[CLUSTER_ROLE_BINDING_NAME]
kubectl delete rolebinding
[ROLE_BINDING_NAME]
--
namespace
[ROLE_BINDING_NAMESPACE]
Default Value:
• system:public-info-viewer
Page 36
1. https://kubernetes.io/docs/reference/access-authn-authz/rbac/#discovery-roles
Page 37
• Level 1
Description:
Avoid non-default ClusterRoleBindings and RoleBindings with the group
system:authenticated, except the ClusterRoleBindings system:basic-user,
system:discovery, and system:public-info-viewer.
Google's approach to authentication is to make authenticating to Google Cloud and
GKE as simple and secure as possible without adding complex configuration steps. The
group system:authenticated includes all users with a Google account, which
includes all Gmail accounts. Consider your authorization controls with this extended
group scope when granting permissions. Thus, group system:authenticated is not
recommended for non-default use.
Rationale:
GKE assigns the group system:authenticated to API server requests made by any
user who is signed in with a Google Account, including all Gmail accounts. In practice,
this isn't meaningfully different from system:unauthenticated because anyone can
create a Google Account.
Binding a role to the group system:authenticated gives any user with a Google
Account, including all Gmail accounts, the permissions granted by that role and is
strongly discouraged.
Impact:
Authenticated users in group system:authenticated should be treated similarly to
users in system:unauthenticated, having privileges and permissions associated with
roles associated with the configured bindings.
Care should be taken before removing any non-default clusterrolebindings or
rolebindings from the environment to ensure they were not required for operation of
the cluster. Leverage a more specific and authenticated user for cluster operations.
Audit:
Page 38
Remediation:
Identify all non-default clusterrolebindings and rolebindings to the group
system:authenticated. Check if they are used and review the permissions associated
with the binding using the commands in the Audit section above or refer to GKE
documentation.
Strongly consider replacing non-default, unsafe bindings with an authenticated, user-
defined group. Where possible, bind to non-default, user-defined groups with least-
privilege roles.
If there are any non-default, unsafe bindings to the group system:authenticated,
proceed to delete them after consideration for cluster operations with only necessary,
safer bindings.
Page 39
Default Value:
ClusterRoleBindings with group system:authenticated:
• system:basic-user
• system:discovery
References:
1. https://kubernetes.io/docs/reference/access-authn-authz/rbac/#discovery-roles
Page 40
Page 41
• Level 1
Description:
The Pod Security Standard Baseline profile defines a baseline for container security.
You can enforce this by using the built-in Pod Security Admission controller.
Rationale:
Without an active mechanism to enforce the Pod Security Standard Baseline profile, it is
not possible to limit the use of containers with access to underlying cluster nodes, via
mechanisms like privileged containers, or the use of hostPath volume mounts.
Audit:
Run the following command to list the namespaces that don't have the the baseline
policy enforced.
diff \
<(kubectl get namespace -l pod-security.kubernetes.io/enforce=baseline -o
jsonpath='{range .items[*]}{.metadata.name}{"\n"}') \
<(kubectl get namespace -o jsonpath='{range
.items[*]}{.metadata.name}{"\n"}')
Remediation:
Ensure that Pod Security Admission is in place for every namespace which contains
user workloads.
Run the following command to enforce the Baseline profile in a namespace:
kubectl label namespace <namespace-name> pod-
security.kubernetes.io/enforce=baseline
Default Value:
By default, Pod Security Admission is enabled but no policies are in place.
References:
1. https://kubernetes.io/docs/concepts/security/pod-security-admission
2. https://kubernetes.io/docs/concepts/security/pod-security-standards
3. https://cloud.google.com/kubernetes-engine/docs/concepts/about-security-
posture-dashboard
Page 42
Controls
Control IG 1 IG 2 IG 3
Version
Page 43
Page 44
• Level 2
Description:
Use network policies to isolate traffic in the cluster network.
Rationale:
Running different applications on the same Kubernetes cluster creates a risk of one
compromised application attacking a neighboring application. Network segmentation is
important to ensure that containers can communicate only with those they are supposed
to. A network policy is a specification of how selections of pods are allowed to
communicate with each other and other network endpoints.
Network Policies are namespace scoped. When a network policy is introduced to a
given namespace, all traffic not allowed by the policy is denied. However, if there are no
network policies in a namespace all traffic will be allowed into and out of the pods in that
namespace.
Impact:
Once network policies are in use within a given namespace, traffic not explicitly allowed
by a network policy will be denied. As such it is important to ensure that, when
introducing network policies, legitimate traffic is not blocked.
Audit:
Run the below command and review the NetworkPolicy objects created in the cluster.
kubectl get networkpolicy --all-namespaces
ensure that each namespace defined in the cluster has at least one Network
Policy.
Remediation:
Follow the documentation and create NetworkPolicy objects as needed.
See: https://cloud.google.com/kubernetes-engine/docs/how-to/network-
policy#creating_a_network_policy for more information.
Default Value:
By default, network policies are not created.
Page 45
1. https://cloud.google.com/kubernetes-engine/docs/how-to/network-
policy#creating_a_network_policy
2. https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
3. https://cloud.google.com/kubernetes-engine/docs/concepts/network-overview
CIS Controls:
Controls
Control IG 1 IG 2 IG 3
Version
Page 46
Page 47
• Level 2
Description:
Consider the use of an external secrets storage and management system instead of
using Kubernetes Secrets directly, if more complex secret management is required.
Ensure the solution requires authentication to access secrets, has auditing of access to
and use of secrets, and encrypts secrets. Some solutions also make it easier to rotate
secrets.
Rationale:
Kubernetes supports secrets as first-class objects, but care needs to be taken to ensure
that access to secrets is carefully limited. Using an external secrets provider can ease
the management of access to secrets, especially where secrests are used across both
Kubernetes and non-Kubernetes environments.
Impact:
None
Audit:
Review your secrets management implementation.
Remediation:
Refer to the secrets management options offered by the cloud service provider or a
third-party secrets management solution.
Default Value:
By default, no external secret management is configured.
References:
1. https://kubernetes.io/docs/concepts/configuration/secret/
2. https://cloud.google.com/secret-manager/docs/overview
Page 48
Controls
Control IG 1 IG 2 IG 3
Version
3 Data Protection
v8 Develop processes and technical controls to identify, classify, securely
handle, retain, and dispose of data.
v7 13 Data Protection
Data Protection
Page 49
Page 50
• Level 2
Description:
Configure Image Provenance for the deployment.
Rationale:
Kubernetes supports plugging in provenance rules to accept or reject the images in
deployments. Rules can be configured to ensure that only approved images are
deployed in the cluster.
Impact:
Regular maintenance for the provenance configuration should be carried out, based on
container image updates.
Audit:
Review the pod definitions in the cluster and verify that image provenance is configured
as appropriate.
Remediation:
Follow the Kubernetes documentation and setup image provenance.
Default Value:
By default, image provenance is not set.
References:
1. https://kubernetes.io/docs/concepts/containers/images/
2. https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
Page 51
Controls
Control IG 1 IG 2 IG 3
Version
Page 52
These policies relate to general cluster management topics, like namespace best
practices and policies applied to pod objects in the cluster.
Page 53
• Level 1
Description:
Use namespaces to isolate your Kubernetes objects.
Rationale:
Limiting the scope of user permissions can reduce the impact of mistakes or malicious
activities. A Kubernetes namespace allows you to partition created resources into
logically named groups. Resources created in one namespace can be hidden from
other namespaces. By default, each resource created by a user in Kubernetes cluster
runs in a default namespace, called default. You can create additional namespaces
and attach resources and users to them. You can use Kubernetes Authorization plugins
to create policies that segregate access to namespace resources between different
users.
Impact:
You need to switch between namespaces for administration.
Audit:
Run the below command and review the namespaces created in the cluster.
kubectl get namespaces
Ensure that these namespaces are the ones you need and are adequately administered
as per your requirements.
Remediation:
Follow the documentation and create namespaces for objects in your deployment as
you need them.
Default Value:
By default, Kubernetes starts with two initial namespaces:
Page 54
1. https://kubernetes.io/docs/concepts/overview/working-with-
objects/namespaces/#viewing-namespaces
2. http://blog.kubernetes.io/2016/08/security-best-practices-kubernetes-
deployment.html
3. https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/589-
efficient-node-heartbeats
CIS Controls:
Controls
Control IG 1 IG 2 IG 3
Version
v7 12 Boundary Defense
Boundary Defense
Page 55
• Level 2
Description:
Enable RuntimeDefault seccomp profile in the pod definitions.
Rationale:
Seccomp (secure computing mode) is used to restrict the set of system calls
applications can make, allowing cluster administrators greater control over the security
of workloads running in the cluster. Kubernetes disables seccomp profiles by default for
historical reasons. It should be enabled to ensure that the workloads have restricted
actions available within the container.
Impact:
If the RuntimeDefault seccomp profile is too restrictive for you, you would have to
create/manage your own Localhost seccomp profiles.
Audit:
Review the pod definitions output for all namespaces in the cluster with the command
below.
kubectl get pods --all-namespaces -o json | jq -r '.items[] |
select(.metadata.annotations."seccomp.security.alpha.kubernetes.io/pod" ==
"runtime/default" or .spec.securityContext.seccompProfile.type ==
"RuntimeDefault") | {namespace: .metadata.namespace, name: .metadata.name,
seccompProfile: .spec.securityContext.seccompProfile.type}'
Remediation:
Use security context to enable the RuntimeDefault seccomp profile in your pod
definitions. An example is as below:
{
"namespace": "kube-system",
"name": "metrics-server-v0.7.0-dbcc8ddf6-gz7d4",
"seccompProfile": "RuntimeDefault"
}
Default Value:
By default, seccomp profile is set to unconfined which means that no seccomp profiles
are enabled.
Page 56
1. https://kubernetes.io/docs/tutorials/security/seccomp/
2. https://cloud.google.com/kubernetes-engine/docs/concepts/seccomp-in-gke
CIS Controls:
Controls
Control IG 1 IG 2 IG 3
Version
Page 57
• Level 2
Description:
Apply Security Context to Pods and Containers
Rationale:
A security context defines the operating system security settings (uid, gid, capabilities,
SELinux role, etc..) applied to a container. When designing containers and pods, make
sure that the security context is configured for pods, containers, and volumes. A security
context is a property defined in the deployment yaml. It controls the security parameters
that will be assigned to the pod/container/volume. There are two levels of security
context: pod level security context, and container level security context.
Impact:
If you incorrectly apply security contexts, there may be issues running the pods.
Audit:
Review the pod definitions in the cluster and verify that the security contexts have been
defined as appropriate.
Remediation:
Follow the Kubernetes documentation and apply security contexts to your pods. For a
suggested list of security contexts, you may refer to the CIS Google Container-
Optimized OS Benchmark.
Default Value:
By default, no security contexts are automatically applied to pods.
References:
1. https://kubernetes.io/docs/concepts/workloads/pods/
2. https://kubernetes.io/docs/concepts/containers/
3. https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
4. https://learn.cisecurity.org/benchmarks
Page 58
Controls
Control IG 1 IG 2 IG 3
Version
Page 59
• Level 2
Description:
Kubernetes provides a default namespace, where objects are placed if no namespace
is specified for them. Placing objects in this namespace makes application of RBAC and
other controls more difficult.
Rationale:
Resources in a Kubernetes cluster should be segregated by namespace, to allow for
security controls to be applied at that level and to make it easier to manage resources.
Impact:
None
Audit:
Remediation:
Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
resources and that all new resources are created in a specific namespace.
Default Value:
Page 60
Controls
Control IG 1 IG 2 IG 3
Version
5 Managed services
This section consists of security recommendations for the direct configuration of GKE
AutoPilot managed service components, namely, Google Kubernetes Engine (GKE)
AutoPilot mode. These recommendations are directly applicable for features which exist
only as part of a managed service.
Page 61
Page 62
• Level 2
Description:
Note: GCR is now deprecated, being superseded by Artifact Registry starting 15th May
2024. Runtime Vulnerability scanning is available via GKE Security Posture
Scan images stored in Google Container Registry (GCR) or Artifact Registry (AR) for
vulnerabilities.
Rationale:
Vulnerabilities in software packages can be exploited by malicious users to obtain
unauthorized access to local cloud resources. GCR Container Analysis API or Artifact
Registry Container Scanning API allow images stored in GCR or AR respectively to be
scanned for known vulnerabilities.
Impact:
None.
Audit:
Page 63
1. Go to AR by visiting https://console.cloud.google.com/artifacts
2. Select Settings and check if Vulnerability scanning is Enabled.
Ensure that Container Scanning API and Artifact Registry API are listed in the
output.
Remediation:
Page 64
Default Value:
1. https://cloud.google.com/artifact-registry/docs/analysis
2. https://cloud.google.com/artifact-analysis/docs/os-overview
3. https://console.cloud.google.com/marketplace/product/google/containerregistry.g
oogleapis.com
4. https://cloud.google.com/kubernetes-engine/docs/concepts/about-configuration-
scanning
5. https://containersecurity.googleapis.com
CIS Controls:
Controls
Control IG 1 IG 2 IG 3
Version
Page 65
• Level 2
Description:
Note: GCR is now deprecated, see the references for more details.
Restrict user access to GCR or AR, limiting interaction with build images to only
authorized personnel and service accounts.
Rationale:
Weak access control to GCR or AR may allow malicious users to replace built images
with vulnerable or back-doored containers.
Impact:
Care should be taken not to remove access to GCR or AR for accounts that require this
for their operation. Any account granted the Storage Object Viewer role at the project
level can view all objects stored in GCS for the project.
Audit:
Users may have permissions to use Service Accounts and thus Users could inherit
privileges on the AR repositories. To check the accounts that could do this:
Note that other privileged project level roles will have the ability to write and modify AR
repositories. Consult the GCP CIS benchmark and IAM documentation for further
reference.
Using Command Line:
Page 66
The output of the command will return roles associated with the AR repository and
which members have those roles.
Users may have permissions to use Service Accounts and thus Users could inherit
privileges on the GCR Bucket. To check the accounts that could do this:
Note that other privileged project level roles will have the ability to write and modify
objects and the GCR bucket. Consult the GCP CIS benchmark and IAM documentation
for further reference.
Using Command Line:
To check GCR bucket specific permissions
gsutil iam get gs://artifacts.<project_id>.appspot.com
The output of the command will return roles associated with the GCR bucket and which
members have those roles.
Additionally, run the following to identify users and service accounts that hold privileged
roles at the project level, and thus inherit these privileges within the GCR bucket:
Page 67
Page 68
For a User or Service account with Project level permissions inherited by the GCR
bucket, or the Service Account User Role:
Then remove the excessively privileged role (Storage Admin / Storage Object
Admin / Storage Object Creator) using:
gsutil iam ch -d <type>:<email_address>:<role>
gs://artifacts.<project_id>.appspot.com
where:
•
<type> can be one of the following:
o user, if the <email_address> is a Google account.
o serviceAccount, if <email_address> specifies a Service account.
o <email_address> can be one of the following:
▪ a Google account (for example, [email protected]).
▪ a Cloud IAM service account.
To modify roles defined at the project level and subsequently inherited within the GCR
bucket, or the Service Account User role, extract the IAM policy file, modify it
accordingly and apply it using:
Page 69
Default Value:
By default, GCR is disabled and access controls are set during initialisation.
References:
1. https://cloud.google.com/container-registry/docs/
2. https://cloud.google.com/kubernetes-engine/docs/how-to/service-accounts
3. https://cloud.google.com/kubernetes-engine/docs/how-to/iam
4. https://cloud.google.com/artifact-registry/docs/access-control#grant
CIS Controls:
Controls
Control IG 1 IG 2 IG 3
Version
Page 70
• Level 2
Description:
Note: GCR is now deprecated, see the references for more details.
Configure the Cluster Service Account with Artifact Registry Viewer Role to only allow
read-only access to AR repositories. Configure the Cluster Service Account with
Storage Object Viewer Role to only allow read-only access to GCR.
Rationale:
The Cluster Service Account does not require administrative access to GCR or AR, only
requiring pull access to containers to deploy onto GKE. Restricting permissions follows
the principles of least privilege and prevents credentials from being abused beyond the
required role.
Impact:
A separate dedicated service account may be required for use by build servers and
other robot users pushing or managing container images.
Any account granted the Storage Object Viewer role at the project level can view all
objects stored in GCS for the project.
Audit:
The output of the command will return roles associated with the AR repository. If listed,
ensure the GKE Service account is set to "role":
"roles/artifactregistry.reader".
Page 71
Your GKE Service Account should not be output when this command is run.
Remediation:
Page 72
For an account that inherits access to the bucket through Project level permissions:
•
<type> can be one of the following:
o user, if the <email_address> is a Google account.
o serviceAccount, if <email_address> specifies a Service account.
Page 73
Then remove the excessively privileged role (Storage Admin / Storage Object
Admin / Storage Object Creator) using:
gsutil iam ch -d <type>:<email_address>:<role>
gs://artifacts.<project_id>.appspot.com
For an account that inherits access to the GCR Bucket through Project level
permissions, modify the Projects IAM policy file accordingly, then upload it using:
gcloud projects set-iam-policy <project_id> <policy_file>
Default Value:
The default permissions for the cluster Service account is dependent on the initial
configuration and IAM policy.
References:
1. https://cloud.google.com/container-registry/docs/
2. https://cloud.google.com/kubernetes-engine/docs/how-to/service-accounts
3. https://cloud.google.com/kubernetes-engine/docs/how-to/iam
CIS Controls:
Controls
Control IG 1 IG 2 IG 3
Version
Page 74
• Level 2
Description:
Use Binary Authorization to allowlist (whitelist) only approved container registries.
Rationale:
Allowing unrestricted access to external container registries provides the opportunity for
malicious or unapproved containers to be deployed into the cluster. Ensuring only
trusted container images are used reduces this risk.
Also see recommendation 5.10.4.
Impact:
All container images to be deployed to the cluster must be hosted within an approved
container image registry. If public registries are not on the allowlist, a process for
bringing commonly used container images into an approved private registry and
keeping them up to date will be required.
Audit:
Using Google Cloud Console:
Check that Binary Authorization is enabled for the GKE cluster:
Page 75
Remediation:
Using Google Cloud Console:
Create a Binary Authorization Policy using the Binary Authorization Policy Reference:
https://cloud.google.com/binary-authorization/docs/policy-yaml-reference for guidance.
Import the policy file into Binary Authorization:
gcloud container binauthz policy import <yaml_policy>
Default Value:
By default, Binary Authorization is disabled along with container registry allowlisting.
Page 76
1. https://cloud.google.com/binary-authorization/docs/policy-yaml-reference
2. https://cloud.google.com/binary-authorization/docs/setting-up
CIS Controls:
Controls
Control IG 1 IG 2 IG 3
Version
Page 77
This section contains recommendations relating to using Cloud IAM with GKE.
Page 78
• Level 2
Description:
Create and use minimally privileged Service accounts to run GKE clusters instead of
using the Compute Engine default Service account. Unnecessary permissions could be
abused in the case of a node compromise.
Rationale:
A GCP service account (as distinct from a Kubernetes ServiceAccount) is an identity
that an instance or an application can be used to run GCP API requests. This identity is
used to identify virtual machine instances to other Google Cloud Platform services. By
default, Kubernetes Engine nodes use the Compute Engine default service account.
This account has broad access by default, as defined by access scopes, making it
useful to a wide variety of applications on the VM, but it has more permissions than are
required to run your Kubernetes Engine cluster.
A minimally privileged service account should be created and used to run the
Kubernetes Engine cluster instead of using the Compute Engine default service
account, and create separate service accounts for each Kubernetes Workload (See
recommendation 5.2.2).
Kubernetes Engine requires, at a minimum, the node service account to have the
monitoring.viewer, monitoring.metricWriter, and logging.logWriter roles.
Additional roles may need to be added for the nodes to pull images from GCR.
Impact:
Instances are automatically granted the https://www.googleapis.com/auth/cloud-
platform scope to allow full access to all Google Cloud APIs. This is so that the IAM
permissions of the instance are completely determined by the IAM roles of the Service
account. Thus if Kubernetes workloads were using cluster access scopes to perform
actions using Google APIs, they may no longer be able to, if not permitted by the
permissions of the Service account. To remediate, follow recommendation 5.2.2.
The Service account roles listed here are the minimum required to run the cluster.
Additional roles may be required to pull from a private instance of Google Container
Registry (GCR).
Audit:
Using Google Cloud Console:
Page 79
To check the permissions allocated to the service account are the minimum required for
cluster operation:
• Logs Writer
• Monitoring Metric Writer
• Monitoring Viewer
The output of the above command will return default if default Service account is used
for Project access.
To check that the permissions allocated to the service account are the minimum
required for cluster operation:
gcloud projects get-iam-policy <project_id> \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:<service_account>"
Review the output to ensure that the service account only has the roles required to run
the cluster:
• roles/logging.logWriter
• roles/monitoring.metricWriter
• roles/monitoring.viewer
Remediation:
Using Google Cloud Console:
To create a minimally privileged service account:
Page 80
Note: A new cluster will need to be created specifying the minimally privileged service
account, and workloads will need to be migrated to the new cluster and the old cluster
deleted.
Using Command Line:
To create a minimally privileged service account:
gcloud iam service-accounts create <node_sa_name> --display-name "GKE Node
Service Account"
export NODE_SA_EMAIL=gcloud iam service-accounts list --format='value(email)'
--filter='displayName:GKE Node Service Account'
Default Value:
By default, nodes use the Compute Engine default service account when you create a
new cluster.
References:
1. https://cloud.google.com/compute/docs/access/service-
accounts#compute_engine_default_service_account
Page 81
Controls
Control IG 1 IG 2 IG 3
Version
Page 82
This section contains recommendations relating to using Cloud KMS with GKE.
Page 83
• Level 2
Description:
Encrypt Kubernetes secrets, stored in etcd, at the application-layer using a customer-
managed key in Cloud KMS.
Rationale:
By default, GKE encrypts customer content stored at rest, including Secrets. GKE
handles and manages this default encryption for you without any additional action on
your part.
Application-layer Secrets Encryption provides an additional layer of security for sensitive
data, such as user defined Secrets and Secrets required for the operation of the cluster,
such as service account keys, which are all stored in etcd.
Using this functionality, you can use a key, that you manage in Cloud KMS, to encrypt
data at the application layer. This protects against attackers in the event that they
manage to gain access to etcd.
Impact:
To use the Cloud KMS CryptoKey to protect etcd in the cluster, the 'Kubernetes Engine
Service Agent' Service account must hold the 'Cloud KMS CryptoKey
Encrypter/Decrypter' role.
Audit:
Using Google Cloud Console:
If configured correctly, the output from the command returns a response containing the
following detail:
Page 84
{
"currentState": "CURRENT_STATE_ENCRYPTED",
"keyName": "projects/<key_project_id>/locations/us-
central1/keyRings/<ring_name>/cryptoKeys/<key_name>",
"state": "ENCRYPTED"
}
Remediation:
To enable Application-layer Secrets Encryption, several configuration items are
required. These include:
• A key ring
• A key
• A GKE service account with Cloud KMS CryptoKey Encrypter/Decrypter
role
Page 85
Create a key:
gcloud kms keys create <key_name> --location <location> --keyring <ring_name>
--purpose encryption --project <key_project_id>
Grant the Kubernetes Engine Service Agent service account the Cloud KMS
CryptoKey Encrypter/Decrypter role:
gcloud kms keys add-iam-policy-binding <key_name> --location <location> --
keyring <ring_name> --member serviceAccount:<service_account_name> --role
roles/cloudkms.cryptoKeyEncrypterDecrypter --project <key_project_id>
To create a new cluster with Application-layer Secrets Encryption:
gcloud container clusters create <cluster_name> --cluster-version=latest --
zone <zone> --database-encryption-key
projects/<key_project_id>/locations/<location>/keyRings/<ring_name>/cryptoKey
s/<key_name> --project <cluster_project_id>
Default Value:
By default, Application-layer Secrets Encryption is disabled.
References:
1. https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets
Page 86
Controls
Control IG 1 IG 2 IG 3
Version
Page 87
Page 88
• Level 1
Description:
Enable VPC Flow Logs and Intranode Visibility to see pod-level traffic, even for traffic
within a worker node.
Rationale:
Enabling Intranode Visibility makes intranode pod to pod traffic visible to the networking
fabric. With this feature, VPC Flow Logs or other VPC features can be used for
intranode traffic.
Impact:
Enabling it on existing cluster causes the cluster master and the cluster nodes to restart,
which might cause disruption.
Audit:
Using Google Cloud Console:
Remediation:
Enable Intranode Visibility:
Using Google Cloud Console:
Page 89
Default Value:
By default, Intranode Visibility is disabled.
References:
1. https://cloud.google.com/kubernetes-engine/docs/how-to/intranode-visibility
2. https://cloud.google.com/vpc/docs/using-flow-logs
Page 90
Controls
Control IG 1 IG 2 IG 3
Version
Page 91
• Level 2
Description:
Enable Control Plane Authorized Networks to restrict access to the cluster's control
plane to only an allowlist of authorized IPs.
Rationale:
Authorized networks are a way of specifying a restricted range of IP addresses that are
permitted to access your cluster's control plane. Kubernetes Engine uses both
Transport Layer Security (TLS) and authentication to provide secure access to your
cluster's control plane from the public internet. This provides you the flexibility to
administer your cluster from anywhere; however, you might want to further restrict
access to a set of IP addresses that you control. You can set this restriction by
specifying an authorized network.
Control Plane Authorized Networks blocks untrusted IP addresses. Google Cloud
Platform IPs (such as traffic from Compute Engine VMs) can reach your master through
HTTPS provided that they have the necessary Kubernetes credentials.
Restricting access to an authorized network can provide additional security benefits for
your container cluster, including:
Impact:
When implementing Control Plane Authorized Networks, be careful to ensure all desired
networks are on the allowlist to prevent inadvertently blocking external access to your
cluster's control plane.
Audit:
Using Google Cloud Console:
Page 92
Remediation:
Using Google Cloud Console:
Along with this, you can list authorized networks using the --master-authorized-
networks flag which contains a list of up to 20 external networks that are allowed to
connect to your cluster's control plane through HTTPS. You provide these networks as
a comma-separated list of addresses in CIDR notation (such as 90.90.100.0/24).
Default Value:
By default, Control Plane Authorized Networks is disabled.
Page 93
1. https://cloud.google.com/kubernetes-engine/docs/how-to/authorized-networks
CIS Controls:
Controls
Control IG 1 IG 2 IG 3
Version
Page 94
• Level 2
Description:
Disable access to the Kubernetes API from outside the node network if it is not required.
Rationale:
In a private cluster, the master node has two endpoints, a private and public endpoint.
The private endpoint is the internal IP address of the master, behind an internal load
balancer in the master's VPC network. Nodes communicate with the master using the
private endpoint. The public endpoint enables the Kubernetes API to be accessed from
outside the master's VPC network.
Although Kubernetes API requires an authorized token to perform sensitive actions, a
vulnerability could potentially expose the Kubernetes publically with unrestricted access.
Additionally, an attacker may be able to identify the current cluster and Kubernetes API
version and determine whether it is vulnerable to an attack. Unless required, disabling
public endpoint will help prevent such threats, and require the attacker to be on the
master's VPC network to perform any attack on the Kubernetes API.
Impact:
To enable a Private Endpoint, the cluster has to also be configured with private nodes, a
private master IP range and IP aliasing enabled.
If the Private Endpoint flag --enable-private-endpoint is passed to the gcloud CLI,
or the external IP address undefined in the Google Cloud Console during cluster
creation, then all access from a public IP address is prohibited.
Audit:
Page 95
The output of the above command returns true if a Private Endpoint is enabled with
Public Access disabled.
Remediation:
Once a cluster is created without enabling Private Endpoint only, it cannot be
remediated. Rather, the cluster must be recreated.
Using Google Cloud Console:
Default Value:
By default, the Private Endpoint is disabled.
References:
1. https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters
CIS Controls:
Controls
Control IG 1 IG 2 IG 3
Version
Page 96
v7 12 Boundary Defense
Boundary Defense
Page 97
• Level 2
Description:
Private Nodes are nodes with no public IP addresses. Disable public IP addresses for
cluster nodes, so that they only have private IP addresses.
Rationale:
Disabling public IP addresses on cluster nodes restricts access to only internal
networks, forcing attackers to obtain local network access before attempting to
compromise the underlying Kubernetes hosts.
Impact:
To enable Private Nodes, the cluster has to also be configured with a private master IP
range and IP Aliasing enabled.
Private Nodes do not have outbound access to the public internet. If you want to provide
outbound Internet access for your private nodes, you can use Cloud NAT or you can
manage your own NAT gateway.
To access Google Cloud APIs and services from private nodes, Private Google Access
needs to be set on Kubernetes Engine Cluster Subnets.
Audit:
Using Google Cloud Console:
The output of the above command returns true if Private Nodes is enabled.
Remediation:
Page 98
Default Value:
By default, Private Nodes are disabled.
References:
1. https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters
CIS Controls:
Controls
Control IG 1 IG 2 IG 3
Version
v7 12 Boundary Defense
Boundary Defense
Page 99
• Level 2
Description:
Encrypt traffic to HTTPS load balancers using Google-managed SSL certificates.
Rationale:
Encrypting traffic between users and the Kubernetes workload is fundamental to
protecting data sent over the web.
Google-managed SSL Certificates are provisioned, renewed, and managed for domain
names. This is only available for HTTPS load balancers created using Ingress
Resources, and not TCP/UDP load balancers created using Service of
type:LoadBalancer.
Impact:
Google-managed SSL Certificates are less flexible than certificates that are self
obtained and managed. Managed certificates support a single, non-wildcard domain.
Self-managed certificates can support wildcards and multiple subject alternative names
(SANs).
Audit:
Using Command Line:
Identify if there are any workloads exposed publicly using Services of
type:LoadBalancer:
kubectl get svc -A -o json | jq '.items[] |
select(.spec.type=="LoadBalancer")'
Consider using ingresses instead of these services in order to use Google managed
SSL certificates.
For the ingresses within the cluster, run the following command:
kubectl get ingress -A -o json | jq .items[] | jq '{name: .metadata.name,
annotations: .metadata.annotations, namespace: .metadata.namespace, status:
.status}'
The above command should return the name of the ingress, namespace, annotations
and status. Check that the following annotation is present to ensure managed
certificates are referenced.
Page 100
Remediation:
If services of type:LoadBalancer are discovered, consider replacing the Service with
an Ingress.
To configure the Ingress and use Google-managed SSL certificates, follow the
instructions as listed at: https://cloud.google.com/kubernetes-engine/docs/how-
to/managed-certs.
Default Value:
By default, Google-managed SSL Certificates are not created when an Ingress resource
is defined.
References:
1. https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs
2. https://cloud.google.com/kubernetes-engine/docs/concepts/ingress
CIS Controls:
Controls
Control IG 1 IG 2 IG 3
Version
Page 101
Page 102
• Level 2
Description:
Cluster Administrators should leverage G Suite Groups and Cloud IAM to assign
Kubernetes user roles to a collection of users, instead of to individual emails using only
Cloud IAM.
Rationale:
On- and off-boarding users is often difficult to automate and prone to error. Using a
single source of truth for user permissions via G Suite Groups reduces the number of
locations that an individual must be off-boarded from, and prevents users gaining
unique permissions sets that increase the cost of audit.
Impact:
When migrating to using security groups, an audit of RoleBindings and
ClusterRoleBindings is required to ensure all users of the cluster are managed using
the new groups and not individually.
When managing RoleBindings and ClusterRoleBindings, be wary of inadvertently
removing bindings required by service accounts.
Audit:
Using G Suite Admin Console and Google Cloud Console
Page 103
1. https://cloud.google.com/kubernetes-engine/docs/how-to/google-groups-rbac
2. https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-
control
CIS Controls:
Controls
Control IG 1 IG 2 IG 3
Version
Page 104
Page 105
• Level 2
Description:
Use Customer-Managed Encryption Keys (CMEK) to encrypt dynamically-provisioned
attached Google Compute Engine Persistent Disks (PDs) using keys managed within
Cloud Key Management Service (Cloud KMS).
Rationale:
GCE persistent disks are encrypted at rest by default using envelope encryption with
keys managed by Google. For additional protection, users can manage the Key
Encryption Keys using Cloud KMS.
Impact:
Encryption of dynamically-provisioned attached disks requires the use of the self-
provisioned Compute Engine Persistent Disk CSI Driver v0.5.1 or higher.
If CMEK is being configured with a regional cluster, the cluster must run GKE 1.14 or
higher.
Audit:
Using Google Cloud Console:
Page 106
Default Value:
Persistent disks are encrypted at rest by default, but are not encrypted using Customer-
Managed Encryption Keys by default. By default, the Compute Engine Persistent Disk
CSI Driver is not provisioned within the cluster.
References:
1. https://cloud.google.com/kubernetes-engine/docs/how-to/using-cmek
2. https://cloud.google.com/compute/docs/disks/customer-managed-encryption
3. https://cloud.google.com/security/encryption-at-rest/default-encryption/
4. https://cloud.google.com/kubernetes-engine/docs/concepts/persistent-volumes
5. https://cloud.google.com/sdk/gcloud/reference/container/node-pools/create
CIS Controls:
Controls
Control IG 1 IG 2 IG 3
Version
Page 107
Page 108
• Level 2
Description:
Rationale:
The security posture dashboard provides insights about your workload security posture
at the runtime phase of the software delivery life-cycle.
Impact:
GKE security posture configuration auditing checks your workloads against a set of
defined best practices. Each configuration check has its own impact or risk. Learn more
about the checks: https://cloud.google.com/kubernetes-engine/docs/concepts/about-
configuration-scanning
Example: The host namespace check identifies pods that share host namespaces.
Pods that share host namespaces allow Pod processes to communicate with host
processes and gather host information, which could lead to a container escape
Audit:
Check the SecurityPostureConfig on your cluster:
gcloud container clusters --location describe
securityPostureConfig: mode: BASIC
Remediation:
Enable security posture via the UI, gCloud or API. https://cloud.google.com/kubernetes-
engine/docs/how-to/protect-workload-configuration
Default Value:
GKE security posture has multiple features. Not all are on by default. Configuration
auditing is enabled by default for new standard and autopilot clusters.
securityPostureConfig: mode: BASIC
References:
1. https://cloud.google.com/kubernetes-engine/docs/concepts/about-security-
posture-dashboard
Page 109
Controls
Control IG 1 IG 2 IG 3
Version
Page 110
Yes No
3 Worker Nodes
4 Policies
Page 111
Yes No
5 Managed services
Page 112
Yes No
5.2.1 Ensure GKE clusters are not running using the Compute
Engine default service account (Automated)
5.6 Storage
Page 113
Yes No
Page 114
Page 115
Page 116
Page 117
Page 118
Page 119
Page 120
Page 121
Page 122
Page 123
Page 124
Page 125
Page 126