Note: Policies in this directory are kept for older tool versions. New development should be done in the gke-policies-v2 folder.
Name | Group | Description | CIS Benchmark |
---|---|---|---|
Control Plane redundancy | Availability | GKE cluster should be regional for maximum availability of control plane during upgrades and zonal outages | |
Multi-zone node pools | Availability | GKE node pools should be regional (multiple zones) for maximum nodes availability during zonal outages | |
Use Node Auto-Repair | Availability | GKE node pools should have Node Auto-Repair enabled so that Kubernetes Engine automatically repairs nodes that fail health checks | CIS GKE 1.4: 5.5.2 |
Cloud Monitoring and Logging | Maintenance | GKE cluster should use Cloud Logging and Monitoring | CIS GKE 1.4: 5.7.1 |
Enable binary authorization in the cluster | Management | GKE cluster should enable Binary Authorization, a deploy-time security control that ensures only trusted container images are deployed, to gain tighter control over the container environment. | CIS GKE 1.4: 5.10.5 |
GKE Autopilot mode | Management | GKE Autopilot mode is the recommended way to operate a GKE cluster | |
GKE VPC-native cluster | Management | GKE cluster node pools should be VPC-native (alias IP ranges) as per best practices | CIS GKE 1.4: 5.6.2 |
Receive updates about new GKE versions | Management | GKE cluster should proactively receive notifications about GKE upgrades and new GKE versions | |
Schedule maintenance windows and exclusions | Management | GKE cluster should schedule maintenance windows and exclusions to improve upgrade predictability and to align updates with off-peak business hours. | |
Use Compute Engine persistent disk CSI driver | Management | Automatic deployment and management of the Compute Engine persistent disk CSI driver. The driver provides support for features like customer managed encryption keys or volume snapshots. | |
Version skew between node pools and control plane | Management | Difference between cluster control plane version and node pools version should be no more than 2 minor versions. | |
GKE ConfigMaps Limit | Scalability | The number of ConfigMaps in the cluster should stay below the GKE limit | |
GKE HPAs Limit | Scalability | The number of HorizontalPodAutoscalers (HPAs) in the cluster should stay below the GKE limit | |
GKE L4 ILB Subsetting | Scalability | GKE cluster should use L4 ILB Subsetting if it has more than 250 nodes | |
GKE Unused HPAs Limit | Scalability | The number of unused HorizontalPodAutoscalers (HPAs) in the cluster should stay within the limit | |
GKE node local DNS cache | Scalability | GKE cluster should use node local DNS cache | |
Use node pool autoscaling | Scalability | GKE node pools should have autoscaling configured to properly resize the number of nodes according to demand | |
Control Plane endpoint access | Security | Control Plane endpoint access should be limited to authorized networks only | CIS GKE 1.4: 5.6.3 |
Control Plane endpoint visibility | Security | Control Plane endpoint should be locked from external access | CIS GKE 1.4: 5.6.4 |
Control plane user basic authentication | Security | Disable Basic Authentication (basic auth) for API server authentication as it uses static passwords which need to be rotated. | CIS GKE 1.4: 5.8.1 |
Control plane user certificate authentication | Security | Disable Client Certificates, which require certificate rotation, for authentication. Instead, use another authentication method like OpenID Connect. | CIS GKE 1.4: 5.8.2 |
Enable Customer-Managed Encryption Keys for persistent disks | Security | Use Customer-Managed Encryption Keys (CMEK) to encrypt node boot and dynamically-provisioned attached Google Compute Engine Persistent Disks (PDs) using keys managed within Cloud Key Management Service (Cloud KMS). | CIS GKE 1.4: 5.9.1 |
Enable Security Posture dashboard | Security | The Security Posture feature enables scanning of clusters and running workloads against standards and industry best practices. The dashboard displays the scan results and provides actionable recommendations for concerns. | |
Enable Workload vulnerability scanning | Security | Workload vulnerability scanning is a set of capabilities in the security posture dashboard that automatically scans for known vulnerabilities in your container images and in specific language packages during the runtime phase of the software delivery lifecycle. | |
Enrollment in Release Channels | Security | GKE cluster should be enrolled in release channels | CIS GKE 1.4: 5.5.4 |
Ensure that node pool locations within Node Auto-Provisioning are covering more than one zone (or not enforced at all) | Security | Node Auto-Provisioning configuration should cover more than one zone | |
Ensure that nodes in Node Auto-Provisioning node pools will use Container-Optimized OS | Security | Nodes in Node Auto-Provisioning should use Container-Optimized OS | CIS GKE 1.4: 5.5.1 |
Ensure that nodes in Node Auto-Provisioning node pools will use integrity monitoring | Security | Nodes in Node Auto-Provisioning should use integrity monitoring | CIS GKE 1.4: 5.5.6 |
Forbid default Service Accounts in Node Auto-Provisioning | Security | Node Auto-Provisioning configuration should not allow default Service Accounts | CIS GKE 1.4: 5.2.1 |
Forbid default compute SA on node_pool | Security | GKE node pools should use a dedicated service account with a restricted set of permissions instead of the default Compute Engine service account | CIS GKE 1.4: 5.2.1 |
GKE Network Policies engine | Security | GKE cluster should have Network Policies or Dataplane V2 enabled | CIS GKE 1.4: 5.6.7 |
GKE RBAC authorization | Security | GKE cluster should use RBAC instead of legacy ABAC authorization | CIS GKE 1.4: 5.8.4 |
GKE Shielded Nodes | Security | GKE cluster should use shielded nodes | CIS GKE 1.4: 5.5.5 |
GKE Workload Identity | Security | GKE cluster should have Workload Identity enabled | CIS GKE 1.4: 5.2.2 |
GKE intranode visibility | Security | GKE cluster should have intranode visibility enabled | CIS GKE 1.4: 5.6.1 |
GKE private cluster | Security | GKE cluster should be private to ensure network isolation | CIS GKE 1.4: 5.6.5 |
Integrity monitoring on the nodes | Security | GKE node pools should have integrity monitoring enabled to detect changes to the VM boot measurements | CIS GKE 1.4: 5.5.6 |
Kubernetes secrets encryption | Security | GKE cluster should encrypt Kubernetes application Secrets at the application layer using keys managed in Cloud KMS | CIS GKE 1.4: 5.3.1 |
Secure boot on the nodes | Security | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails | CIS GKE 1.4: 5.5.7 |
Use Container-Optimized OS | Security | GKE node pools should use Container-Optimized OS, which is maintained by Google and optimized for running containers securely and efficiently. | CIS GKE 1.4: 5.5.1 |
Use Node Auto-Upgrade | Security | GKE node pools should have Node Auto-Upgrade enabled so that Kubernetes Engine keeps nodes on a supported, patched version | CIS GKE 1.4: 5.5.3 |
Use RBAC Google group | Security | GKE cluster should have Google Groups for RBAC enabled | CIS GKE 1.4: 5.8.3 |
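To make concrete what the table's cluster- and node-pool-scoped checks look at, the following is an added Python example (not the project's own policy code) that evaluates a subset of the policies above against a cluster description in the shape returned by `gcloud container clusters describe NAME --format=json`. Field names follow the GKE v1 API Cluster resource; the sample cluster, its project, versions and values are constructed for the example, and the policy names, check logic and `evaluate` function are this example's own.

```python
"""Evaluate a GKE cluster description against a subset of the policies in the table above."""
import re

# Constructed sample in the shape of `gcloud container clusters describe --format=json`:
# a zonal, mostly-default cluster that fails several policies on purpose.
SAMPLE_CLUSTER = {
    "name": "demo",
    "location": "us-central1-a",
    "currentMasterVersion": "1.29.4-gke.1043002",
    "releaseChannel": {"channel": "REGULAR"},
    "masterAuthorizedNetworksConfig": {"enabled": False},
    "privateClusterConfig": {"enablePrivateNodes": False, "enablePrivateEndpoint": False},
    "legacyAbac": {"enabled": False},
    "shieldedNodes": {"enabled": True},
    "workloadIdentityConfig": {"workloadPool": "demo-project.svc.id.goog"},
    "networkPolicy": {"enabled": False},
    "networkConfig": {"datapathProvider": "LEGACY_DATAPATH", "enableIntraNodeVisibility": False},
    "databaseEncryption": {"state": "DECRYPTED"},
    "binaryAuthorization": {"evaluationMode": "DISABLED"},
    "authenticatorGroupsConfig": {"enabled": False},
    "loggingService": "logging.googleapis.com/kubernetes",
    "monitoringService": "monitoring.googleapis.com/kubernetes",
    "nodePools": [{
        "name": "default-pool",
        "version": "1.26.15-gke.1090000",  # three minors behind the control plane
        "locations": ["us-central1-a"],
        "management": {"autoRepair": True, "autoUpgrade": False},
        "autoscaling": {"enabled": False},
        "config": {
            "imageType": "COS_CONTAINERD",
            "serviceAccount": "default",
            "shieldedInstanceConfig": {"enableSecureBoot": False, "enableIntegrityMonitoring": True},
        },
    }],
}

REGION_RE = re.compile(r"^[a-z]+-[a-z]+\d+$")  # "us-central1" is a region; zones add "-a"


def minor(version: str) -> int:
    """Kubernetes minor version from a GKE version string such as 1.29.4-gke.1043002."""
    return int(version.split(".")[1])


def check_cluster(c: dict) -> dict:
    """Cluster-scoped checks; True means the policy is satisfied."""
    net, binauthz, pcc = c.get("networkConfig", {}), c.get("binaryAuthorization", {}), c.get("privateClusterConfig", {})
    return {
        "Control Plane redundancy": bool(REGION_RE.match(c.get("location", ""))),
        "Enrollment in Release Channels": c.get("releaseChannel", {}).get("channel") in ("RAPID", "REGULAR", "STABLE"),
        "Control Plane endpoint access": c.get("masterAuthorizedNetworksConfig", {}).get("enabled", False),
        "Control Plane endpoint visibility": pcc.get("enablePrivateEndpoint", False),
        "GKE private cluster": pcc.get("enablePrivateNodes", False),
        "GKE RBAC authorization": not c.get("legacyAbac", {}).get("enabled", False),
        "GKE Shielded Nodes": c.get("shieldedNodes", {}).get("enabled", False),
        "GKE Workload Identity": bool(c.get("workloadIdentityConfig", {}).get("workloadPool")),
        "GKE Network Policies engine": c.get("networkPolicy", {}).get("enabled", False)
        or net.get("datapathProvider") == "ADVANCED_DATAPATH",
        "GKE intranode visibility": net.get("enableIntraNodeVisibility", False),
        "Kubernetes secrets encryption": c.get("databaseEncryption", {}).get("state") == "ENCRYPTED",
        # Newer API exposes evaluationMode; the older boolean `enabled` is accepted too.
        "Enable binary authorization in the cluster": binauthz.get("evaluationMode") == "PROJECT_SINGLETON_POLICY_ENFORCE"
        or binauthz.get("enabled", False),
        "Use RBAC Google group": c.get("authenticatorGroupsConfig", {}).get("enabled", False),
        "Cloud Monitoring and Logging": c.get("loggingService") == "logging.googleapis.com/kubernetes"
        and c.get("monitoringService") == "monitoring.googleapis.com/kubernetes",
    }


def check_node_pool(c: dict, pool: dict) -> dict:
    """Node-pool-scoped checks; True means the policy is satisfied for this pool."""
    cfg = pool.get("config", {})
    shielded, mgmt = cfg.get("shieldedInstanceConfig", {}), pool.get("management", {})
    return {
        "Multi-zone node pools": len(pool.get("locations", [])) > 1,
        "Use Node Auto-Repair": mgmt.get("autoRepair", False),
        "Use Node Auto-Upgrade": mgmt.get("autoUpgrade", False),
        "Use node pool autoscaling": pool.get("autoscaling", {}).get("enabled", False),
        "Use Container-Optimized OS": cfg.get("imageType", "").startswith("COS"),
        "Forbid default compute SA on node_pool": cfg.get("serviceAccount", "default") != "default",
        "Secure boot on the nodes": shielded.get("enableSecureBoot", False),
        "Integrity monitoring on the nodes": shielded.get("enableIntegrityMonitoring", False),
        "Version skew between node pools and control plane": minor(c["currentMasterVersion"]) - minor(pool["version"]) <= 2,
    }


def evaluate(c: dict) -> dict:
    """Map each policy name to the list of failing scopes (cluster or pool names); empty list = compliant."""
    failures = {}
    for name, ok in check_cluster(c).items():
        failures[name] = [] if ok else [c.get("name", "cluster")]
    for pool in c.get("nodePools", []):
        for name, ok in check_node_pool(c, pool).items():
            failures.setdefault(name, [])
            if not ok:
                failures[name].append(pool["name"])
    return failures


if __name__ == "__main__":
    for name, failing in sorted(evaluate(SAMPLE_CLUSTER).items()):
        print(f"{'FAIL' if failing else 'PASS'}  {name}" + (f"  ({', '.join(failing)})" if failing else ""))
```

Running the block prints one PASS/FAIL line per policy; replacing `SAMPLE_CLUSTER` with the parsed output of `gcloud container clusters describe` evaluates a real cluster. Missing keys default to the failing value, which is the conservative choice: a feature the API does not report as enabled is treated as disabled rather than assumed present.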