GCP GKE
About
Monitor your GCP Kubernetes configuration for best practices.
Security
Dashboard Disabled
Ensures all Kubernetes clusters have the web dashboard disabled. It is recommended to disable the web dashboard because it is backed by a highly privileged service account.
Private Endpoint
Ensures the private endpoint setting is enabled for Kubernetes clusters. With a private endpoint, the control plane is reachable only at an internal IP address inside the VPC, so traffic between worker nodes and the control plane, and administrative kubectl access, never traverses the public internet.
Private Cluster Enabled
Ensures private cluster is enabled for all Kubernetes clusters. Nodes in a private cluster have only internal IP addresses, which isolates workloads from the public internet; any outbound access the nodes need (for example, pulling images from a public registry) must go through Cloud NAT or a proxy.
Pod Security Policy Enabled
Ensures pod security policy is enabled for all Kubernetes clusters. A Kubernetes pod security policy is a resource that controls security-sensitive aspects of the pod specification (privileged mode, host namespaces, volume types, running as root). Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; on clusters running those versions the equivalent control is Pod Security Admission.
Network Policy Enabled
Ensures all Kubernetes clusters have network policy enabled. Kubernetes NetworkPolicy enforces isolation between cluster pods so that only explicitly allowed connections are permitted; without it, every pod can reach every other pod in the cluster.
Monitoring Enabled
Ensures all Kubernetes clusters have monitoring enabled.
Master Authorized Network
Ensures master authorized networks is enabled on Kubernetes clusters. Master authorized networks restrict access to the control plane API endpoint to an explicit list of approved CIDR ranges, so the endpoint is not reachable from arbitrary addresses.
Logging Enabled
Ensures all Kubernetes clusters have logging enabled. This setting should be enabled to ensure Kubernetes control plane logs are properly recorded.
Legacy Authorization Disabled
Ensures legacy authorization is disabled on Kubernetes clusters. The legacy authorizer in Kubernetes (attribute-based access control, ABAC) grants broad, statically defined permissions; with it disabled, access within the cluster is governed solely by RBAC.
Default Service Account
Ensures Kubernetes cluster nodes do not use the default Compute Engine service account. Cluster nodes should run under a dedicated service account with only the minimal IAM roles they need (for example, writing logs and metrics); the default service account has historically carried the project Editor role, which widens the blast radius if a node or a pod running on it is compromised.
COS Image Enabled
Ensures all Kubernetes cluster nodes use Container-Optimized OS as the node image. Container-Optimized OS is a minimal, hardened image built for running containers, and Google maintains and patches it, so security fixes reach nodes quickly.
Cluster Least Privilege
Ensures Kubernetes clusters are created with limited service account access scopes. The OAuth access scopes granted to the node service account should be limited to those needed to operate the cluster (such as the logging and monitoring write scopes) rather than the broad cloud-platform scope, which exposes every API the service account's IAM roles allow.
Basic Authentication Disabled
Ensures basic authentication is disabled on Kubernetes clusters. Basic authentication uses a static username and password for the API server that bypass IAM; GKE disables it by default on recent versions and removed it from 1.19 onward, so it should not be enabled on any cluster.
Automatic Node Upgrades Enabled
Ensures all Kubernetes cluster nodes have automatic upgrades enabled. Enabling automatic upgrades keeps each node on a supported GKE version in step with the control plane, so security patches for the node OS and kubelet are applied without manual intervention.
Automatic Node Repair Enabled
Ensures all Kubernetes cluster nodes have automatic repair enabled. When automatic repair is enabled, GKE performs health checks on all nodes and recreates nodes that remain unhealthy, which keeps the node pool in a known-good state without operator intervention.
Alias IP Ranges Enabled
Ensures all Kubernetes clusters have alias IP ranges enabled (VPC-native clusters). Alias IP ranges assign pod and service IP addresses from secondary ranges on the VPC subnet, so pod addresses are natively routable and can be targeted by VPC firewall rules; VPC-native networking is also required for private clusters.
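The checks above can be evaluated offline against the JSON that `gcloud container clusters describe CLUSTER --format=json` returns (the v1 Cluster resource). The script below is an added example, not part of this checklist or any vendor's tooling; the field names follow the GKE API, the `podSecurityPolicyConfig` field comes from the v1beta1 API and is absent on clusters where PSP no longer exists, and the sample cluster is constructed to fail several checks.

```python
"""Evaluate a GKE cluster description against the checklist above.

Input is the dict parsed from `gcloud container clusters describe --format=json`.
Field names follow the GKE v1 API (podSecurityPolicyConfig is v1beta1).
The sample cluster at the bottom is constructed for illustration only.
"""
import json

# The cloud-platform scope grants access to every API the node SA's IAM roles allow.
BROAD_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
COS_IMAGES = ("COS", "COS_CONTAINERD")


def _get(d, path, default=None):
    """Walk a dotted path through nested dicts; return default if any key is missing."""
    for key in path.split("."):
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d


def _all_pools(cluster, predicate):
    """True only if every node pool satisfies predicate (no pools counts as a failure)."""
    pools = cluster.get("nodePools", [])
    return bool(pools) and all(predicate(p) for p in pools)


# One predicate per checklist item; a missing setting is treated as the insecure default,
# except legacy ABAC and basic auth, which GKE leaves off unless explicitly configured.
CHECKS = {
    "Dashboard Disabled": lambda c: _get(c, "addonsConfig.kubernetesDashboard.disabled", False) is True,
    "Private Endpoint": lambda c: _get(c, "privateClusterConfig.enablePrivateEndpoint", False) is True,
    "Private Cluster Enabled": lambda c: _get(c, "privateClusterConfig.enablePrivateNodes", False) is True,
    "Pod Security Policy Enabled": lambda c: _get(c, "podSecurityPolicyConfig.enabled", False) is True,
    "Network Policy Enabled": lambda c: _get(c, "networkPolicy.enabled", False) is True,
    "Monitoring Enabled": lambda c: c.get("monitoringService", "none") != "none",
    "Master Authorized Network": lambda c: _get(c, "masterAuthorizedNetworksConfig.enabled", False) is True,
    "Logging Enabled": lambda c: c.get("loggingService", "none") != "none",
    "Legacy Authorization Disabled": lambda c: _get(c, "legacyAbac.enabled", False) is not True,
    "Default Service Account": lambda c: _all_pools(c, lambda p: _get(p, "config.serviceAccount", "default") != "default"),
    "COS Image Enabled": lambda c: _all_pools(c, lambda p: _get(p, "config.imageType", "") in COS_IMAGES),
    "Cluster Least Privilege": lambda c: _all_pools(c, lambda p: BROAD_SCOPE not in _get(p, "config.oauthScopes", [])),
    "Basic Authentication Disabled": lambda c: not _get(c, "masterAuth.username") and not _get(c, "masterAuth.password"),
    "Automatic Node Upgrades Enabled": lambda c: _all_pools(c, lambda p: _get(p, "management.autoUpgrade", False) is True),
    "Automatic Node Repair Enabled": lambda c: _all_pools(c, lambda p: _get(p, "management.autoRepair", False) is True),
    "Alias IP Ranges Enabled": lambda c: _get(c, "ipAllocationPolicy.useIpAliases", False) is True,
}


def evaluate(cluster):
    """Return {check name: True if the cluster passes} in checklist order."""
    return {name: bool(check(cluster)) for name, check in CHECKS.items()}


def failing(cluster):
    """Names of the checks the cluster fails, in checklist order."""
    return [name for name, ok in evaluate(cluster).items() if not ok]


# Constructed sample: a partially hardened cluster with only the fields the checks read.
SAMPLE_CLUSTER = json.loads("""{
  "name": "example-cluster",
  "addonsConfig": {"kubernetesDashboard": {"disabled": true}},
  "privateClusterConfig": {"enablePrivateNodes": true, "enablePrivateEndpoint": false},
  "networkPolicy": {"provider": "CALICO", "enabled": true},
  "monitoringService": "monitoring.googleapis.com/kubernetes",
  "loggingService": "logging.googleapis.com/kubernetes",
  "masterAuthorizedNetworksConfig": {"enabled": true, "cidrBlocks": [{"cidrBlock": "10.0.0.0/8"}]},
  "legacyAbac": {"enabled": false},
  "masterAuth": {"clusterCaCertificate": "REDACTED"},
  "ipAllocationPolicy": {"useIpAliases": true},
  "nodePools": [
    {"name": "default-pool",
     "config": {"serviceAccount": "default", "imageType": "COS_CONTAINERD",
                "oauthScopes": ["https://www.googleapis.com/auth/cloud-platform"]},
     "management": {"autoUpgrade": true, "autoRepair": true}},
    {"name": "batch-pool",
     "config": {"serviceAccount": "gke-nodes@example.iam.gserviceaccount.com",
                "imageType": "UBUNTU_CONTAINERD",
                "oauthScopes": ["https://www.googleapis.com/auth/logging.write",
                                "https://www.googleapis.com/auth/monitoring"]},
     "management": {"autoUpgrade": false, "autoRepair": true}}
  ]
}""")

if __name__ == "__main__":
    for name, ok in evaluate(SAMPLE_CLUSTER).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Node-pool checks deliberately require every pool to pass: one pool on the default service account or the cloud-platform scope is enough to fail the cluster, since a compromised pod on that pool inherits its node's credentials. Pipe real output into `evaluate(json.load(sys.stdin))` to run it against a live cluster.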
Sources
https://www.cloudanix.com/recipelist/gcp/gcpkubemonitoring
https://cloud.google.com/kubernetes-engine/docs/concepts/dashboards
https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters
https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters
https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies
https://cloud.google.com/kubernetes-engine/docs/how-to/network-policy
https://cloud.google.com/monitoring/kubernetes-engine/
https://cloud.google.com/kubernetes-engine/docs/how-to/authorized-networks
https://cloud.google.com/monitoring/kubernetes-engine/legacy-stackdriver/logging
https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster
https://cloud.google.com/container-optimized-os/
https://cloud.google.com/container-optimized-os/
https://cloud.google.com/compute/docs/access/service-accounts
https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster
https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-upgrades
https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-repair
https://cloud.google.com/monitoring/kubernetes-engine/