Cloudanix home page

Login
Community
Login

GCP Misconfigurations

Kubernetes Audit

GCP Introduction

Authenticating your GCP account

GCP Pricing

GCP Services which determine your cost

GCP Threats

Getting Started with gcp Realtime Events

GCP Misconfigurations

Getting Started with GCP Audit
CloudSql Audit
Cloud Tasks Monitoring
Dataflow Monitoring
Function Monitoring
Monitoring Compliance
PubSubLite Monitoring
Spanner Monitoring
NoSQL Monitoring
Compute Audit
IAM Audit
BigQuery Monitoring
CDN Monitoring
DNS Monitoring
KMS Monitoring
Kubernetes Audit
Load Balancer Monitoring
Log Monitoring
Storage Audit
Pub/Sub Monitoring
VPC Audit
IAM Deep Dive

Resources

GCP Services which determine your cost

GCP Threats

Getting Started with gcp Realtime Events

GCP Misconfigurations

Kubernetes Audit

Checks performed

Web Dashboard Should Be Disabled
Private Endpoints Should Be Enabled
Private Cluster Should Be Enabled
Pod Security Policy Should Be Enabled
Network Policy Should Be Enabled
Monitoring Should Be Enabled
Master Authorized Network Should Be Enabled
Logging Should Be Enabled
Legacy Authorization Should Be Disabled
Default Service Accounts Should Not Be Used
Container-Optimized OS Should Be Enabled
Cluster Should Have Limited Service Account Access
Basic Authentication Should Be Disabled
Automatic Node Upgrades Should Be Enabled
Automatic Node Repair Should Be Enabled
Alias IP Ranges Should Be Enabled
Kubernetes Node Pool Autoscaling Should Be Enabled
Kubernetes Boot Disk Should Be Encrypted With Customer Managed Keys
Integrity Monitoring Should Be Enabled For Kubernetes Node Pools
Secure Boot Should Be Enabled For Kubernetes Node Pools
Shielded Nodes Should Be Used For Kubernetes Cluster
Autoscaling Profile For Clusters Should Be Set To Optimize_Utilization or Balanced
Cluster Master Endpoint Should Not Be Global
Latest Kubernetes Version Should Be Used
Client Certificate Authentication Should Not Be Used For Users
Ensure Image Vulnerability Scanning Is Performed
Minimize Cluster Access To Read-Only For GCR
Minimize Container Registries To Only Approved Ones
Ensure GKE Clusters Are Not Using Default Service Account
Use Dedicated GCP Service Accounts And Workload Identity For Clusters
Ensure Kubernetes Secrets Are Encrypted Using KMS Keys
Ensure Legacy Compute Engine Instance Metadata APIs Are Disabled
Ensure The GKE Metadata Server Is Enabled
Ensure Clusters Use Stable Release Channels
Ensure Integrity Monitoring For Shielded GKE Nodes Is Enabled
Enable VPC Flow Logs And Intranode Visibility
Ensure Use Of VPC-Native Clusters
Ensure Stackdriver Kubernetes Logging And Monitoring Is Enabled
Ensure Authentication Using Client Certificates Is Disabled
Manage Kubernetes RBAC Users With Google Groups
Ensure Kubernetes Web UI Is Disabled
Ensure Alpha Clusters Are Not Used For Production
Consider GKE Sandbox For Running Untrusted Workloads
Ensure Use Of Binary Authorization
Schedule Maintenance Windows And Exclusions
Upgrades And Updates Should Be Enabled
Control Plane Endpoint Access Should Be Limited To Authorized Networks
Enable Regional Redundancy For Maximum Availability
For Large Clusters L4 ILB Subsetting Should Be Used
Clusters Should Have Network Policies Or Dataplane V2 Enabled
Cluster Should Use Node Local DNS Cache
Node Pools Should Be Regional For High Availability
Workload Identity Should Be Enabled

KMS Monitoring Load Balancer Monitoring

Powered by Mintlify

On this page

Checks performed