Cloudanix home page

Community
Login
Login

GCP Introduction

Authenticating your GCP account

GCP Pricing

GCP Services which determine your cost

GCP Threats

Getting Started with gcp Realtime Events

GCP Misconfigurations

Getting Started with GCP Audit
CloudSql Audit
Cloud Tasks Monitoring
Dataflow Monitoring
Function Monitoring
Monitoring Compliance
PubSubLite Monitoring
Spanner Monitoring
NoSQL Monitoring
Compute Audit
IAM Audit
BigQuery Monitoring
CDN Monitoring
DNS Monitoring
KMS Monitoring
Kubernetes Audit
Load Balancer Monitoring
Log Monitoring
Storage Audit
Pub/Sub Monitoring
VPC Audit
IAM Deep Dive

Resources

GCP Services which determine your cost

GCP Threats

Getting Started with gcp Realtime Events

On this page

Checks performed

Kubernetes Misconfig for GCP

Checks performed

Client Certificate Authentication Should Not Be Used For Users
Ensure Minimal Audit Policy Is Created
Ensure That The Audit Policy Covers Key Security Concerns
Ensure Proxy Kubeconfig File Permissions Are Restrictive
Ensure Proxy Kubeconfig File Ownership Is Root
Ensure Kubelet Configuration File Permissions Restrictive
Ensure Kubelet Configuration File Ownership Is Set To Root
Ensure Anonymous Auth Argument Is Disabled
Ensure Authorization Mode Argument Is Not Set Always Allow
Ensure Client Ca File Argument Is Set As Appropriate
Ensure Read Only Port Argument Is Set 0
Ensure Streaming Connection Idle Timeout Argument Is Not Set 0
Ensure Protect Kernel Defaults Argument Is Enabled
Ensure Make Iptables Util Chains Argument Is Set True
Ensure Hostname Override Argument Is Not Set
Ensure Event Qps Argument Set 0 Or Level Which Ensures Appropriate Event Capture
Ensure Tls Cert File And Tls Private Key File Arguments Are Set Appropriate
Ensure Rotate Certificates Argument Is Not Set False
Ensure Rotate Kubelet Server Certificate Argument Is Set True
Ensure That The Cluster Admin Role Is Only Used Where Required
Minimize Access Secrets
Minimize Wildcard Use In Roles And Cluster Roles
Minimize Access Create Pods
Ensure Default Service Accounts Are Not Actively Used
Ensure Service Account Tokens Are Only Mounted Where Necessary
Minimize The Admission Privileged Containers
Minimize Admission Containers Wishing Share The Host Process Id Namespace
Minimize The Admission Containers Wishing Share The Host Ipc Namespace
Minimize The Admission Containers Wishing Share The Host Network Namespace
Minimize The Admission Containers With Allow Privilege Escalation
Minimize The Admission Of Root Containers
Minimize The Admission Of Containers With The Net_Raw Capability
Minimize The Admission Of Containers With Added Capabilities
Minimize The Admission Of Containers With Capabilities Assigned
Ensure That The Cni In Use Supports Network Policies
Ensure All Namespaces Have Network Policies Defined
Prefer Secrets Files Over Secrets As Environment Variables
Consider External Secret Storage
Configure Image Provenance Image Policy Webhook Admission Controller
Create Administrative Boundaries Between Resources Using Namespaces
Ensure Seccomp Profile Is Set Docker/Default In Your Pod Definitions
Apply Security Context To Your Pods And Containers
The Default Namespace Should Not Be Used
Ensure Image Vulnerability Scanning Using Gcr Container Analysis Or A Third Party Provider
Minimize User Access To Gcr
Minimize Cluster Access To Read-Only For Gcr
Minimize Container Registries To Only Those Approved
Ensure Gke Clusters Are Not Running Using The Compute Engine Default Service Account
Prefer Using Dedicated Gcp Service Accounts And Workload Identity
Ensure Kubernetes Secrets Are Encrypted Using Keys Managed In Cloud Kms
Ensure Legacy Compute Engine Instance Metadata Apis Are Disabled
Ensure The Gke Metadata Server Is Enabled
Ensure Container-Optimized Os (Cos) Is Used For Gke Node Images
Ensure Node Auto-Repair Is Enabled For Gke Nodes
Ensure Node Auto-Upgrade Is Enabled For Gke Nodes
When Creating New Clusters - Automate Gke Version Management Using Release Channels
Ensure Shielded Gke Nodes Are Enabled
Ensure Integrity Monitoring For Shielded Gke Nodes Is Enabled
Ensure Secure Boot For Shielded Gke Nodes Is Enabled
Enable Vpc Flow Logs And Intranode Visibility
Ensure Use Of Vpc-Native Clusters
Ensure Master Authorized Networks Is Enabled
Ensure Clusters Are Created With Private Endpoint Enabled And Public Access Disabled
Ensure Clusters Are Created With Private Nodes
Consider Firewalling Gke Worker Nodes
Ensure Network Policy Is Enabled And Set As Appropriate
Ensure Use Google Managed Ssl Certificates
Ensure Stackdriver Kubernetes Logging And Monitoring Is Enabled
Enable Linux Audit Logging
Ensure Basic Authentication Using Static Passwords Is Disabled
Ensure Authentication Using Client Certificates Is Disabled
Manage Kubernetes Rbac Users With Google Groups For Gke
Ensure Legacy Authorization (Abac) Disabled
Enable Customer-Managed Encryption Keys (Cmek) For Gke Persistent Disks
Ensure Kubernetes Web Ui Is Disabled
Ensure That Alpha Clusters Are Not Used For Production Workloads
Ensure Pod Security Policy Is Enabled And Set As Appropriate
Consider Gke Sandbox For Running Untrusted Workloads
Ensure Use Of Binary Authorization
Enable Cloud Security Command Center

Powered by Mintlify

Assistant

Responses are generated using AI and may contain mistakes.