Vulnerabilities
Misconfiguration
Runtime Security
Compliance
Compliance > Kubernetes > CIS - GKE 1.0 > Control Plane Components >

API Server

N/A
Source
Kube Bench
ID
1.2
Version
gke-1.0

1.2 API Server

1.2.1 Ensure that the –anonymous-auth argument is set to false (Not Scored)

This control cannot be modified in GKE.

1.2.2 Ensure that the –basic-auth-file argument is not set (Not Scored)

Although the use of the –basic-auth-file argument cannot be audited on GKE, you can remediate the use of basic authentication. See Recommendation 6.8.1.

1.2.3 Ensure that the –token-auth-file parameter is not set (Not Scored)

This control cannot be modified in GKE.

1.2.4 Ensure that the –kubelet-https argument is set to true (Not Scored)

This control cannot be modified in GKE.

1.2.5 Ensure that the –kubelet-client-certificate and –kubelet-client-key arguments are set as appropriate (Not Scored)

This control cannot be modified in GKE.

1.2.6 Ensure that the –kubelet-certificate-authority argument is set as appropriate (Not Scored)

This control cannot be modified in GKE.

1.2.7 Ensure that the –authorization-mode argument is not set to AlwaysAllow (Not Scored)

This control cannot be modified in GKE.

1.2.8 Ensure that the –authorization-mode argument includes Node (Not Scored)

This control cannot be modified in GKE.

1.2.9 Ensure that the –authorization-mode argument includes RBAC (Not Scored)

This control cannot be modified in GKE.

1.2.10 Ensure that the admission control plugin EventRateLimit is set (Not Scored)

This control cannot be modified in GKE.

1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Not Scored)

This control cannot be modified in GKE.

1.2.12 Ensure that the admission control plugin AlwaysPullImages is set (Not Scored)

This control cannot be modified in GKE.

1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Not Scored)

This control cannot be modified in GKE.

1.2.14 Ensure that the admission control plugin ServiceAccount is set (Not Scored)

This control cannot be modified in GKE.

1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Not Scored)

This control cannot be modified in GKE.

1.2.16 Ensure that the admission control plugin PodSecurityPolicy is set (Not Scored)

To verify and remediate the use of Pod Security Policy on GKE, see Recommendation 6.10.3.

1.2.17 Ensure that the admission control plugin NodeRestriction is set (Not Scored)

This control cannot be modified in GKE.

1.2.18 Ensure that the –insecure-bind-address argument is not set (Not Scored)

This control cannot be modified in GKE.

1.2.19 Ensure that the –insecure-port argument is set to 0 (Not Scored)

This control cannot be modified in GKE.

1.2.20 Ensure that the –secure-port argument is not set to 0 (Not Scored)

This control cannot be modified in GKE.

1.2.21 Ensure that the –profiling argument is set to false (Not Scored)

This control cannot be modified in GKE.

1.2.22 Ensure that the –audit-log-path argument is set (Not Scored)

This control cannot be modified in GKE.

1.2.23 Ensure that the –audit-log-maxage argument is set to 30 or as appropriate (Not Scored)

This control cannot be modified in GKE.

1.2.24 Ensure that the –audit-log-maxbackup argument is set to 10 or as appropriate (Not Scored)

This control cannot be modified in GKE.

1.2.25 Ensure that the –audit-log-maxsize argument is set to 100 or as appropriate (Not Scored)

This control cannot be modified in GKE.

1.2.26 Ensure that the –request-timeout argument is set as appropriate (Not Scored)

This control cannot be modified in GKE.

1.2.27 Ensure that the –service-account-lookup argument is set to true (Not Scored)

This control cannot be modified in GKE.

1.2.28 Ensure that the –service-account-key-file argument is set as appropriate (Not Scored)

This control cannot be modified in GKE.

1.2.29 Ensure that the –etcd-certfile and –etcd-keyfile arguments are set as appropriate (Not Scored)

This control cannot be modified in GKE.

1.2.30 Ensure that the –tls-cert-file and –tls-private-key-file arguments are set as appropriate (Not Scored)

This control cannot be modified in GKE.

1.2.31 Ensure that the –client-ca-file argument is set as appropriate (Not Scored)

This control cannot be modified in GKE.

1.2.32 Ensure that the –etcd-cafile argument is set as appropriate (Not Scored)

This control cannot be modified in GKE.

1.2.33 Ensure that the –encryption-provider-config argument is set as appropriate (Not Scored)

To verify and remediate the use of secret encryption on GKE, see Recommendation 6.3.1.

1.2.34 Ensure that encryption providers are appropriately configured (Not Scored)

To verify and remediate the use of secret encryption on GKE, see Recommendation 6.3.1.

1.2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Not Scored)

This control cannot be modified in GKE.

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2023 Aqua Security Software Ltd.   Privacy Policy | Terms of Use