Source: Kube Bench
ID: 5.1
Version: gke-1.2.0

5.10 Other Cluster Configurations

5.10.1 Ensure Kubernetes Web UI is Disabled (Automated)

Using Command Line: To disable the Kubernetes Dashboard on an existing cluster, run the following command:

gcloud container clusters update [CLUSTER_NAME] \
  --zone [ZONE] \
  --update-addons=KubernetesDashboard=DISABLED

5.10.2 Ensure that Alpha clusters are not used for production workloads (Automated)

Using Command Line: When creating a new cluster, run:

gcloud container clusters create [CLUSTER_NAME] \
  --zone [COMPUTE_ZONE]

Do not pass the --enable-kubernetes-alpha argument.

5.10.3 Ensure Pod Security Policy is Enabled and set as appropriate (Manual)

Using Command Line: To enable Pod Security Policy for an existing cluster, run the following command:

gcloud beta container clusters update [CLUSTER_NAME] \
  --zone [COMPUTE_ZONE] \
  --enable-pod-security-policy

5.10.4 Consider GKE Sandbox for running untrusted workloads (Manual)

Using Command Line: To enable GKE Sandbox on an existing cluster, a new Node pool must be created.

gcloud container node-pools create [NODE_POOL_NAME] \
  --zone=[COMPUTE-ZONE] \
  --cluster=[CLUSTER_NAME] \
  --image-type=cos_containerd \
  --sandbox type=gvisor

5.10.5 Ensure use of Binary Authorization (Automated)

Using Command Line: First, update the cluster to enable Binary Authorization:

gcloud container clusters update [CLUSTER_NAME] \
  --zone [COMPUTE-ZONE] \
  --enable-binauthz

Create a Binary Authorization Policy using the Binary Authorization Policy Reference (https://cloud.google.com/binary-authorization/docs/policy-yaml-reference) for guidance.

Import the policy file into Binary Authorization:

gcloud container binauthz policy import [YAML_POLICY]
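The remediations in 5.10.1 to 5.10.5 all change fields of the GKE cluster resource, so a defender can verify them from one `gcloud container clusters describe [CLUSTER_NAME] --format=json` call. The audit below is an added example and not kube-bench's own check code; it reads the field names the GKE Cluster API exposes (addonsConfig.kubernetesDashboard.disabled, enableKubernetesAlpha, podSecurityPolicyConfig.enabled, nodePools[].config.sandboxConfig.type, binaryAuthorization) and runs against a constructed sample rather than a live cluster.

```python
"""Audit a GKE cluster description against CIS GKE checks 5.10.1-5.10.5."""
import json

# Constructed sample of `gcloud container clusters describe ... --format=json`
# output (not real cluster data); only the fields the checks read are present.
SAMPLE_CLUSTER_JSON = """
{
  "name": "example-cluster",
  "enableKubernetesAlpha": true,
  "addonsConfig": {"kubernetesDashboard": {"disabled": false}},
  "podSecurityPolicyConfig": {"enabled": false},
  "binaryAuthorization": {"enabled": true},
  "nodePools": [
    {"name": "default-pool", "config": {"imageType": "COS_CONTAINERD"}},
    {"name": "sandbox-pool", "config": {"imageType": "COS_CONTAINERD",
                                        "sandboxConfig": {"type": "GVISOR"}}}
  ]
}
"""


def audit_cluster(cluster: dict) -> dict:
    """Return {check_id: (passed, detail)} for checks 5.10.1 to 5.10.5."""
    results = {}
    # 5.10.1: the dashboard add-on must be disabled; a missing entry means enabled.
    dash_off = cluster.get("addonsConfig", {}).get("kubernetesDashboard", {}).get("disabled", False)
    results["5.10.1"] = (dash_off is True, "kubernetesDashboard.disabled=%s" % dash_off)
    # 5.10.2: alpha clusters are unsupported and short-lived; never production.
    alpha = cluster.get("enableKubernetesAlpha", False)
    results["5.10.2"] = (not alpha, "enableKubernetesAlpha=%s" % alpha)
    # 5.10.3: PodSecurityPolicy admission must be enabled.
    psp = cluster.get("podSecurityPolicyConfig", {}).get("enabled", False)
    results["5.10.3"] = (psp is True, "podSecurityPolicyConfig.enabled=%s" % psp)
    # 5.10.4: at least one node pool should offer gVisor sandboxing.
    sandboxed = [p["name"] for p in cluster.get("nodePools", [])
                 if p.get("config", {}).get("sandboxConfig", {}).get("type") == "GVISOR"]
    results["5.10.4"] = (bool(sandboxed), "gVisor pools: %s" % (sandboxed or "none"))
    # 5.10.5: Binary Authorization on, via the older `enabled` flag or evaluationMode.
    ba = cluster.get("binaryAuthorization", {})
    mode = ba.get("evaluationMode", "DISABLED")
    ba_on = ba.get("enabled") is True or mode not in ("DISABLED", "EVALUATION_MODE_UNSPECIFIED")
    results["5.10.5"] = (ba_on, "binaryAuthorization=%s" % json.dumps(ba))
    return results


def failing_checks(cluster_json: str) -> list:
    """Parse describe output and return the sorted IDs of failing checks."""
    results = audit_cluster(json.loads(cluster_json))
    return sorted(cid for cid, (ok, _) in results.items() if not ok)


if __name__ == "__main__":
    for cid, (ok, detail) in sorted(audit_cluster(json.loads(SAMPLE_CLUSTER_JSON)).items()):
        print("%s %s  %s" % (cid, "PASS" if ok else "FAIL", detail))
```

On the constructed sample the script reports 5.10.1, 5.10.2 and 5.10.3 as failing, which matches the remediation commands above.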

5.10.6 Enable Cloud Security Command Center (Cloud SCC) (Manual)

Using Command Line: Follow the instructions at https://cloud.google.com/security-command-center/docs/quickstart-scc-setup.