Best practice rules for GCP Google Kubernetes Engine Service
- Access Secrets Stored Outside GKE Clusters
Ensure that Google Kubernetes Engine (GKE) clusters are configured to access secrets stored in Secret Manager, outside the cluster, rather than relying only on Kubernetes Secrets.
- Automate Cluster Version Upgrades using Release Channels
Automate version management for your Google Kubernetes Engine (GKE) clusters using Release Channels.
- Check for Alpha Clusters in Production
Ensure that Alpha GKE clusters are not used for production workloads.
- Detect GCP GKE Configuration Changes
Ensure that configuration changes to Google Kubernetes Engine (GKE) clusters are detected within your Google Cloud Platform (GCP) account.
- Disable Client Certificates
Ensure that client certificate authentication is disabled for Google Kubernetes Engine (GKE) clusters.
- Disable Kubernetes Dashboard for GKE Clusters
Ensure that Kubernetes Dashboard is disabled for GKE clusters.
- Disable Legacy Authorization
Disable legacy authorization for Google Kubernetes Engine (GKE) clusters.
- Enable Auto-Repair for GKE Cluster Nodes
Ensure that your Google Kubernetes Engine (GKE) clusters are using auto-repairing nodes.
- Enable Auto-Upgrade for GKE Cluster Nodes
Ensure that your Google Kubernetes Engine (GKE) cluster nodes are using automatic upgrades.
- Enable Binary Authorization
Ensure that Binary Authorization is enabled for Google Kubernetes Engine (GKE) clusters.
- Enable Cluster Backups
Enable and configure backups for Google Kubernetes Engine (GKE) clusters.
- Enable Cost Allocation
Enable cost allocation for Google Kubernetes Engine (GKE) clusters.
- Enable Critical Notifications
Enable critical notifications for Google Kubernetes Engine (GKE) clusters.
- Enable Encryption for Application-Layer Secrets for GKE Clusters
Ensure that encryption of Kubernetes secrets using Customer-Managed Keys is enabled for GKE clusters.
- Enable GKE Cluster Node Encryption with Customer-Managed Encryption Keys
Ensure that boot disk encryption with Customer-Managed Encryption Keys is enabled for GKE cluster nodes.
- Enable GKE Metadata Server
Enable the GKE Metadata Server feature for Google Kubernetes Engine (GKE) clusters.
- Enable Integrity Monitoring for Cluster Nodes
Ensure that Integrity Monitoring is enabled for your Google Kubernetes Engine (GKE) cluster nodes.
- Enable Inter-Node Transparent Encryption
Ensure that inter-node transparent encryption is enabled for Google Kubernetes Engine (GKE) clusters.
- Enable Intranode Visibility
Enable the Intranode Visibility feature for Google Kubernetes Engine (GKE) clusters.
- Enable Private Nodes
Enable private nodes for Google Kubernetes Engine (GKE) clusters.
- Enable Secure Boot for Cluster Nodes
Ensure that Secure Boot is enabled for your Google Kubernetes Engine (GKE) cluster nodes.
- Enable VPC-Native Traffic Routing
Enable VPC-native traffic routing for Google Kubernetes Engine (GKE) clusters.
- Enable Workload Identity Federation
Enable Workload Identity Federation for Google Kubernetes Engine (GKE) clusters.
- Enable Workload Vulnerability Scanning
Enable workload vulnerability scanning for Google Kubernetes Engine (GKE) clusters.
- Enable and Configure Cluster Logging
Enable and configure logging for Google Kubernetes Engine (GKE) clusters.
- Enable and Configure Cluster Monitoring
Enable and configure Cloud Monitoring for Google Kubernetes Engine (GKE) clusters.
- Enable and Configure Security Posture
Enable the Security Posture dashboard for Google Kubernetes Engine (GKE) clusters.
- Prevent Default Service Account Usage
Ensure that GKE cluster nodes are not configured to use the Compute Engine default service account.
- Restrict Network Access
Ensure that the Google Kubernetes Engine (GKE) cluster control plane is not exposed to the Internet.
- Use Confidential GKE Cluster Nodes
Enable confidential GKE nodes for Google Kubernetes Engine (GKE) clusters.
- Use Container-Optimized OS for GKE Cluster Nodes
Ensure that Google Kubernetes Engine (GKE) cluster nodes use Container-Optimized OS as their node image.
- Use GKE Clusters with Private Endpoints Only
Ensure that Google Kubernetes Engine (GKE) clusters are using private endpoints only for control plane access.
- Use Labels for Resource Management
Ensure that all Google Kubernetes Engine (GKE) clusters are labeled for better resource management.
- Use Sandbox with gVisor for GKE Cluster Nodes
Enable GKE Sandbox with gVisor to isolate untrusted workloads from the node kernel.
- Use Shielded GKE Cluster Nodes
Ensure that your GKE cluster nodes are Shielded nodes, protecting against node impersonation attacks.
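As an added example (not code from this page or from any vendor's rule engine), the following Python script evaluates a subset of the rules above against the JSON that `gcloud container clusters describe NAME --format=json` emits. The field names are those of the GKE Cluster API resource as I know them (`releaseChannel.channel`, `legacyAbac.enabled`, `nodePools[].config.serviceAccount`, and so on); confirm them against your own describe output before relying on a result. The `SAMPLE_CLUSTER` dictionary is constructed for the example and deliberately violates several rules, so the output shows what a failing cluster looks like.

```python
"""Audit a GKE cluster description against a subset of the rules listed above.

Reads the JSON emitted by `gcloud container clusters describe NAME --format=json`
(field names follow the GKE Cluster API resource) and reports which rules fail.
"""
import json
import sys


def get(obj, path, default=None):
    """Return the value at a dotted path in nested dicts, or `default` if any key is absent."""
    cur = obj
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def audit_cluster(cluster):
    """Map each rule name to True (pass) or False (fail) for one cluster description."""
    pools = cluster.get("nodePools", [])

    def every_pool(pred):
        # Node-level settings must hold on every pool; a cluster with no pools fails.
        return bool(pools) and all(bool(pred(p)) for p in pools)

    checks = {
        # Cluster-level settings.
        "release_channel": get(cluster, "releaseChannel.channel", "UNSPECIFIED") != "UNSPECIFIED",
        "no_alpha_cluster": not cluster.get("enableKubernetesAlpha", False),
        "client_certs_disabled": not get(cluster, "masterAuth.clientCertificateConfig.issueClientCertificate", False),
        # An absent dashboard addon block means the addon is not deployed, so treat absence as a pass.
        "dashboard_disabled": get(cluster, "addonsConfig.kubernetesDashboard.disabled", True),
        "legacy_abac_disabled": not get(cluster, "legacyAbac.enabled", False),
        "secrets_cmek": get(cluster, "databaseEncryption.state") == "ENCRYPTED",
        "intranode_visibility": get(cluster, "networkConfig.enableIntraNodeVisibility", False),
        "private_nodes": get(cluster, "privateClusterConfig.enablePrivateNodes", False),
        "private_endpoint_only": get(cluster, "privateClusterConfig.enablePrivateEndpoint", False),
        "vpc_native": get(cluster, "ipAllocationPolicy.useIpAliases", False),
        "workload_identity": bool(get(cluster, "workloadIdentityConfig.workloadPool")),
        "authorized_networks": get(cluster, "masterAuthorizedNetworksConfig.enabled", False),
        "shielded_nodes": get(cluster, "shieldedNodes.enabled", False),
        "labeled": bool(cluster.get("resourceLabels")),
        # Node-pool settings, evaluated per pool: one unhardened pool fails the cluster.
        "node_auto_repair": every_pool(lambda p: get(p, "management.autoRepair", False)),
        "node_auto_upgrade": every_pool(lambda p: get(p, "management.autoUpgrade", False)),
        "gke_metadata_server": every_pool(lambda p: get(p, "config.workloadMetadataConfig.mode") == "GKE_METADATA"),
        "secure_boot": every_pool(lambda p: get(p, "config.shieldedInstanceConfig.enableSecureBoot", False)),
        "integrity_monitoring": every_pool(lambda p: get(p, "config.shieldedInstanceConfig.enableIntegrityMonitoring", False)),
        "no_default_sa": every_pool(lambda p: get(p, "config.serviceAccount", "default") != "default"),
        "cos_image": every_pool(lambda p: str(get(p, "config.imageType", "")).startswith("COS")),
    }
    return {rule: bool(ok) for rule, ok in checks.items()}


def failing_rules(cluster):
    """Sorted names of the rules the cluster fails."""
    return sorted(rule for rule, ok in audit_cluster(cluster).items() if not ok)


# Constructed sample (not a real cluster): hardened in places, but it issues client certificates,
# keeps legacy ABAC on, leaves secrets unencrypted with CMEK, exposes the public endpoint,
# and has one pool on the default service account and one pool without Secure Boot or auto-upgrade.
SAMPLE_CLUSTER = {
    "name": "example-cluster",
    "releaseChannel": {"channel": "REGULAR"},
    "enableKubernetesAlpha": False,
    "masterAuth": {"clientCertificateConfig": {"issueClientCertificate": True}},
    "addonsConfig": {"kubernetesDashboard": {"disabled": True}},
    "legacyAbac": {"enabled": True},
    "databaseEncryption": {"state": "DECRYPTED"},
    "networkConfig": {"enableIntraNodeVisibility": True},
    "privateClusterConfig": {"enablePrivateNodes": True, "enablePrivateEndpoint": False},
    "ipAllocationPolicy": {"useIpAliases": True},
    "workloadIdentityConfig": {"workloadPool": "example-project.svc.id.goog"},
    "masterAuthorizedNetworksConfig": {"enabled": True},
    "shieldedNodes": {"enabled": True},
    "resourceLabels": {"env": "prod"},
    "nodePools": [
        {"name": "default-pool",
         "management": {"autoRepair": True, "autoUpgrade": True},
         "config": {"imageType": "COS_CONTAINERD", "serviceAccount": "default",
                    "workloadMetadataConfig": {"mode": "GKE_METADATA"},
                    "shieldedInstanceConfig": {"enableSecureBoot": True, "enableIntegrityMonitoring": True}}},
        {"name": "legacy-pool",
         "management": {"autoRepair": True, "autoUpgrade": False},
         "config": {"imageType": "COS_CONTAINERD",
                    "serviceAccount": "gke-nodes@example-project.iam.gserviceaccount.com",
                    "workloadMetadataConfig": {"mode": "GKE_METADATA"},
                    "shieldedInstanceConfig": {"enableSecureBoot": False, "enableIntegrityMonitoring": True}}},
    ],
}


if __name__ == "__main__":
    # Pass a file written by `gcloud container clusters describe ... --format=json`, or run on the sample.
    with open(sys.argv[1]) if len(sys.argv) > 1 else None or sys.stdin if False else open(__file__) as _:
        pass
    cluster = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_CLUSTER
    for rule in failing_rules(cluster):
        print("FAIL", rule)
```

Run it as `python3 gke_audit.py cluster.json` after saving the describe output to `cluster.json`; with no argument it audits the constructed sample and prints seven FAIL lines. The per-pool evaluation is the point worth copying: several of the rules above (auto-upgrade, Secure Boot, service account, node image) are node pool properties, and a cluster whose default pool is hardened can still fail on a second pool that was created with older defaults.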