Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks below:

CIS Benchmarks | GKE Documentation

Stay organized with collections Save and categorize content based on your preferences.

This page describes the approach that Google Kubernetes Engine (GKE) takes to improve compliance with the Center for Internet Security (CIS) benchmarks for Kubernetes and for GKE. This page includes the following information:

• How we configure the managed GKE control plane to conform to the CIS Kubernetes Benchmark
• How you can configure your GKE nodes and workloads to conform to the CIS Google Kubernetes Engine (GKE) Benchmark

CIS releases the following benchmarks that contain secure configuration guidelines for Kubernetes:

• CIS Kubernetes Benchmark: Applies to the open source Kubernetes project. Intended to provide guidance for a variety of self-managed and hosted Kubernetes implementations.
• CIS GKE Benchmark: Establishes guidelines for the secure configuration of components you can control in GKE clusters. Includes recommendations that are specific to GKE on Google Cloud.

We recommend that you prioritize the CIS GKE Benchmark, because it is specific to GKE on Google Cloud. The CIS Kubernetes Benchmark contains many recommendations for controls that you can't view or modify in GKE. Our approach to cluster security includes mitigations that go beyond the scope of the open source Kubernetes benchmark and might result in conflicts with those recommendations.

In addition to the CIS GKE Benchmark and the CIS Kubernetes Benchmark, the following benchmarks apply to the operating systems that are available in GKE. Even if a specific OS benchmark doesn't explicitly address Kubernetes usage, you should still reference that benchmark for additional security guidance.

• Container-Optimized OS Benchmark: the default operating system that's installed on all GKE Linux nodes
• Ubuntu Linux Benchmark: available for GKE Standard
• Windows Server Benchmark: available for GKE Standard

The default container runtime, containerd, doesn't have a benchmark.

Based on the GKE shared responsibility model, we manage the following components for you:

• The control plane, including the control plane VMs, API server, and components like the cluster state database (etcd or Spanner-based), kube-controller-manager, and kube-scheduler.
• The node operating system.

These components exist in a project that GKE owns, so you can't modify or evaluate any of these components against corresponding CIS Benchmark controls. You can, however, evaluate and remediate any CIS Benchmark controls that apply to your worker nodes and your workloads. Based on the GKE shared responsibility model, these components are your responsibility.

GKE is a managed implementation of open source Kubernetes. We fully manage the control plane and are responsible for securing the configuration of control plane components. The following table describes some of our decisions that might affect scoring of the CIS benchmarks:

• Some GKE monitoring components use anonymous authentication to obtain metrics.
• Some control plane components are bootstrapped using static tokens, which are then used to authenticate to the API server. These tokens are generated every time a VM starts or restarts.

GKE disables the following admission controllers:

• EventRateLimit: This is an alpha feature in Kubernetes
• AlwaysPullImages: This controller provides some protection for private registry images in noncooperative multitenant clusters, at the cost of making image registries a single point of failure for creating new Pods in the cluster.
• SecurityContextDeny: The Pod Security Admission controller is preferred and is available in all GKE editions. If you use GKE Enterprise, you can also enable enforcement of the Pod Security Standards by using Policy Controller.
• ImagePolicyWebhook: GKE disables ImagePolicyWebhook by default because it has its own mechanisms for image management and security. This lets GKE maintain stricter control over the environment and ensure that its security practices are consistently applied. However, you can use Binary Authorization or Policy Controller for policy management.

• GKE encrypts customer content at rest by default. You can optionally use a key that you manage to encrypt your data. For details, see Encrypt secrets at the application layer.
• GKE uses mTLS for traffic between control plane components and between the control plane and nodes. For details, see Cluster trust.

In open source Kubernetes, the cluster state database uses etcd. In GKE, the backend database that stores the cluster's state is one of the following technologies:

• etcd: the cluster runs etcd instances on the control plane.
• Spanner: GKE stores the cluster state in a Spanner-based database that's separate from the control plane VMs.

All GKE clusters serve the etcd API in control plane VMs. Any client interactions with Kubernetes API are the same as in open source Kubernetes. Depending on the database technology that's the backend for the etcd API in your cluster, you might notice discrepancies in any etcd-related scoring in the open source CIS Kubernetes Benchmark.

• GKE enables the unauthenticated kubelet read-only port. You can disable the port by setting --no-autoprovisioning-enable-insecure-kubelet-readonly-port. The read-only port will be disabled by default in a future release after allowing you some time to migrate.
• GKE Standard mode lets your workloads modify kernel defaults if needed.
• GKE limits the number of Kubernetes events in the kubelet to reduce the risk of denial-of-service attacks.
• GKE uses mTLS to secure traffic between the kubelet and the API server.
• GKE rotates server certificates by default, and rotates client certificates when Shielded GKE Nodes is enabled.
• GKE uses the golang default allowed cipher set, which is also the default for Kubernetes.

You can automate evaluation of your clusters against the Benchmarks by using one of the following methods:

• CIS GKE Benchmark:

  • All GKE editions:
    • Run kube-bench to evaluate worker nodes against the Benchmark. For details, see the kube-bench GitHub repository.
    • Use a third-party tool like Twistlock Defender to evaluate nodes against the Benchmark.
  • GKE Enterprise edition: use the Compliance dashboard to evaluate all of your clusters for compliance with the CIS GKE Benchmark. For details, see About the GKE Compliance Dashboard.

• CIS Kubernetes Benchmark: Run kube-bench to evaluate worker nodes against the Benchmark. You can't evaluate the managed control plane against those recommendations in the Benchmark.

• Read the GKE security overview.
• Follow security best practices in the GKE hardening guide.
• Learn about monitoring your clusters for security issues with GKE security posture.
• Learn how to evaluate your clusters for compliance issues in the GKE compliance dashboard for GKE Enterprise.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-08-12 UTC.

[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-12 UTC."],[],[]]

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4