- Automate CIS Benchmarking
- kube-bench
- GKE Enterprise Config Management with CIS benchmark policies
- Google Groups for RBAC
- Run nodes with a least-privilege SA—avoid the Compute Engine default service account; grant the node SA only:
  - roles/monitoring.viewer
  - roles/monitoring.metricWriter
  - roles/logging.logWriter
  - roles/stackdriver.resourceMetadata.write
- Use Workload Identity to access Google Cloud APIs—don’t use underlying node service account
- Enable private access only on control plane API
- Create a private cluster (no external IP addresses)—use bastion host for access
- Use Container-Optimized OS for node images—hardened OS
- Use shielded GKE nodes—protects against node impersonation
- Enable GKE Sandbox—protects against privilege escalation and untrusted code affecting the host kernel
- Enforce network policies—ensure prod Pods can only communicate with allowed resources
- Ensure audit logging is enabled—export logs to BigQuery
- Enable Binary Authorization—allow trusted container images only
- Enable container image vulnerability scanning
- Use GKE autopilot if possible—includes hardened setup by default
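To check an existing cluster against the items above, here is an added audit script (not from any Google tooling) that reads the output of `gcloud container clusters describe CLUSTER --format=json`; the field names are those of the GKE v1 API Cluster resource, and the sample cluster, project id and service-account number are constructed placeholders.

```python
"""Audit a GKE cluster description against the hardening checklist above.
Input: the JSON from `gcloud container clusters describe CLUSTER --format=json`
(field names follow the GKE v1 API Cluster resource); SAMPLE_CLUSTER is constructed."""
import re

# The Compute Engine default SA is <project-number>-compute@developer.gserviceaccount.com;
# the API also reports it as the literal string "default".
DEFAULT_SA = re.compile(r"^(default|\d+-compute@developer\.gserviceaccount\.com)$")

def audit_cluster(cluster: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if cluster.get("autopilot", {}).get("enabled"):
        return findings  # Autopilot ships the hardened node setup by default
    if not cluster.get("shieldedNodes", {}).get("enabled"):
        findings.append("shielded GKE nodes disabled")
    if not cluster.get("workloadIdentityConfig", {}).get("workloadPool"):
        findings.append("Workload Identity not configured; Pods fall back to node SA")
    private = cluster.get("privateClusterConfig", {})
    if not private.get("enablePrivateNodes"):
        findings.append("nodes have external IP addresses (not a private cluster)")
    if not private.get("enablePrivateEndpoint"):
        findings.append("control plane API reachable via public endpoint")
    if not cluster.get("networkPolicy", {}).get("enabled"):
        findings.append("network policy enforcement disabled")
    binauthz = cluster.get("binaryAuthorization", {})
    mode = binauthz.get("evaluationMode", "DISABLED")
    if not binauthz.get("enabled") and mode in ("DISABLED", "EVALUATION_MODE_UNSPECIFIED"):
        findings.append("Binary Authorization disabled")
    for pool in cluster.get("nodePools", []):
        cfg, name = pool.get("config", {}), pool.get("name", "?")
        if not cfg.get("imageType", "").upper().startswith("COS"):
            findings.append(f"node pool {name}: image {cfg.get('imageType')} is not Container-Optimized OS")
        if DEFAULT_SA.match(cfg.get("serviceAccount", "default")):
            findings.append(f"node pool {name}: runs as the Compute Engine default service account")
        if cfg.get("sandboxConfig", {}).get("type") != "GVISOR":
            findings.append(f"node pool {name}: GKE Sandbox (gVisor) not enabled")
    return findings

# Constructed sample Standard cluster; the project id and SA number are placeholders.
SAMPLE_CLUSTER = {
    "shieldedNodes": {"enabled": True},
    "workloadIdentityConfig": {"workloadPool": "example-project.svc.id.goog"},
    "privateClusterConfig": {"enablePrivateNodes": True, "enablePrivateEndpoint": False},
    "networkPolicy": {"provider": "CALICO", "enabled": True},
    "binaryAuthorization": {"evaluationMode": "PROJECT_SINGLETON_POLICY_ENFORCE"},
    "nodePools": [{"name": "default-pool", "config": {
        "imageType": "COS_CONTAINERD", "sandboxConfig": {"type": "GVISOR"},
        "serviceAccount": "123456789012-compute@developer.gserviceaccount.com"}}],
}
```

Running `audit_cluster(SAMPLE_CLUSTER)` reports two gaps: the public control-plane endpoint and the default node service account.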
References