Benchmark: Kubernetes
Description
This section contains recommendations for configuring Kubernetes resources.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-gcp-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select Kubernetes.
Run this benchmark in your terminal:
powerpipe benchmark run gcp_compliance.benchmark.all_controls_kubernetes
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run gcp_compliance.benchmark.all_controls_kubernetes --share
Controls
 - Verify all GKE clusters are Private Clusters
 - Ensure Kubernetes web UI/Dashboard is disabled
 - Ensure default Service account is not used for Project access in Kubernetes Engine clusters
 - Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
 - Check that legacy metadata endpoints are disabled on Kubernetes clusters (disabled by default since GKE 1.12+)
 - Ensure Kubernetes Cluster is created with Alias IP ranges enabled
 - Ensure automatic node repair is enabled on all node pools in a GKE cluster
 - Ensure Automatic node upgrades is enabled on Kubernetes Engine Clusters nodes
 - Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters
 - Ensure Container-Optimized OS (cos) is used for Kubernetes engine clusters
 - Check that GKE clusters have a Network Policy installed
 - GKE clusters binary authorization should be enabled
 - GKE clusters client certificate authentication should be enabled
 - GKE clusters should have database encryption enabled
 - GKE clusters HTTP load balancing should be enabled
 - GKE clusters should not allow incoming traffic from all sources across the internet
 - GKE clusters intra node visibility should be enabled
 - GKE clusters kubernetes alpha should be enabled
 - GKE clusters logging should be enabled
 - GKE clusters monitoring should be enabled
 - GKE clusters network policy should be enabled
 - GKE clusters should not use default network
 - GKE clusters nodes should not use default service account
 - GKE clusters private nodes should be configured
 - GKE clusters release channel should be configured
 - GKE clusters shielded nodes integrity monitoring should be enabled
 - GKE clusters shielded node secure boot should be enabled
 - GKE clusters should have shielded nodes enabled
 - Ensure Private Google Access is enabled for all subnetworks in kubernetes cluster
 - GKE clusters with less than three nodes should have auto upgrade enabled
 - GKE clusters should have resource labels
 - GKE clusters release should be zone redundant