GCP Google Kubernetes Engine Capability Group

All Mappings

| Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Comments |
|---|---|---|---|---|---|---|
| google_kubernetes_engine | Google Kubernetes Engine | protect | partial | T1613 | Container and Resource Discovery | By default, GKE nodes use Google's Container-Optimized OS to enhance the security of GKE clusters, including a locked-down firewall, a read-only filesystem, limited user accounts, and disabled root login. |
| google_kubernetes_engine | Google Kubernetes Engine | protect | partial | T1611 | Escape to Host | By default, GKE nodes use Google's Container-Optimized OS to enhance the security of GKE clusters, including a read-only filesystem, limited user accounts, and disabled root login. |
| google_kubernetes_engine | Google Kubernetes Engine | detect | partial | T1611 | Escape to Host | GKE provides the ability to audit against a Center for Internet Security (CIS) Benchmark, which is a set of recommendations for configuring Kubernetes to support a strong security posture. The Benchmark is tied to a specific Kubernetes release. |
| google_kubernetes_engine | Google Kubernetes Engine | protect | partial | T1610 | Deploy Container | Kubernetes role-based access control (RBAC) uses granular permissions to control access to resources within projects and objects within Kubernetes clusters. |
| google_kubernetes_engine | Google Kubernetes Engine | protect | partial | T1053.007 | Container Orchestration Job | GKE provides the ability to audit against a set of recommended configurations, the Center for Internet Security (CIS) Benchmark. This control may help avoid privileged containers and containers running as root. |
| google_kubernetes_engine | Google Kubernetes Engine | protect | partial | T1609 | Container Administration Command | This control may provide information about vulnerabilities within container images, such as the risk from remote management of a deployed container. With the right permissions, an adversary could escalate to remote code execution in the Kubernetes cluster. |
| google_kubernetes_engine | Google Kubernetes Engine | detect | partial | T1525 | Implant Internal Image | After scanning for vulnerabilities, this control may alert personnel to tampered container images that could be running in a Kubernetes cluster. |

Capabilities

| Capability ID | Capability Name | Number of Mappings |
|---|---|---|
| google_kubernetes_engine | Google Kubernetes Engine | 7 |