Google Kubernetes Engine (GKE) provides the ability to secure containers across many layers of the stack, including container images, the container runtime, the cluster network, and access to the cluster API.
Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes
---|---|---|---|---|---|---
google_kubernetes_engine | Google Kubernetes Engine | protect | partial | T1613 | Container and Resource Discovery | By default, GKE nodes use Google's Container-Optimized OS to enhance the security of GKE clusters, including a locked-down firewall, a read-only filesystem, limited user accounts, and disabled root login.
google_kubernetes_engine | Google Kubernetes Engine | protect | partial | T1611 | Escape to Host | By default, GKE nodes use Google's Container-Optimized OS to enhance the security of GKE clusters, including a read-only filesystem, limited user accounts, and disabled root login.
google_kubernetes_engine | Google Kubernetes Engine | detect | partial | T1611 | Escape to Host | GKE provides the ability to audit against a Center for Internet Security (CIS) Benchmark, which is a set of recommendations for configuring Kubernetes to support a strong security posture. The Benchmark is tied to a specific Kubernetes release.
google_kubernetes_engine | Google Kubernetes Engine | protect | partial | T1610 | Deploy Container | Kubernetes role-based access control (RBAC) uses granular permissions to control access to resources within projects and to objects within Kubernetes clusters.
google_kubernetes_engine | Google Kubernetes Engine | protect | partial | T1053.007 | Container Orchestration Job | GKE provides the ability to audit against a set of recommended benchmarks, the Center for Internet Security (CIS) Benchmark. This control may help avoid privileged containers and running containers as root.
google_kubernetes_engine | Google Kubernetes Engine | protect | partial | T1609 | Container Administration Command | This control may provide information about vulnerabilities within container images, such as the risk from remote management of a deployed container. With the right permissions, an adversary could escalate to remote code execution in the Kubernetes cluster.
google_kubernetes_engine | Google Kubernetes Engine | detect | partial | T1525 | Implant Internal Image | After scanning for vulnerabilities, this control may alert personnel to tampered container images that could be running in a Kubernetes cluster.
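As an added illustration of the RBAC control in the T1610 (Deploy Container) row, not taken from the mapping or from Google's documentation: a namespace-scoped Role that grants only read access to Pods and Deployments, with no create, update, patch or delete verbs, bound to a group. The namespace `payments`, the group `app-operators` and the object names are placeholders chosen for this example.

```yaml
# Added example: least-privilege RBAC in a single namespace.
# Namespace "payments" and group "app-operators" are placeholder names.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: workload-viewer
  namespace: payments
rules:
  # Read-only access to the objects an operator needs to inspect.
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch"]
  # Deliberately absent: "create", "update", "patch" and "delete" on
  # pods and deployments, and the "pods/exec" / "pods/attach"
  # subresources. Members of the bound group therefore cannot deploy
  # new containers or run commands in existing ones via this binding.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-operators-view
  namespace: payments
subjects:
  - kind: Group
    name: app-operators   # placeholder group name
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: workload-viewer
  apiGroup: rbac.authorization.k8s.io
```

Verify the effective permissions with `kubectl auth can-i create pods -n payments --as=placeholder-user --as-group=app-operators`, which should answer `no`. Any other RoleBinding or ClusterRoleBinding that grants the same group wider rights changes that answer, so review those bindings as well.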