GKE Autopilot CIS Benchmark Tool

Identity & Access Management

Configure Workload Identity, service accounts, and RBAC policies

Enable Workload Identity Use Workload Identity to access Google Cloud services securely

Minimize Service Account Privileges Use least-privilege service accounts for workloads

Enable RBAC Configure Role-Based Access Control for cluster resources

Restrict Master Authorized Networks Limit access to Kubernetes API server

Enable Binary Authorization Verify container image signatures before deployment

Protect GKE Metadata Server Configure metadata concealment and Network Policy

Logging & Monitoring

Enable comprehensive logging and monitoring for audit and security

Enable Cloud Audit Logs Track API calls and admin activities

Enable Cluster Logging Collect logs from system components and workloads

Enable Cloud Monitoring Monitor cluster and workload metrics

Enable Security Posture Management Continuous security vulnerability scanning

Enable Threat Detection Real-time security threat detection and alerting

Network Security

Implement network isolation, policies, and private clusters

Enable Private Cluster Use private IP addresses for nodes

Enable Private Endpoint Make Kubernetes API accessible only via private network

Enable Network Policy Control traffic between pods using network policies

Use VPC-Native Cluster Enable alias IP ranges for better network performance

Enable GKE Dataplane V2 Use eBPF-based dataplane for better network security

Enable Pod Security Standards Enforce pod-level security policies

Default Deny Egress Policy Restrict outbound traffic by default

Configure VPC Firewall Rules Restrict network access using firewall rules

Workload Security

Secure container workloads with admission control and sandboxing

Enable GKE Sandbox (gVisor) Add an additional layer of isolation for containers

Enable Shielded GKE Nodes Protect against rootkits and bootkits

Configure Admission Controllers Validate and mutate resource requests

Enforce Security Contexts Set pod and container security constraints

Enable Vulnerability Scanning Automatically scan container images for vulnerabilities

Set Resource Limits Define CPU and memory limits for containers

Data Protection

Secure secrets, enable encryption, and protect sensitive data

Enable Application-Layer Secrets Encryption Encrypt secrets at application layer using KMS

Enable Boot Disk Encryption Encrypt node boot disks using customer-managed keys

Use Secret Manager Store secrets in Google Secret Manager instead of etcd

Restrict Metadata Access Prevent pods from accessing sensitive metadata

Configure Backup Solutions Set up automated backups for cluster data

Cluster Configuration

Configure cluster-level security settings and policies

Enable Auto-Upgrade Automatically upgrade to latest patch versions

Enable Auto-Repair Automatically repair unhealthy nodes

Configure Maintenance Windows Define maintenance windows for upgrades

Configure Surge Upgrades Control node upgrade surge settings

Configure Release Channel Select appropriate GKE release channel

Apply Resource Labels Tag resources for organization and billing

Use Container-Optimized OS Use hardened Container-Optimized OS for nodes

GKE AutoPilot Security Hardening Tool

CIS Benchmark Compliant

Multiple Output Formats

Rollback Procedures

Quick Generation

Select Hardening Options