gcloud gke vulnerability list
13 vulnerabilities found related to gcloud gke
gcloud-gke-binary-authorization-disabled: GKE Clusters Without Binary Authorization Enabled
Ensure that Binary Authorization is enabled for your Google Kubernetes Engine (GKE) clusters to enforce container image policies at admission time. Binary Authorization allows only images that carry the required attestations (or match an allow-listed pattern) to be deployed, reducing the risk of running vulnerable or unauthorized software.

gcloud-gke-confidential-nodes-disabled: GKE Clusters Not Using Confidential Nodes
Ensure that your Google Kubernetes Engine (GKE) cluster node pools use Confidential GKE Nodes so that all running workloads execute in encrypted memory. Confidential GKE Nodes use hardware-based memory encryption to protect data and applications from unauthorized access or modification while in use.

gcloud-gke-default-service-account: GKE Clusters Using Default Service Account
Ensure that your Google Kubernetes Engine (GKE) node pools run with a user-managed service account instead of the Google-managed default Compute Engine service account. The default service account carries broad permissions across the GCP project, which violates the principle of least privilege (POLP): a compromised node or pod could use them against other project resources.

gcloud-gke-integrity-monitoring-disabled: GKE Node Pools Without Integrity Monitoring
Ensure that Integrity Monitoring is enabled for your Google Kubernetes Engine (GKE) cluster nodes so that the boot-time measurements taken by the Shielded VM vTPM are checked and reported to Google Cloud Monitoring. This feature verifies that the boot loader and other measured components have not been tampered with since the baseline.

gcloud-gke-labels-missing: GKE Clusters Missing Resource Labels
Ensure that user-defined labels are used to tag, collect, and organize GKE clusters within your Google Cloud Platform (GCP) projects. User-defined labels are a lightweight way to group related cloud resources for billing, inventory, and ownership tracking. These GCP resource labels are unrelated to Kubernetes labels.

gcloud-gke-metadata-server-disabled: GKE Clusters Without Metadata Server Enabled
Ensure that the GKE Metadata Server is enabled for your Google Kubernetes Engine (GKE) node pools. It intercepts metadata requests from pods and prevents workloads from reading sensitive instance metadata, in particular the node service account's token. The GKE Metadata Server requires Workload Identity, which gives pods their own Google identities for authentication and authorization.

gcloud-gke-notifications-disabled: GKE Clusters Without Critical Notifications Enabled
Ensure that cluster notifications are enabled for your Google Kubernetes Engine (GKE) clusters so that you receive Pub/Sub messages about upgrades, security bulletins, and other relevant events. This helps you stay informed about potential risks and act on them promptly.

gcloud-gke-private-nodes-disabled: GKE Clusters Without Private Nodes Enabled
Ensure that your Google Kubernetes Engine (GKE) clusters provision all nodes with only internal IP addresses (private nodes). This prevents external clients from reaching the nodes directly and removes the nodes' direct path to the Internet, reducing the attack surface; any required egress goes through Cloud NAT or a proxy.

gcloud-gke-release-channel-disabled: GKE Clusters Without Release Channel Configuration
Ensure that your Google Kubernetes Engine (GKE) clusters are subscribed to either the Regular or the Stable release channel to automate version management and upgrades. Release channels select cluster versions to balance new features against stability, while ensuring critical security patches are delivered automatically.

gcloud-gke-secure-boot-disabled: GKE Node Pools Without Secure Boot Enabled
Ensure that the Secure Boot feature is enabled for your GKE cluster nodes to protect them against boot-level malware and rootkits. Secure Boot verifies the digital signature of each boot component and halts the boot process if signature verification fails, so only authentic software runs.

gcloud-gke-vpc-native-disabled: GKE Clusters Without VPC-Native Traffic Routing
Ensure that VPC-native traffic routing is enabled for your Google Kubernetes Engine (GKE) clusters. VPC-native clusters assign pod IPs from alias IP ranges in the VPC, which improves integration with Google Cloud networking (firewall rules, Private Google Access, peering) as well as performance and scalability.

gcloud-gke-vulnerability-scanning-disabled: GKE Clusters Without Workload Vulnerability Scanning
Ensure that workload vulnerability scanning is enabled for your Google Kubernetes Engine (GKE) clusters to detect vulnerabilities in container images, support compliance with security standards, and protect your clusters from potential threats. When enabled, a vulnerability scanning pod is deployed to each node within your GKE cluster to conduct the scan.

gcloud-gke-workload-identity-disabled: GKE Clusters Without Workload Identity Federation
Ensure that Workload Identity Federation is enabled for your Google Kubernetes Engine (GKE) clusters so that Kubernetes workloads can call Google Cloud APIs with a per-workload identity. Workload Identity Federation simplifies access management and eliminates the need for less secure methods such as long-lived service account keys mounted into pods.
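The thirteen checks above all reduce to reading fields of one cluster description. The following script is an added example, not part of this page or of the templates it lists: it evaluates every check offline against the JSON that `gcloud container clusters describe NAME --location LOC --format=json` prints. The field names follow the GKE v1 Cluster resource as I know it (an assumption to verify against the current API reference), the two sample clusters are constructed, and the check ids are reused from the list above.

```python
"""Offline audit of a GKE cluster description against the checks listed above."""
import json
import sys

# Constructed sample (not a real cluster): a default-style cluster that fails
# most checks, in the shape `gcloud container clusters describe --format=json` prints.
WEAK_CLUSTER = {
    "name": "example-cluster",
    "resourceLabels": {},
    "binaryAuthorization": {"evaluationMode": "DISABLED"},
    "confidentialNodes": {"enabled": False},
    "ipAllocationPolicy": {"useIpAliases": False},
    "privateClusterConfig": {"enablePrivateNodes": False},
    "notificationConfig": {"pubsub": {"enabled": False}},
    "securityPostureConfig": {"vulnerabilityMode": "VULNERABILITY_DISABLED"},
    "nodePools": [{
        "name": "default-pool",
        "config": {
            "serviceAccount": "default",
            "shieldedInstanceConfig": {"enableSecureBoot": False, "enableIntegrityMonitoring": True},
            "workloadMetadataConfig": {"mode": "GCE_METADATA"},
        },
    }],
}

# The same cluster with every setting from the list remediated (also constructed).
HARDENED_CLUSTER = {
    "name": "example-cluster",
    "resourceLabels": {"env": "prod", "owner": "platform"},
    "binaryAuthorization": {"evaluationMode": "PROJECT_SINGLETON_POLICY_ENFORCE"},
    "confidentialNodes": {"enabled": True},
    "ipAllocationPolicy": {"useIpAliases": True},
    "privateClusterConfig": {"enablePrivateNodes": True},
    "notificationConfig": {"pubsub": {"enabled": True, "topic": "projects/example-project/topics/gke-alerts"}},
    "securityPostureConfig": {"vulnerabilityMode": "VULNERABILITY_BASIC"},
    "releaseChannel": {"channel": "REGULAR"},
    "workloadIdentityConfig": {"workloadPool": "example-project.svc.id.goog"},
    "nodePools": [{
        "name": "default-pool",
        "config": {
            "serviceAccount": "gke-nodes@example-project.iam.gserviceaccount.com",
            "shieldedInstanceConfig": {"enableSecureBoot": True, "enableIntegrityMonitoring": True},
            "workloadMetadataConfig": {"mode": "GKE_METADATA"},
        },
    }],
}


def _every_pool(cluster, pred):
    """True only if the cluster has node pools and pred holds for each pool's config."""
    pools = cluster.get("nodePools") or []
    return bool(pools) and all(pred(p.get("config") or {}) for p in pools)


def _shielded(cfg, key):
    return bool((cfg.get("shieldedInstanceConfig") or {}).get(key))


def _user_managed_sa(cfg):
    # "default" (or an absent field) and <project-number>-compute@developer... both
    # mean the Google-managed default Compute Engine service account.
    sa = cfg.get("serviceAccount") or "default"
    return sa != "default" and not sa.endswith("-compute@developer.gserviceaccount.com")


def audit_cluster(cluster):
    """Map each check id from the list above to True (passes) or False (finding)."""
    ba = cluster.get("binaryAuthorization") or {}
    pubsub = (cluster.get("notificationConfig") or {}).get("pubsub") or {}
    return {
        "gcloud-gke-binary-authorization-disabled":
            ba.get("enabled") is True
            or ba.get("evaluationMode") not in (None, "DISABLED", "EVALUATION_MODE_UNSPECIFIED"),
        "gcloud-gke-confidential-nodes-disabled":
            bool((cluster.get("confidentialNodes") or {}).get("enabled"))
            or _every_pool(cluster, lambda c: bool((c.get("confidentialNodes") or {}).get("enabled"))),
        "gcloud-gke-default-service-account": _every_pool(cluster, _user_managed_sa),
        "gcloud-gke-integrity-monitoring-disabled":
            _every_pool(cluster, lambda c: _shielded(c, "enableIntegrityMonitoring")),
        "gcloud-gke-labels-missing": bool(cluster.get("resourceLabels")),
        "gcloud-gke-metadata-server-disabled":
            _every_pool(cluster, lambda c: (c.get("workloadMetadataConfig") or {}).get("mode") == "GKE_METADATA"),
        "gcloud-gke-notifications-disabled": bool(pubsub.get("enabled")) and bool(pubsub.get("topic")),
        "gcloud-gke-private-nodes-disabled":
            bool((cluster.get("privateClusterConfig") or {}).get("enablePrivateNodes")),
        # The list recommends Regular or Stable; Rapid is a channel too but is treated as a finding here.
        "gcloud-gke-release-channel-disabled":
            (cluster.get("releaseChannel") or {}).get("channel") in ("REGULAR", "STABLE"),
        "gcloud-gke-secure-boot-disabled": _every_pool(cluster, lambda c: _shielded(c, "enableSecureBoot")),
        "gcloud-gke-vpc-native-disabled": bool((cluster.get("ipAllocationPolicy") or {}).get("useIpAliases")),
        "gcloud-gke-vulnerability-scanning-disabled":
            (cluster.get("securityPostureConfig") or {}).get("vulnerabilityMode")
            in ("VULNERABILITY_BASIC", "VULNERABILITY_ENTERPRISE"),
        "gcloud-gke-workload-identity-disabled":
            bool((cluster.get("workloadIdentityConfig") or {}).get("workloadPool")),
    }


def findings(cluster):
    """Sorted ids of the checks the cluster fails."""
    return sorted(check_id for check_id, ok in audit_cluster(cluster).items() if not ok)


if __name__ == "__main__":
    # Usage: gcloud container clusters describe NAME --location LOC --format=json | python3 gke_audit.py
    # With no piped input the constructed weak sample is audited instead.
    cluster = WEAK_CLUSTER if sys.stdin.isatty() else json.load(sys.stdin)
    for check_id in findings(cluster):
        print("FAIL", check_id)
```

Each entry in the result map is a single field lookup, so the script doubles as a reference for which setting each check inspects. Node-pool checks pass only if every pool complies; a cluster with one hardened pool and one legacy pool is still a finding.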