gcloud-gke vulnerability list
12 vulnerabilities found related to gcloud-gke
gcloud-gke-auto-repair-disabled: GKE Node Pools Without Auto-Repair Enabled
Ensure that the Auto-Repair feature is enabled for all your GKE cluster nodes to help maintain node health. Google Kubernetes Engine (GKE) triggers a repair action if a node reports consecutive unhealthy status reports for a given time threshold, such as when a node broadcasts a "NotReady" status, fails to broadcast any status, or runs out of disk space.

gcloud-gke-auto-upgrade-disabled: GKE Node Pools Without Auto-Upgrade Enabled
Ensure that the Auto-Upgrade feature is enabled for all the nodes running within your Google Kubernetes Engine (GKE) clusters. This feature helps you keep your cluster nodes up to date with the latest supported version of Kubernetes, automatically applying security fixes and new functionality.

gcloud-gke-cos-containerd-disabled: GKE Clusters Not Using Container-Optimized OS
Ensure that your Google Kubernetes Engine (GKE) cluster nodes use the Container-Optimized OS (cos_containerd), a managed, optimized, and hardened base OS provided by GKE to limit the host's attack surface. cos_containerd's layered architecture enables advanced GKE features like gVisor and Image Streaming, and offers improved resource efficiency and security.

gcloud-gke-cost-allocation-disabled: GKE Clusters Without Cost Allocation Enabled
Ensure that cost allocation is enabled for your Google Kubernetes Engine (GKE) clusters to gain detailed insights into resource usage. This feature allows you to break down resource consumption by Kubernetes namespaces and labels, making it easier to associate costs with specific entities and access detailed cost reports through billing data exported to BigQuery.

gcloud-gke-intranode-visibility-disabled: GKE Clusters Without Intranode Visibility Enabled
Ensure that intranode visibility is enabled for your Google Kubernetes Engine (GKE) clusters. This allows you to monitor and troubleshoot network traffic between pods running on the same node, enhancing both visibility and security. When enabled, packets exchanged between Pods are always processed by the VPC network.

gcloud-gke-monitoring-disabled: GKE Clusters Without Cloud Monitoring Enabled
Ensure that Cloud Monitoring is enabled for your Google Kubernetes Engine (GKE) clusters to collect metrics emitted by your Kubernetes applications and the GKE infrastructure. Cloud Monitoring helps track cluster health, application reliability, and performance metrics.

gcloud-gke-public-endpoint-enabled: GKE Clusters with Public Control Plane Endpoints
Ensure that your Google Kubernetes Engine (GKE) clusters are configured to use private endpoints only for control plane access, effectively disabling external access to the Kubernetes API. This requires configuring the GKE cluster with private nodes, a private master IP range, and IP aliasing.

gcloud-gke-sandbox-disabled: GKE Cluster Not Using Sandbox with gVisor
Ensure that your Google Kubernetes Engine (GKE) clusters are configured to use GKE Sandbox with gVisor to provide an additional layer of security isolation for containers. GKE Sandbox uses gVisor, a container runtime sandbox, to help isolate containers and protect the underlying host kernel.

gcloud-gke-secrets-encryption-disabled: GKE Clusters Without Application-Layer Secrets Encryption
Ensure that encryption of Kubernetes secrets with Customer-Managed Keys (CMKs) is enabled for your Google Kubernetes Engine (GKE) clusters. Application-layer secrets encryption protects your Kubernetes secrets in etcd with an encryption key managed using the Cloud KMS service, providing an additional layer of security for sensitive data.
gcloud-gke-security-posture-disabled: GKE Security Posture Dashboard Not Enabled
Ensure that the Security Posture dashboard is enabled for your Google Kubernetes Engine (GKE) clusters. This feature integrates with other cloud services such as Cloud Logging, Policy Controller, and Binary Authorization to provide visibility into vulnerabilities, misconfigurations, and compliance risks, helping to enhance cluster security and maintain regulatory compliance.
gcloud-gke-shielded-nodes-disabled: GKE Cluster Not Using Shielded Nodes
Ensure that your Google Kubernetes Engine (GKE) clusters are configured to use Shielded GKE Nodes to protect against rootkits and bootkits. Shielded GKE Nodes provide verifiable node identity and integrity through the use of Secure Boot, virtual trusted platform module (vTPM)-enabled measured boot, and integrity monitoring.

gcloud-gke-transparent-encryption-disabled: GKE Clusters Without Inter-Node Transparent Encryption
Ensure that encryption of in-transit data for Pod communications across Google Kubernetes Engine (GKE) cluster nodes is enabled with Customer-Managed Encryption Keys (CMEKs). This feature, which requires GKE Dataplane V2, provides additional encryption on top of the default VM NIC-level encryption using WireGuard.