cluster-1

Overview

Critical: 0
High: 7
Medium: 11
Low: 4
Informational: 0

Security issues (22)
Severity | Non-Compliance | Issue | Remediation
---|---|---|---
Low | — | Kubernetes cluster has an alias for IP ranges disabled. | Alias IP ranges make the cluster VPC-native, with Pod IP ranges assigned as aliases on the node's network interface. Make sure your Kubernetes clusters have alias IP ranges enabled.
Medium | — | Kubernetes cluster has auto-repair disabled for the node pools: node-pool4, node-pool3. | To have nodes that fail health checks repaired automatically, ensure auto-repair is enabled for all node pools in your Kubernetes Engine clusters.
Medium | — | Kubernetes cluster has auto-upgrade disabled for the node pool: default-pool. | To keep every node on the same version as the cluster control plane and receive the latest security patches, enable auto-upgrade for all node pools in your Kubernetes Engine clusters.
High | — | Kubernetes cluster has Container-Optimized OS disabled for node pool: node-pool2. | To run containers on Google Cloud Platform quickly, efficiently and securely, use Container-Optimized OS for all Kubernetes cluster nodes.
Low | — | Kubernetes cluster with default service account used for node pools: node-pool3, node-pool2, default-pool... | To reduce the attack surface if a node is compromised, ensure that no Kubernetes cluster nodes run as the default Compute Engine service account.
Medium | — | Kubernetes cluster has integrity monitoring disabled for node pools: node-pool4, node-pool3. | To monitor the boot integrity of your cluster nodes automatically, ensure that integrity monitoring is enabled for all your Kubernetes cluster nodes.
High | PCI DSS 3.5, HIPAA (Encryption) | No Customer-Managed Keys (CMK) encryption found for Kubernetes cluster node pools: node-pool4, node-pool3, default-pool. | To fulfill HIPAA and PCI DSS requirements for encryption of data at rest, make sure the boot disks of your Kubernetes cluster node pools are encrypted using CMK.
Medium | — | Kubernetes cluster has Secure Boot security feature disabled for the node pools: node-pool2, default-pool. | To protect your cluster nodes against boot-level malware and rootkits, ensure that the Secure Boot security feature is enabled for all your Kubernetes cluster nodes.
High | — | Kubernetes cluster has basic authentication enabled. | To make sure no static passwords are used to authenticate to the control plane, disable basic authentication on all clusters.
Low | — | Kubernetes cluster has alpha feature enabled. | As alpha clusters expire after thirty days and do not receive security updates, create a new cluster with the alpha feature disabled, migrate all workloads and data from the alpha cluster, and then delete the old cluster.
Medium | — | Kubernetes cluster has legacy authorization enabled. | As the legacy authorizer (ABAC) grants broad, statically defined permissions, ensure legacy authorization is disabled on all Kubernetes clusters and rely on RBAC instead.
Medium | PCI DSS 10.2, HIPAA (Audit) | Kubernetes cluster has logging disabled. | To fulfill HIPAA and PCI DSS requirements for logging of all activity, ensure all Kubernetes clusters have logging enabled.
Medium | — | Kubernetes cluster has master authorized networks disabled. | To restrict HTTPS access to the cluster control plane endpoint to the IP addresses in specified CIDR ranges, enable master authorized networks on all Kubernetes clusters.
High | — | Kubernetes cluster has network policy disabled. | For a more secure environment in which only specified connections are allowed between cluster pods, ensure all Kubernetes clusters have network policy enabled.
High | PCI DSS 3.5, HIPAA (Encryption) | Kubernetes cluster nodes are not encrypted using Customer-Managed Keys (CMK). | To fulfill HIPAA and PCI DSS requirements for encryption of data at rest, make sure the boot disks of your Kubernetes cluster nodes are encrypted using CMK.
Low | — | Kubernetes cluster does not have any labels. | To better organize your Kubernetes clusters, add labels to them.
High | — | Kubernetes cluster with default service account does not use minimal access scope. | Ensure that all Kubernetes clusters created with the default service account use minimal access scopes, so that a compromised node cannot call every API the default service account has permissions on.
High | — | Kubernetes cluster has pod security policy config disabled. | To control the security-sensitive aspects of the pod configuration, ensure all Kubernetes clusters have pod security policy config enabled. Note that PodSecurityPolicy was removed in Kubernetes 1.25; on clusters running 1.25 or later, enforce the same controls with Pod Security Admission or a policy controller instead.
Medium | — | Kubernetes cluster has private cluster disabled. | To give nodes internal IP addresses only and isolate workloads from the public Internet, ensure all Kubernetes clusters have private cluster enabled.
Medium | — | Kubernetes cluster does not have private endpoint enabled. | To route all traffic between the Kubernetes worker nodes and the control plane over a private endpoint inside the VPC rather than across the public internet, ensure all Kubernetes clusters have private endpoint enabled.
Medium | — | Kubernetes cluster does not have Shielded Nodes feature enabled. | To limit an attacker's ability to impersonate a node in your cluster even if they are able to extract the node credentials, ensure all Kubernetes clusters have the Shielded Nodes feature enabled.
Medium | — | Kubernetes cluster has web dashboard enabled. | As the web dashboard is backed by a highly privileged service account, ensure it is disabled on all Kubernetes clusters.
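The findings above can be reproduced offline from the cluster description that `gcloud container clusters describe CLUSTER --format=json` returns (the v1 Cluster resource). The script below is an added example written for this page, not the scanner's own code. It embeds a constructed sample description for cluster-1 whose values are chosen to reproduce the table above (the node pool names match; the KMS key path and the node-pool4 service account name are made up). The mapping from finding to API field is this editor's interpretation: the second CMK finding is read from the cluster-level `nodeConfig.bootDiskKmsKey` default, and "minimal access scope" is checked as "default service account combined with the cloud-platform OAuth scope". Every field name used is a real field of the GKE v1 Cluster/NodePool resources.

```python
import json

# Constructed sample: the fields of a `gcloud container clusters describe cluster-1 --format=json`
# document (v1 Cluster resource) that the checks below read. Values are chosen so the output
# reproduces the findings on this page; key path and node-pool4 service account are invented.
SAMPLE = json.loads(r"""
{
  "name": "cluster-1",
  "enableKubernetesAlpha": true,
  "legacyAbac": {"enabled": true},
  "loggingService": "none",
  "masterAuth": {"username": "admin"},
  "masterAuthorizedNetworksConfig": {"enabled": false},
  "networkPolicy": {"enabled": false},
  "podSecurityPolicyConfig": {"enabled": false},
  "privateClusterConfig": {"enablePrivateNodes": false, "enablePrivateEndpoint": false},
  "shieldedNodes": {"enabled": false},
  "ipAllocationPolicy": {"useIpAliases": false},
  "addonsConfig": {"kubernetesDashboard": {"disabled": false}},
  "resourceLabels": {},
  "nodePools": [
    {"name": "default-pool", "management": {"autoRepair": true, "autoUpgrade": false},
     "config": {"imageType": "COS_CONTAINERD", "serviceAccount": "default",
                "oauthScopes": ["https://www.googleapis.com/auth/cloud-platform"],
                "shieldedInstanceConfig": {"enableSecureBoot": false, "enableIntegrityMonitoring": true}}},
    {"name": "node-pool2", "management": {"autoRepair": true, "autoUpgrade": true},
     "config": {"imageType": "UBUNTU_CONTAINERD", "serviceAccount": "default",
                "bootDiskKmsKey": "projects/p/locations/us-central1/keyRings/r/cryptoKeys/k",
                "shieldedInstanceConfig": {"enableSecureBoot": false, "enableIntegrityMonitoring": true}}},
    {"name": "node-pool3", "management": {"autoRepair": false, "autoUpgrade": true},
     "config": {"imageType": "COS_CONTAINERD", "serviceAccount": "default",
                "shieldedInstanceConfig": {"enableSecureBoot": true, "enableIntegrityMonitoring": false}}},
    {"name": "node-pool4", "management": {"autoRepair": false, "autoUpgrade": true},
     "config": {"imageType": "COS_CONTAINERD", "serviceAccount": "gke-nodes@p.iam.gserviceaccount.com",
                "shieldedInstanceConfig": {"enableSecureBoot": true, "enableIntegrityMonitoring": false}}}
  ]
}
""")

CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"


def get(d, path, default=None):
    """Walk a dotted path through nested dicts; return default if any key is missing."""
    for key in path.split("."):
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d


# Cluster-wide checks: (severity, finding text, predicate that is True when misconfigured).
# A missing boolean is treated as "off", except the dashboard add-on, which is only flagged
# when it is explicitly present and not disabled.
CLUSTER_CHECKS = [
    ("Low", "an alias for IP ranges disabled", lambda c: not get(c, "ipAllocationPolicy.useIpAliases", False)),
    ("High", "basic authentication enabled", lambda c: bool(get(c, "masterAuth.username"))),
    ("Low", "alpha feature enabled", lambda c: get(c, "enableKubernetesAlpha", False)),
    ("Medium", "legacy authorization enabled", lambda c: get(c, "legacyAbac.enabled", False)),
    ("Medium", "logging disabled", lambda c: get(c, "loggingService") == "none"),
    ("Medium", "master authorized networks disabled", lambda c: not get(c, "masterAuthorizedNetworksConfig.enabled", False)),
    ("High", "network policy disabled", lambda c: not get(c, "networkPolicy.enabled", False)),
    ("High", "no CMK on the cluster default node config", lambda c: not get(c, "nodeConfig.bootDiskKmsKey")),
    ("Low", "no labels", lambda c: not get(c, "resourceLabels")),
    ("High", "pod security policy config disabled", lambda c: not get(c, "podSecurityPolicyConfig.enabled", False)),
    ("Medium", "private cluster disabled", lambda c: not get(c, "privateClusterConfig.enablePrivateNodes", False)),
    ("Medium", "private endpoint disabled", lambda c: not get(c, "privateClusterConfig.enablePrivateEndpoint", False)),
    ("Medium", "Shielded Nodes disabled", lambda c: not get(c, "shieldedNodes.enabled", False)),
    ("Medium", "web dashboard enabled", lambda c: get(c, "addonsConfig.kubernetesDashboard.disabled") is False),
]

# Per-node-pool checks, reported once per finding with the list of offending pools.
POOL_CHECKS = [
    ("Medium", "auto-repair disabled", lambda p: not get(p, "management.autoRepair", False)),
    ("Medium", "auto-upgrade disabled", lambda p: not get(p, "management.autoUpgrade", False)),
    ("High", "Container-Optimized OS disabled", lambda p: not get(p, "config.imageType", "").startswith("COS")),
    ("Low", "default service account used", lambda p: get(p, "config.serviceAccount", "default") == "default"),
    ("Medium", "integrity monitoring disabled", lambda p: not get(p, "config.shieldedInstanceConfig.enableIntegrityMonitoring", False)),
    ("Medium", "Secure Boot disabled", lambda p: not get(p, "config.shieldedInstanceConfig.enableSecureBoot", False)),
    ("High", "no CMK on boot disks", lambda p: not get(p, "config.bootDiskKmsKey")),
    ("High", "default service account with the cloud-platform scope",
     lambda p: get(p, "config.serviceAccount", "default") == "default" and CLOUD_PLATFORM in get(p, "config.oauthScopes", [])),
]


def audit(cluster):
    """Return (severity, message) findings for one cluster description, in check order."""
    findings = [(sev, f"Kubernetes cluster has {what}.") for sev, what, bad in CLUSTER_CHECKS if bad(cluster)]
    for sev, what, bad in POOL_CHECKS:
        pools = [p["name"] for p in cluster.get("nodePools", []) if bad(p)]
        if pools:
            findings.append((sev, f"Kubernetes cluster has {what} for node pools: {', '.join(pools)}."))
    return findings


def summary(findings):
    """Count findings per severity, in the order the overview above uses."""
    counts = {s: 0 for s in ("Critical", "High", "Medium", "Low", "Informational")}
    for sev, _ in findings:
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE)
    print(summary(results), f"Security issues ({len(results)})")
    for sev, msg in results:
        print(f"{sev:<7} {msg}")
```

Against the constructed sample this yields the same severity counts as the overview (7 High, 11 Medium, 4 Low, 22 issues). To run it against a live cluster, replace `SAMPLE` with the parsed output of `gcloud container clusters describe CLUSTER --location LOCATION --format=json`; the checks only read fields, so the caller needs nothing beyond `container.clusters.get`.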