Level up your Kubernetes security with the CIS GKE Benchmarks
Poonam Lamba
Product Manager, Google
Michele Chubirka
Staff Cloud Security Advocate, Google
Compliance efforts can feel like a challenging endeavor in most organizations. Engineering teams routinely don’t understand how often-confusing requirements will actually make the organization more secure. Sometimes, even the words that define compliance requirements can be hard to comprehend. The entire exercise can feel overwhelming, like being on an endless security treadmill.
At Google Cloud, we believe that compliance efforts, essential to securely managing technology, can be easier to manage when paired with a powerful platform such as Kubernetes. From your first experience with Google Kubernetes Engine (GKE), you will find guidance on how to best implement GKE securely and in compliance with common frameworks — including those from the Center for Internet Security (CIS).
The CIS is an independent, nonprofit organization with a mission to create confidence in the connected world. It is responsible for the CIS Controls and CIS Benchmarks, globally recognized best practices for securing IT systems and data. These prescriptive configuration recommendations are industry-standard guidelines that can help you identify how to harden different technologies and minimize your organizational risk.
The CIS also offers recommendations to address provider-specific implementations, such as GKE. Google Cloud’s GKE provides a best-in-class, secure-by-default configuration, which can be further heightened through Autopilot, a hands-off operations mode that follows best practices and recommendations for cluster and workload setup, scalability, and security. Google Cloud also provides the information needed to verify GKE’s security posture for assessment and audit activities.
With this goal in mind, we’ve partnered with the CIS to release updated CIS Benchmarks for GKE and GKE Autopilot. These tailored guidelines were developed in collaboration with the community to clarify which recommendations are relevant for GKE users. The latest updates feature more than 80 recommended controls which can help enhance your organization’s GKE security posture.
These benchmarks now fully support GKE versions 1.29, 1.30, and 1.31, ensuring your security posture stays in sync with the latest advancements in Google’s Kubernetes platform. Some of the changes we’ve made include:
- Updated controls to ensure they address the latest security challenges and best practices in GKE.
- Removed controls that are no longer relevant to GKE, streamlining the focus on essential safeguards.
- Introduced new controls that address threats using the latest GKE security features.
- Reviewed and categorized all controls as L1 (essential) or L2 (advanced), and streamlined guidance on how to prioritize security efforts based on your organization’s risk posture.
- Aligned the benchmark and its recommendations with the latest CIS Kubernetes Benchmark version.
You can view the updated CIS GKE and Autopilot Benchmarks here. Additionally, GKE Enterprise comes with Compliance and Policy Controller for enforcing security controls across your GKE clusters.
This benchmark refresh represents Google Cloud’s ongoing commitment to a shared fate relationship with our customers and our secure-by-default pledge to the Cybersecurity and Infrastructure Security Agency (CISA). We've gathered the best Kubernetes security experts from Google to craft benchmarks that are accurate and can be practically applied.
You can review your compliance with CIS GKE Benchmark items using Security Health Analytics, a capability built into Security Command Center (SCC). You’ll be able to identify, review, and remediate any cluster configurations that don’t comply with the recommendations displayed in the SCC dashboard.
Using the CIS Benchmarks represents an important step in safeguarding your Google Cloud infrastructure and improving your organization’s risk posture. If you’re new to GKE Enterprise, learn more about how to start a free trial.