Kubernetes CIS Benchmark
Implementing the CIS Benchmark for GKE with custom Organization Policies. As the use of container workloads grows, so does the need to create and maintain a reliable, robust Kubernetes security posture; failing to do so can have serious repercussions for an organization's risk posture. According to the 2024 State of Kubernetes Security Report, container and Kubernetes security issues cost over 50% of organisations money or customers.
Organization Policies help you apply security controls consistently across your cloud infrastructure. You can use custom Organization Policies to proactively enforce several Kubernetes CIS Benchmark recommendations, ensuring that appropriate safeguards are in place for Google Kubernetes Engine (GKE) Standard and Autopilot clusters.
Deploying these preventive controls has become simpler with a custom Organization Policy library that can apply constraints to GKE and to other Google Cloud services such as Dataproc, Cloud Storage, Network, Firewall, Cloud Run, Cloud Build, Identity and Access Management, and Compute Engine.
Custom Organization Policies can be used to enforce adherence to the Kubernetes CIS Benchmark, which is crucial for GKE security.
What is the CIS Benchmark for GKE?
The Kubernetes CIS Benchmark is a thorough collection of security best practices and recommendations intended to improve the security posture of GKE clusters. It provides recommendations for evaluating and reducing risk in areas including network security, IAM, and authentication and authorization.
Applying the Kubernetes CIS Benchmark supports two important goals: lowering the risk of cyberattacks and ensuring adherence to industry standards. Custom Organization Policy supports the GKE Cluster and NodePool resource types, so many of the CIS recommendations for GKE can be enforced with it.
Achieving compliance with custom organization policies
Custom Organization Policies let you apply your own granular security and compliance rules. They restrict specific settings and behaviours in your cloud environment through policies and constraints whose conditions are written in Common Expression Language (CEL).
Custom Organization Policies ensure that both new and existing GKE clusters follow your security guidelines. They act as preventive controls at the Google Cloud level and work with any provisioning tool, which makes security enforcement more automatic and consistent.
Custom Organization Policies also support safe rollout capabilities such as simulation and dry run, which let organisations test policy changes and confirm they will not interfere with operations before enforcing them in production.
You can use custom Organization Policies to implement some of the most important recommendations of the Kubernetes CIS Benchmark, such as:
- Limiting provisioning to private clusters with private endpoints and private nodes.
- Requiring Secure Boot to be enabled on the nodes.
- Requiring nodes to run Container-Optimized OS.
The following are some examples of custom Organization Policy constraints for GKE:
Enforcing private cluster use

```yaml
name: organizations/<ORG_ID>/customConstraints/custom.gkeRequirePrivateNodes
resource_types:
- container.googleapis.com/Cluster
condition: resource.privateClusterConfig.enablePrivateNodes == false
action_type: DENY
method_types:
- CREATE
- UPDATE
display_name: Require GKE private nodes
description: Enforce that GKE clusters are created as private clusters with private nodes
```
Ensuring nodes are configured to use Container-Optimized OS

```yaml
name: organizations/<ORG_ID>/customConstraints/custom.gkeRequireCOSImage
resource_types:
- container.googleapis.com/NodePool
condition: resource.config.imageType != "COS_CONTAINERD"
action_type: DENY
method_types:
- CREATE
- UPDATE
display_name: Require Container-Optimized OS on node pools
description: Enforce that node pools use Container-Optimized OS for running containers
```
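As an added example (not from the original article), the shell below writes a third constraint, for the Secure Boot recommendation listed earlier, in the same YAML shape as the two above, pairs it with a dry-run policy so violations are only logged at first, and applies both with gcloud on request; the organization id, the output directory and the NodePool field path `config.shieldedInstanceConfig.enableSecureBoot` are assumptions.

```shell
# Added example, not from the original article: writes a Secure Boot
# constraint in the same YAML shape as the ones above plus a dry-run
# policy, and applies both with gcloud on request. ORG_ID is a placeholder.
set -eu
ORG_ID="${ORG_ID:-000000000000}"               # placeholder organisation id
OUT_DIR="${OUT_DIR:-${TMPDIR:-/tmp}/orgpolicy}" # where the YAML is written
# write_constraint NAME RESOURCE_TYPE CEL_CONDITION DISPLAY_NAME
# Emits a DENY constraint on CREATE and UPDATE; prints the file path.
write_constraint() {
  name="$1"; rtype="$2"; cond="$3"; display="$4"
  mkdir -p "$OUT_DIR"
  cat > "$OUT_DIR/$name.yaml" <<EOF
name: organizations/$ORG_ID/customConstraints/custom.$name
resource_types:
- $rtype
condition: $cond
action_type: DENY
method_types:
- CREATE
- UPDATE
display_name: $display
EOF
  echo "$OUT_DIR/$name.yaml"
}

# write_dry_run_policy NAME: a policy with only dryRunSpec records would-be
# violations in audit logs without blocking requests (observe, then enforce).
write_dry_run_policy() {
  name="$1"
  mkdir -p "$OUT_DIR"
  cat > "$OUT_DIR/$name-policy.yaml" <<EOF
name: organizations/$ORG_ID/policies/custom.$name
dryRunSpec:
  rules:
  - enforce: true
EOF
  echo "$OUT_DIR/$name-policy.yaml"
}

# apply_with_gcloud NAME: pushes both files; needs an authenticated gcloud.
apply_with_gcloud() {
  gcloud org-policies set-custom-constraint "$OUT_DIR/$1.yaml"
  gcloud org-policies set-policy "$OUT_DIR/$1-policy.yaml"
}
# Field path assumed from the GKE NodePool API (config.shieldedInstanceConfig).
write_constraint gkeRequireSecureBoot container.googleapis.com/NodePool \
  'resource.config.shieldedInstanceConfig.enableSecureBoot == false' \
  'Require Secure Boot on GKE node pools'
write_dry_run_policy gkeRequireSecureBoot
```

Run `apply_with_gcloud gkeRequireSecureBoot` once the generated files look right; switch the policy from `dryRunSpec` to `spec` when the audit logs show no unexpected violations.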
Custom Organization Policies let organisations build security into the foundational layer of their infrastructure. By preventing vulnerabilities and misconfigurations much earlier, this proactive strategy lowers both security risk and remediation costs.
Simplify onboarding with custom organization policy library
To make implementing custom Organization Policies easier, Google Cloud has created a library of policies, available in the Google Cloud Professional Services public GitHub repository. The library currently contains about 80 ready-to-use policies that turn security and compliance recommendations into workable controls for a Google Cloud environment.
The library incorporates recommendations from the Kubernetes CIS Benchmark mentioned above, with over 30 controls currently in place. With it, organisations can use custom Organization Policies to implement security best practices quickly and effectively. Its main attributes and advantages are:
- The library offers a starting point and can simplify adding policies that meet security and compliance requirements. Policies can be further tailored to your particular needs.
- By integrating these policies with your provisioning tools, you can automate the application of security best practices. Terraform and gcloud integration is available through Cloud Foundation Fabric modules.
- As more services gain support for custom Organization Policies, the library will keep expanding with new policies and improvements. More than 30 Google Cloud services are already supported.
How to get started
Custom Organization Policies make it easier than ever to build a strong security posture and address potential risks. With the custom Organization Policy library available on GitHub, any organisation can start implementing compliance and security controls for GKE Standard and GKE Autopilot, as well as many other services.
Google Cloud recommends exploring the GitHub policy library repository and using custom Organization Policies to implement security controls in your own organization.