This document explains what the CIS Kubernetes and Google Kubernetes Engine (GKE)

The Center for Internet Security provides a number of guidelines and benchmark tests for best practices in securing your code. The CIS Benchmarks are among its most popular tools. CIS Benchmarks are developed by an open community of security practitioners and licensed under a Creative Commons … CIS Benchmarks are the only consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia. The CIS Benchmarks are distributed free of charge in PDF format to propagate their worldwide use and adoption as user-originated, de facto standards.

of recommendations for configuring Kubernetes to support a strong security posture. The Benchmark is tied to a specific Kubernetes release. The CIS Kubernetes Benchmark is written for the open source Kubernetes distribution and intended to be as universally applicable across distributions as possible. The CIS Kubernetes Benchmark is scoped for implementations managing both the control plane, which includes etcd, API server, controller and scheduler, and the data plane, which is made up of one or more nodes. An objective, consensus-driven security guideline for the Kubernetes Server Software.

With GKE, you can use CIS Benchmarks for:
The CIS Kubernetes Benchmark is available on the CIS website.
The CIS GKE Benchmark is available on the CIS website: The CIS GKE Benchmark is listed for download.

This draws from the CIS Kubernetes Benchmark.
removes items that are not configurable or managed by the user and adds additional controls that are Google Cloud-specific.
Benchmark from the CIS Kubernetes Benchmark.
Note that the version numbers for different Benchmarks may not be the same.

Recommendations exhibit one or more of the following characteristics:
Recommendations are meant to be widely applicable.
not inhibit the utility of the technology beyond acceptable means.
are intended for environments or use cases where security is paramount; may negatively inhibit the utility or performance of the technology. These may have performance impact, or may not be able to be applied in concert with other recommendations. These should be evaluated for your environment before being applied.
Recommendations are easily tested using an automated method, and have a value that can be definitively evaluated.
Recommendations cannot be easily assessed using automation or require

In GKE, under the Shared responsibility model, Google manages the following Kubernetes components: The control plane (master), including the control plane VMs, API server, other components on the VMs, and etcd. You are still responsible for upgrading the nodes that run your workloads, and the workloads themselves. Configurations related to these items are generally not available for you to audit or modify in GKE.
You can generally audit and remediate any
recommendations to these components.
are running on GKE, not to GKE system

Items that can be automatically audited are marked as Scored in the CIS GKE Benchmark. Specific instructions for auditing each recommendation are available as part of the relevant CIS Benchmark. However, you may wish to automate some of these checks to simplify the verification of these controls in your environment. The tools listed below can help with this.

Security Health Analytics
Many Level 1 Scored recommendations are covered by corresponding findings in Security Health Analytics in Cloud Security Command Center. By enabling Security Health Analytics, you'll be notified of cluster misconfigurations you may have in your environment, such as open firewalls or public buckets.

Testing configurations with kube-bench.
You can use an open-source tool kube-bench to test your cluster configuration against the CIS Kubernetes Benchmark. Make sure to specify the appropriate version, for example:
To switch between the …
Note that this does not allow you to audit recommendations from the Kubernetes CIS Benchmark that are not auditable on GKE.
GKE workloads, since you do not have access to the control plane
that you will be unable to run the kube-bench master tests against your node directly; and will only be able to run the kube-bench node tests.
Some tools attempt to analyze Kubernetes nodes against multiple CIS Benchmarks (Linux, Docker, and Kubernetes) and combine the results.
Example of one test from the CIS Kubernetes Benchmark.

When evaluating your own environment, you should use the CIS GKE Benchmark to perform an audit.
that you cannot directly audit, see Default values to understand how your
see the section on Default values to understand how a default cluster created in GKE performs against the CIS Kubernetes Benchmark.
These recommendations only include Generally Available products or features.
are not necessarily all configurable such that they can be configured to Pass in your environment,
GKE Benchmark are different, as some controls cannot be
Although GKE
Benchmark are in section 6, some of the audit and remediation procedures for recommendations in sections 1-5 are different in the CIS GKE Benchmark.
laid out in the CIS GKE Benchmark.

We use the following values to specify the status of Kubernetes recommendations in GKE:
A new cluster complies with a Benchmark recommendation by default.
A new cluster does not comply with a Benchmark recommendation by default.
Does not comply with the exact terms in the Benchmark recommendation, but other mechanisms in GKE exist to provide equivalent
GKE does not configure items related to this recommendation. The user's configuration determines whether their

we use the following values to specify the default values:
Complies with a Benchmark recommendation.

The following table evaluates a new GKE cluster against the CIS Kubernetes Benchmark,
When creating a new GKE cluster with the specified version,
Where the default for a new GKE cluster does not pass a recommendation from the CIS Kubernetes Benchmark, here are the default values used in GKE, with an explanation.

Default values for recommendations which Fail or Depends on Environment in a default GKE cluster:
GKE does not use these flags but rather this is specified in the kubelet config file.
Some GKE monitoring components use the kubelet authentication to obtain metrics.
is authenticated for GKE v1.12+ clusters.
GKE captures audit logs, but does not use these flags for auditing.
GKE doesn't protect kernel defaults from Kubernetes, as customer workloads may want to modify these.
These flags are used for regional clusters but not zonal clusters,
Events are Kubernetes objects stored in etcd. They are only kept for one hour, and are not an appropriate security auditing mechanism.
Allowing unlimited events as suggested in this control
Security relevant events
recommendation to use admission EventRateLimits.
new Pods across the entire cluster.
The AlwaysPullImages admission controller provides some protection for
admission controller by default.
In some cases, for example multi-tenant workloads, these recommendations may be more relevant.
For example, Pod Security Policy requires the use of a policy specific to your workload, and is a
controller by default, as this requires a policy to be set.
GKE customers can enable PodSecurityPolicy.
Image Provenance using Binary
Some control plane components are bootstrapped using static tokens, which are then used to authenticate to the API server.
GKE uses TLS for API server to kubelet traffic, which also does not have a CIS Benchmark.
between the API server to etcd.
process for certificate rotation.
Shielded GKE Nodes are enabled.

GKE security recommendations.
Ensure Image Vulnerability Scanning using GCR Container Analysis or a third party provider
Minimize cluster access to read-only for GCR
Minimize Container Registries to only those approved
Prefer not running GKE clusters using the Compute Engine default service account
Prefer using dedicated GCP Service Accounts and Workload Identity
Consider encrypting Kubernetes Secrets using keys managed in Cloud KMS
Ensure legacy Compute Engine instance metadata APIs are Disabled
Ensure the GKE Metadata Server is Enabled
Ensure Container-Optimized OS (COS) is used for GKE node images
Ensure Node Auto-Repair is enabled for GKE nodes
Ensure Node Auto-Upgrade is enabled for GKE nodes
Consider automating GKE version management using Release Channels
Ensure Integrity Monitoring for Shielded GKE Nodes is Enabled
Ensure Secure Boot for Shielded GKE Nodes is Enabled
Consider enabling VPC Flow Logs and Intranode Visibility
Ensure Master Authorized Networks is Enabled
Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled
Ensure clusters are created with Private Nodes
Ensure Network Policy is Enabled and set as appropriate
Consider using Google-managed SSL Certificates
Ensure Stackdriver Kubernetes Logging and Monitoring is Enabled
Ensure Basic Authentication using static passwords is Disabled
Ensure authentication using Client Certificates is Disabled
Consider managing Kubernetes RBAC users with Google Groups for GKE
Ensure Legacy Authorization (ABAC) is Disabled
Consider enabling Customer-Managed Encryption Keys (CMEK) for GKE persistent disks (PDs)
Ensure that Alpha clusters are not used for production workloads
Ensure Pod Security Policy is Enabled and set as appropriate
Consider GKE Sandbox for running untrusted workloads
Prefer enabling Binary Authorization and configuring policy as appropriate
Prefer enabling Cloud Security Command Center (Cloud SCC)

1.4.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Scored)
1.4.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored)

Organizations can use the CIS Benchmark for Kubernetes to harden their Kubernetes environments. Organizations can use the CIS Benchmark for Docker to validate that their Docker containers and the Docker runtime are configured as securely as possible. You can download the benchmark after logging in to CISecurity.org.
CIS Kubernetes Benchmark v1.2.0.
CIS MIT Kerberos 1.10 Benchmark v1.0.0.
MIT Kerberos Authentication Server.
Oracle MySQL Database Server.
Prescriptive guidance for establishing a secure configuration posture for Cisco devices running Cisco NX-OS.
CIS-CAT Lite is the free assessment tool developed by the CIS (Center for Internet Security, Inc.).

CIS Kubernetes 1.8 Security Benchmark Released The CIS Benchmark for Kubernetes 1.8 release continues to bring security enhancements to the core orchestration platform. CIS has worked with the community since 2017 to publish a benchmark for Kubernetes, The CIS Kubernetes community has been busy working on refreshing the benchmark to align with the new released features and narrow the gap between the announcement of the GA version of the product and the benchmark … Special thanks to Rob Vandenbrink for his contribution to this initial release.
Announcing the Center for Internet Security (CIS) Oracle Cloud Infrastructure (OCI) Container Engine for Kubernetes (OKE) Benchmark
Supported CIS Kubernetes versions
A step-by-step checklist to secure Kubernetes: For Kubernetes 1.6.0 (CIS Kubernetes Benchmark version 1.6.0),

Azure Kubernetes Service (AKS) is a secure service compliant with SOC, ISO, PCI DSS, and HIPAA standards. This article covers the security hardening applied to AKS virtual machine hosts.
In collaboration with CIS, IBM has already been awarded CIS Security Software Certification Benchmarks on a variety of IBM products.
Charmed Kubernetes includes support for the kube-bench utility, which reports how well a cluster complies with this benchmark.
The Kubernetes benchmark includes over 200 pages of recommended tests, so it's impractical to run them by hand even just once, and the reality is that you should be running tests on every node in your cluster. While it may be simple to evaluate a single master/worker cluster or a test Kubernetes implementation, it can be much more difficult to ensure continuous security compliance for a complex, dynamic Kubernetes deployment.
Kube Bench is an open-source Go application that runs the CIS Kubernetes Benchmark tests on your cluster to ensure that it meets the CIS guidelines for security. Also, to generate a cluster-wide report, the application utilizes Sonobuoy for report aggregation.
Automate CIS Benchmark Assessment using DevSecOps pipelines.
In today's regulatory environment, organizations must stay on top of compliance requirements while modernizing to cloud-native Kubernetes, mitigating against security breaches through continuous automation.
The Kubernetes CIS Benchmark tests have been implemented in NeuVector to simplify auditing and compliance testing of Kubernetes clusters.
CIS Kubernetes Benchmark v1.5 - Rancher v2.4 with Kubernetes v1.15. Overview: This document is a companion to the Rancher v2.4 security hardening guide. The hardening guide provides prescriptive guidance for hardening a production installation of Rancher, and this benchmark
Ensure that the API server pod specification file permissions are set to
Ensure that the API server pod specification file ownership is set to
Ensure that the controller manager pod specification file permissions are set to
Ensure that the controller manager pod specification file ownership is set to
Ensure that the scheduler pod specification file permissions are set to
Ensure that the scheduler pod specification file ownership is set to
Ensure that the etcd pod specification file permissions are set to
Ensure that the etcd pod specification file ownership is set to
Ensure that the Container Network Interface file permissions are set to
Ensure that the Container Network Interface file ownership is set to
Ensure that the etcd data directory permissions are set to
Ensure that the etcd data directory ownership is set to
Ensure that the admin.conf file permissions are set to
Ensure that the admin.conf file ownership is set to
Ensure that the scheduler.conf file permissions are set to
Ensure that the scheduler.conf file ownership is set to
Ensure that the controller-manager.conf file permissions are set to
Ensure that the controller-manager.conf file ownership is set to
Ensure that the Kubernetes PKI directory and file ownership is set to
Ensure that the Kubernetes PKI certificate file permissions are set to
Ensure that the Kubernetes PKI key file permissions are set to
Ensure that the --anonymous-auth argument is set to false
Ensure that the --basic-auth-file argument is not set
Ensure that the --token-auth-file parameter is not set
Ensure that the --kubelet-https argument is set to true
Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate
Ensure that the --kubelet-certificate-authority argument is set as appropriate
Ensure that the --authorization-mode argument is not set to AlwaysAllow
Ensure that the --authorization-mode argument includes Node
Ensure that the --authorization-mode argument includes RBAC
Ensure that the admission control plugin EventRateLimit is set
Ensure that the admission control plugin AlwaysAdmit is not set
Ensure that the admission control plugin AlwaysPullImages is set
Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used
Ensure that the admission control plugin ServiceAccount is set
Ensure that the admission control plugin NamespaceLifecycle is set
Ensure that the admission control plugin PodSecurityPolicy is set
Ensure that the admission control plugin NodeRestriction is set
Ensure that the --insecure-bind-address argument is not set
Ensure that the --insecure-port argument is set to 0
Ensure that the --secure-port argument is not set to 0
Ensure that the --profiling argument is set to false
Ensure that the --audit-log-path argument is set
Ensure that the --audit-log-maxage argument is set to 30 or as appropriate
Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate
Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate
Ensure that the --request-timeout argument is set as appropriate
Ensure that the --service-account-lookup argument is set to true
Ensure that the --service-account-key-file argument is set as appropriate
Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate
Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate
Ensure that the --client-ca-file argument is set as appropriate
Ensure that the --etcd-cafile argument is set as appropriate
Ensure that the --encryption-provider-config argument is set as appropriate
Ensure that encryption providers are appropriately configured
Ensure that the API Server only makes use of Strong Cryptographic Ciphers
Ensure that the --terminated-pod-gc-threshold argument is set as appropriate
Ensure that the --use-service-account-credentials argument is set to true
Ensure that the --service-account-private-key-file argument is set as appropriate
Ensure that the --root-ca-file argument is set as appropriate
Ensure that the RotateKubeletServerCertificate argument is set to true
Ensure that the --bind-address argument is set to 127.0.0.1
Ensure that the --cert-file and --key-file arguments are set as appropriate
Ensure that the --client-cert-auth argument is set to true
Ensure that the --auto-tls argument is not set to true
Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate
Ensure that the --peer-client-cert-auth argument is set to true
Ensure that the --peer-auto-tls argument is not set to true
Ensure that a unique Certificate Authority is used for etcd
Client certificate authentication should not be used for users
Ensure that a minimal audit policy is created
Ensure that the audit policy covers key security concerns
Ensure that the kubelet service file permissions are set to
Ensure that the kubelet service file ownership is set to
Ensure that the proxy kubeconfig file permissions are set to
Ensure that the proxy kubeconfig file ownership is set to
Ensure that the kubelet.conf file permissions are set to
Ensure that the kubelet.conf file ownership is set to
Ensure that the certificate authorities file permissions are set to
Ensure that the client certificate authorities file ownership is set to
Ensure that the kubelet configuration file has permissions set to
Ensure that the kubelet configuration file ownership is set to
Ensure that the --read-only-port argument is set to 0
Ensure that the --streaming-connection-idle-timeout argument is not set to 0
Ensure that the --protect-kernel-defaults argument is set to true
Ensure that the --make-iptables-util-chains argument is set to true
Ensure that the --hostname-override argument is not set
Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture
Ensure that the --rotate-certificates argument is not set to false
Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
Ensure that the cluster-admin role is only used where required
Minimize wildcard use in Roles and ClusterRoles
Ensure that default service accounts are not actively used
Ensure that Service Account Tokens are only mounted where necessary
Minimize the admission of privileged containers
Minimize the admission of containers wishing to share the host process ID namespace
Minimize the admission of containers wishing to share the host IPC namespace
Minimize the admission of containers wishing to share the host network namespace
Minimize the admission of containers with allowPrivilegeEscalation
Minimize the admission of root containers
Minimize the admission of containers with the NET_RAW capability
Minimize the admission of containers with added capabilities
Minimize the admission of containers with capabilities assigned
Ensure that the CNI in use supports Network Policies
Ensure that all Namespaces have Network Policies defined
Prefer using secrets as files over secrets as environment variables
Configure Image Provenance using ImagePolicyWebhook admission controller
Create administrative boundaries between resources using namespaces
Ensure that the seccomp profile is set to docker/default in your pod definitions
Apply Security Context to Your Pods and Containers.