GCP – Using custom Org Policies to enforce the CIS benchmark for GKE
As the adoption of container workloads increases, so does the need to establish and maintain a consistent, strong Kubernetes security posture. Failing to do so can have significant consequences for the risk posture of an organization. Nearly 50% of organizations experienced revenue or customer loss due to container and Kubernetes security incidents, according to the 2024 State of Kubernetes Security Report.
Organization Policies are one of the most effective ways to achieve pervasive security across your cloud infrastructure. In particular, you can use custom Organization Policies to enforce many of the CIS Benchmark recommendations proactively, establishing guardrails for Google Kubernetes Engine (GKE) Standard and Autopilot clusters before a non-compliant cluster can be created.
We’ve made implementing these preventative controls easier with a custom Organization Policy library, which can apply controls to GKE and other Google Cloud services including Dataproc, Cloud Storage, Network, Firewall, Cloud Run, Cloud Build, Identity and Access Management, and Compute Engine.
Importantly for GKE security, custom Organization Policies can be used to enforce compliance with the CIS Benchmark for GKE.
What is the CIS Benchmark for GKE?
The CIS Benchmark for GKE is a set of security recommendations and best practices for hardening GKE clusters. It lists recommendations for assessing and mitigating potential weaknesses in areas such as authentication and authorization, network security, and IAM.
Using the CIS Benchmark helps with two crucial tasks: reducing the risk of attack and demonstrating compliance with industry standards. Custom Organization Policy supports the GKE Cluster and NodePool resource types, which is enough to enforce many of the CIS recommendations for GKE.
Achieving compliance with custom organization policies
Custom Organization Policies let you enforce your own granular security and compliance controls. You define a constraint as a Common Expression Language (CEL) condition over the fields of a resource, and the constraint is evaluated whenever the matching API methods (for example CREATE and UPDATE) are called, denying or allowing the request according to the constraint's action type.
Custom Organization Policies help ensure that new GKE clusters, and changes to existing ones, adhere to your security standards. They are preventative controls applied at the Google Cloud API level, so they work regardless of the provisioning tool (console, gcloud, Terraform or anything else) and give you a single, consistent, automated enforcement point. Note that enabling a constraint does not change a cluster that is already non-compliant; it is caught on its next update, which is one reason the rollout features below matter.
Custom Organization Policies also support safe rollout: dry-run mode evaluates a policy and records violations in Cloud Audit Logs without blocking requests, and the policy simulator shows the effect of a proposed change on existing resources before it is enforced. Both let you confirm that a policy change will not disrupt operations before enforcing it in production.
Some of the critical CIS recommendations for GKE you can enforce using custom Organization Policies include:
- Only private clusters, using private nodes and a private control-plane endpoint, can be provisioned.
- Nodes are created with Secure Boot enabled.
- Node pools use Container-Optimized OS.
Here are some examples of how to implement custom Organization Policies for GKE:
Enforcing usage of private clusters
```yaml
name: organizations/<ORG_ID>/customConstraints/custom.gkeRequirePrivateNodes
resource_types:
- container.googleapis.com/Cluster
condition: resource.privateClusterConfig.enablePrivateNodes == false
action_type: DENY
method_types:
- CREATE
- UPDATE
display_name: Require GKE private nodes
description: Enforce that GKE clusters are created as private clusters with private nodes
```
Ensuring nodes are configured to use Container-Optimized OS
```yaml
name: organizations/<ORG_ID>/customConstraints/custom.gkeRequireCOSImage
resource_types:
- container.googleapis.com/NodePool
condition: resource.config.imageType != "COS_CONTAINERD"
action_type: DENY
method_types:
- CREATE
- UPDATE
display_name: Require Container-Optimized OS on node pools
description: Enforce that node pools use Container-Optimized OS for running containers
```
The condition denies every image type other than `COS_CONTAINERD`, so Ubuntu node images and the deprecated Docker-based `COS` image are both rejected. Autopilot node pools already run Container-Optimized OS with containerd, so in practice this constraint only bites on Standard clusters.
Custom Organization Policies let organizations build security into the base layer of their infrastructure. Because a non-compliant request is rejected at the API, the misconfiguration never reaches a running cluster, which reduces both the security risk and the cost of remediating it later.
Simplify onboarding with the custom Organization Policy library
To simplify the adoption of custom Organization Policies, we have developed a library of policies accessible on the Google Cloud Professional Services GitHub public repository. The library already provides around 80 ready-to-use policies that translate security and compliance recommendations into actionable controls for a Google Cloud environment.
The library includes recommendations from the CIS Benchmark for GKE described above, with more than 30 controls already available. With this library, organizations can quickly and efficiently adopt security best practices using custom Organization Policies. Here are some key features and benefits of this library:
- The library is a starting point: it makes it easy to add policies that meet common security and compliance standards, and each policy can be customized to your own requirements.
- The policies integrate with your provisioning tools, so security best practices are enforced automatically. Both gcloud and Terraform are supported, the latter through the Cloud Foundation Fabric modules.
- The library will keep growing with new policies and enhancements as more services become compatible with custom Organization Policies, which already support more than 30 Google Cloud services.
How to get started
By using custom organization policies, you can establish a robust security posture and mitigate potential vulnerabilities more easily than before. The custom Organization Policy library available on GitHub provides a great start for any organization to implement compliance and security controls for both GKE Standard and Autopilot, but also for many other services.
We encourage you to explore the GitHub policy library repository and use the power of custom Organization Policies to enforce security controls in your organization.