This repository holds the Google Kubernetes Engine (GKE) Center for Internet Security (CIS) version 1.1 Benchmark InSpec profile.
This is not an officially supported Google product. This code is intended to help users assess their security posture on GKE against the CIS Benchmark. This code is not certified by CIS.
This is an initial release, mainly consisting of ported controls from the CIS for GCP 1.0.0 Benchmark.
- gcp_project_id - (Default: "", type: string) - The target GCP project ID. This input must be specified.
Use this Cloud Shell walkthrough for a hands-on example.
```shell
# install inspec
$ gem install inspec-bin --no-document --quiet
# make sure you're authenticated to GCP
$ gcloud auth list
# acquire credentials to use with Application Default Credentials
$ gcloud auth application-default login
# scan a project with this profile, replace <YOUR_PROJECT_ID> with your project ID
$ CHEF_LICENSE=accept-no-persist inspec exec https://github.com/GoogleCloudPlatform/inspec-gke-cis-benchmark.git -t gcp:// --input gcp_project_id=<YOUR_PROJECT_ID>
...snip...
Profile Summary: 48 successful controls, 5 control failures, 7 controls skipped
Test Summary: 166 successful, 7 failures, 7 skipped
```
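For automated triage it is easier to post-process the JSON reporter (`inspec exec ... --reporter json`) than the CLI summary shown above. The script below is an added example, not part of this profile or of InSpec: it recomputes the Profile Summary and Test Summary counts from a JSON report and lists failing controls highest impact first. It assumes the reporter's `profiles[].controls[].results[].status` layout and the per-control roll-up rule stated in the comments; the embedded report and its control IDs are constructed.

```python
"""Summarise an InSpec JSON report (inspec exec ... --reporter json) into the same
counts the CLI prints as "Profile Summary" / "Test Summary", plus failing control IDs."""
import json
from collections import Counter

# Constructed sample in the shape of InSpec's JSON reporter, trimmed to the fields
# read below. Not real output from the GKE CIS profile; control IDs are placeholders.
SAMPLE_REPORT = json.dumps({"profiles": [{"name": "inspec-gke-cis-benchmark", "controls": [
    {"id": "example-control-1", "impact": 0.5,
     "results": [{"status": "passed"}, {"status": "passed"}]},
    {"id": "example-control-2", "impact": 0.8,
     "results": [{"status": "passed"}, {"status": "failed", "message": "expected true"}]},
    {"id": "example-control-3", "impact": 0.5,
     "results": [{"status": "skipped", "skip_message": "no clusters found"}]},
]}]})

def control_status(control):
    """Assumed roll-up: failed if any test failed, else skipped if any skipped, else passed."""
    statuses = [r.get("status") for r in control.get("results", [])]
    if "failed" in statuses:
        return "failed"
    return "skipped" if "skipped" in statuses else "passed"

def summarise(report_json):
    controls, tests, failing = Counter(), Counter(), []
    for profile in json.loads(report_json).get("profiles", []):
        for control in profile.get("controls", []):
            status = control_status(control)
            controls[status] += 1
            for result in control.get("results", []):
                tests[result.get("status", "unknown")] += 1
            if status == "failed":
                failing.append((control["id"], control.get("impact", 0.0)))
    failing.sort(key=lambda item: -item[1])  # highest impact first for triage
    return {"controls": dict(controls), "tests": dict(tests), "failing": failing}

def format_summary(summary):
    c, t = summary["controls"], summary["tests"]
    return (f"Profile Summary: {c.get('passed', 0)} successful controls, "
            f"{c.get('failed', 0)} control failures, {c.get('skipped', 0)} controls skipped\n"
            f"Test Summary: {t.get('passed', 0)} successful, {t.get('failed', 0)} failures, "
            f"{t.get('skipped', 0)} skipped")

if __name__ == "__main__":
    import sys
    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    result = summarise(report)
    print(format_summary(result))
    for control_id, impact in result["failing"]:
        print(f"FAILED {control_id} (impact {impact})")
```

Pipe a real report in with `inspec exec ... --reporter json | python3 summarise.py`; with no stdin the constructed sample is used.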