GCP Security Policies
ZCSPM offers a total of 296 security policies for GCP protecting about 30 services:
GCP Core Services
- App Engine
  - GCP - Compute: Ensure that App Engine applications enforce HTTPS connections
- BigQuery
  - GCP - Data Analytics: Ensure that Customer-Managed Encryption Key (CMEK) is used for BigQuery Dataset Tables encryption
  - GCP - Data Analytics: Ensure that retention period is set on BigQuery tables
  - GCP - Data Analytics: Ensure that BigQuery datasets are not anonymously or publicly accessible
  - GCP - Storage and Database: Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets
- Cloud Bigtable
  - GCP - Data Analytics: Ensure that Cluster replication feature is enabled for Bigtable Instance
  - GCP - Data Analytics: Ensure that Backup is configured with expiration date for Bigtable Table
  - GCP - Storage and Database: Ensure that Bigtable Instance Cluster is encrypted using Customer Managed Encryption Key
- Cloud Data Fusion
  - GCP - Data Analytics: Ensure that Stackdriver Logging is enabled for Data Fusion instances
  - GCP - Data Analytics: Ensure that Data Fusion Instances are not launched within default VPC Network
  - GCP - Data Analytics: Ensure that Stackdriver monitoring is enabled for Data Fusion instances
  - GCP - Networking: Ensure that Data Fusion instances are not using default Dataproc service
  - GCP - Storage and Database: Ensure that Data Fusion instances do not have public IP addresses
- Cloud DNS
  - GCP - Logging and Monitoring: Ensure that Cloud DNS logging is enabled for all VPC networks
  - GCP - Networking: Ensure that DNSSEC is enabled for Cloud DNS
  - GCP - Networking: Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC
  - GCP - Networking: Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC
- Cloud Functions (10 of 10 policies shown)
  - GCP - Compute: Ensure that Cloud Function is not using default service account
  - GCP - Compute: Ensure that ingress setting is not set to 'Allow all traffic' for Cloud Function
  - GCP - Compute: Ensure that access to VPC 'Private ranges only' is used for your Cloud Function
  - GCP - Compute: Ensure that all the deployed Cloud Functions are in 'active' mode
  - GCP - Compute: Ensure that 'Require HTTPS' is selected for HTTP Cloud Functions
  - GCP - Identity and Access Management: Ensure that Cloud Functions Invoker role is not assigned to 'allUsers' for Cloud Function
  - GCP - Identity and Access Management: Ensure that Cloud Functions Viewer role is not assigned to 'allUsers' for Cloud Function
  - GCP - Identity and Access Management: Ensure that Cloud Functions Developer role is not assigned to 'allUsers' for Cloud Function
  - GCP - Identity and Access Management: Ensure that Cloud Functions Admin role is not assigned to 'allUsers' for Cloud Function
  - GCP - Networking: Ensure that 'Allow internal traffic and traffic from Cloud Load Balancing' is selected for Cloud Function
- Cloud Key Management Service
  - GCP - Azure - Key Management: Ensure that the primary key version is enabled for Symmetric Key
  - GCP - Azure - Key Management: Ensure that at least one key version is enabled for Asymmetric Key
  - GCP - Identity and Access Management: Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible
  - GCP - Identity and Access Management: Ensure KMS encryption keys are rotated within a period of 90 days
- Cloud Logging
  - GCP - Logging and Monitoring: Ensure log metric filter and alerts exist for project ownership assignments/changes
  - GCP - Logging and Monitoring: Ensure that the log metric filter and alerts exist for Audit Configuration changes
  - GCP - Logging and Monitoring: Ensure that the log metric filter and alerts exist for Custom Role changes
  - GCP - Logging and Monitoring: Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes
  - GCP - Logging and Monitoring: Ensure that the log metric filter and alerts exist for VPC network route changes
  - GCP - Logging and Monitoring: Ensure that the log metric filter and alerts exist for VPC network changes
  - GCP - Logging and Monitoring: Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes
  - GCP - Logging and Monitoring: Ensure that the log metric filter and alerts exist for SQL instance configuration changes
  - GCP - Logging and Monitoring: Ensure that sinks are configured for all log entries
  - GCP - Logging and Monitoring: Ensure that retention policies on log buckets are configured using Bucket Lock
- Cloud OS Config
  - GCP - Compute: Ensure that OS Patch Deployment is configured with a recurring schedule
  - GCP - Compute: Ensure that OS Patch Deployment is not targeted to all VMs
  - GCP - Compute: Ensure that security patches for Red Hat Enterprise Linux (RHEL) and CentOS are configured in Patch Deployment
  - GCP - Compute: Ensure that security patches for Windows are configured in Patch Deployment
  - GCP - Compute: Ensure that reboot is enabled for OS Patch Deployment
  - GCP - Compute: Ensure that security patches for SUSE Linux Enterprise Server (SLES) are configured in Patch Deployment
- Cloud Run
  - GCP - Compute: Ensure that Cloud Run revision is not configured to use the default service account
  - GCP - Compute: Ensure that Cloud Run Service uses Customer-managed encryption key (CMEK) for encryption
  - GCP - Compute: Ensure that HTTP/2 connections are enabled for Cloud Run revision
  - GCP - Compute: Ensure that 'Verify container deployment with Binary Authorization' configuration is enabled for Cloud Run Service
  - GCP - Compute: Ensure that ingress setting is not set to 'Allow all traffic' for Cloud Run Service
  - GCP - Compute (PaaS and Serverless): Ensure that Secret is used for Cloud Run Revisions
  - GCP - Networking: Ensure that 'Allow internal traffic and traffic from Cloud Load Balancing' configuration is enabled for Cloud Run Service
- Cloud Spanner
  - GCP - Identity and Access Management: Ensure that Cloud Spanner Database is encrypted using Customer Managed Encryption Key
  - GCP - Networking: Ensure that Cloud Spanner Database Backup is encrypted using Customer Managed Encryption Key
  - GCP - Storage and Database: Ensure that Backup is configured with expiration date for Cloud Spanner Database
  - GCP - Storage and Database: Ensure that Cloud Spanner Instance is deployed with multi-region configuration
- Cloud SQL (10 of 46 policies shown)
  - GCP - Business Continuity: Ensure that Cloud SQL MySQL instances have 'point-in-time recovery' enabled
  - GCP - Business Continuity: Ensure that Cloud SQL PostgreSQL instances have 'point-in-time recovery' enabled
  - GCP - Compute: Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
  - GCP - Logging and Monitoring: Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'
  - GCP - Logging and Monitoring: Ensure that Query Insights are enabled for Cloud SQL PostgreSQL instance
  - GCP - Logging and Monitoring: Ensure that 'pgaudit.log_catalog' database flag for Cloud SQL PostgreSQL instance is set to 'off'
  - GCP - Logging and Monitoring: Ensure that 'Store client IP addresses' is enabled for Cloud SQL PostgreSQL instance
  - GCP - Logging and Monitoring: Ensure that 'Store application tags' is enabled for Cloud SQL PostgreSQL instance
  - GCP - Storage and Database: Ensure that a MySQL database instance does not allow anyone to connect with administrative privileges
  - GCP - Storage and Database: Ensure that the 'local_infile' database flag for a Cloud SQL MySQL instance is set to 'off'
- Cloud Storage
  - GCP - Storage and Database: Ensure that Cloud Storage bucket is not anonymously or publicly accessible
  - GCP - Storage and Database: Ensure that Cloud Storage buckets have uniform bucket-level access enabled
  - GCP - Storage and Database: Ensure that Storage Buckets are deployed in multi-region
  - GCP - Storage and Database: Ensure that Storage Bucket is encrypted with Customer-Managed Encryption Key
  - GCP - Storage and Database: Ensure that object versioning is enabled on Storage Buckets
- Compute Engine - Backend Service
  - GCP - Compute: Ensure that static contents are cached for Backend Bucket
  - GCP - Compute: Ensure that 'stale content' serving is set to 1 day period for Backend Bucket
  - GCP - Networking: Ensure that signed URLs are in use for global HTTP(S) load balancer Backend Service
  - GCP - Networking: Ensure logging and monitoring is enabled for each global HTTPS load balancer Backend Service
  - GCP - Networking: Ensure that Cloud Armor security policy is configured for each Backend Service of global HTTP(S) load balancer
  - GCP - Networking: Ensure Cloud CDN is enabled for global HTTP(S) load balancer Backend Service
- Compute Engine - Disk
  - GCP - Compute: Ensure that Compute Disk is encrypted with Customer-Supplied Encryption key
  - GCP - Compute: Ensure that Compute Disks are attached with 'Snapshot Schedule' for automated backups
- Compute Engine - Firewall (10 of 54 policies shown)
  - GCP - Networking: Ensure that SSH access is restricted from the internet
  - GCP - Networking: Ensure that RDP access is restricted from the internet
  - GCP - Networking: Ensure that Firewall rules do not allow connections from all IP addresses
  - GCP - Networking: Ensure that logging is enabled on Firewall Rule
  - GCP - Networking: Ensure that no Firewall Rule allows unrestricted ingress access to TCP port 23 (Telnet)
  - GCP - Networking: Ensure that no Firewall Rule allows unrestricted ingress access to TCP port 25 (SMTP)
  - GCP - Networking: Ensure that no Firewall Rule allows unrestricted ingress access to TCP and UDP port 53 (DNS)
  - GCP - Networking: Ensure that no Firewall Rule allows unrestricted ingress access to TCP port 139 and UDP ports 137 and 138 (NetBIOS)
  - GCP - Networking: Ensure that no Firewall Rule allows unrestricted ingress access to TCP port 4333 or 3306 (MySQL)
  - GCP - Networking: Ensure that no Firewall Rule allows unrestricted ingress access to TCP port 1521 (Oracle)
- Compute Engine - Global Forwarding
  - GCP - Compute: Ensure that global forwarding rule is created with reserved IP address
- Compute Engine - Health Check
  - GCP - Compute: Ensure that Health Checks for autohealing in managed instance groups have unhealthy-threshold value more than 1
  - GCP - Logging and Monitoring: Ensure that Cloud Logging is enabled for Compute Health Check
- Compute Engine - Image
  - GCP - Compute: Ensure that Compute Image is encrypted with either Customer-Managed or Customer-Supplied Encryption key
  - GCP - Compute: Ensure that Compute Image is not publicly accessible
- Compute Engine - Instance (10 of 13 policies shown)
  - GCP - Compute: Ensure that instances are not configured to use the default service account with full access to all Cloud APIs
  - GCP - Compute: Ensure that instances are not configured to use the default service account
  - GCP - Compute: Ensure OS Login is enabled for a Project
  - GCP - Compute: Ensure "Block Project-wide SSH keys" is enabled for VM instances
  - GCP - Compute: Ensure that IP forwarding is not enabled on Instances
  - GCP - Compute: Ensure "Enable connecting to serial ports" is not enabled for VM Instance
  - GCP - Compute: Ensure Compute instances are launched with Shielded VM enabled
  - GCP - Compute: Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys
  - GCP - Compute: Ensure that Compute instances do not have public IP addresses
  - GCP - Compute: Ensure that deletion protection is enabled for VM Instances
- Compute Engine - Instance Group
  - GCP - Compute: Ensure that Instance Groups have Health checks defined
  - GCP - Compute: Ensure that instance groups have autoscale enabled for high availability
- Compute Engine - Instance Template
  - GCP - Compute: Ensure that Instance Templates are configured with Shielded VM
  - GCP - Compute: Ensure that "Block Project-wide SSH keys" is enabled for Instance Templates
  - GCP - Compute: Ensure that IP forwarding is not enabled on Instance Templates
  - GCP - Compute: Ensure "Enable connecting to serial ports" is not enabled for Instance Templates
  - GCP - Compute: Ensure that Instance Templates are not launched within default VPC
  - GCP - Compute: Ensure that Instance Templates do not have Public IP Addresses
  - GCP - Compute (PaaS and Serverless): Ensure that Boot disks for Instance Templates are encrypted with Customer-Managed Encryption Keys
  - GCP - Compute (PaaS and Serverless): Ensure that Instance Templates are not configured to use the default service account
  - GCP - Data in Transit: Ensure that Instance Templates have Confidential Computing enabled
- Compute Engine - Forwarding Rule
  - GCP - Compute: Ensure that regional forwarding rule is created with reserved IP address
- Compute Engine - Route
  - GCP - Networking: Ensure that the Route has a network tag
- Compute Engine - Router
  - GCP - Identity and Access Management: Ensure that Cloud Router is created within non-default VPC Network
- Compute Engine - Security Policy
  - GCP - Networking: Ensure that no Cloud Armor Policy allows unrestricted access to the internet
  - GCP - Networking: Ensure that Adaptive Protection is enabled for Cloud Armor Policy
- Compute Engine - Snapshot
  - GCP - Compute: Ensure that Compute Snapshot is created within multi-region
- Compute Engine - SSL Policy
  - GCP - Compute: Ensure that Restricted profile is selected for SSL Policy
  - GCP - Compute: Ensure that the latest TLS version is in use for SSL Policy
- Compute Engine - Subnetwork
  - GCP - Networking: Ensure that VPC Flow Logs are enabled for every subnet in a VPC Network
- Compute Engine - Target Pool
  - GCP - Compute: Ensure that Health Check is configured for Target Pool
  - GCP - Compute: Ensure that 'session affinity' is configured for Target Pool
- Compute Engine - Target HTTPS Proxy
  - GCP - Compute: Ensure that HTTPS Target Proxy is configured with Google-managed SSL certificate
  - GCP - Compute: Ensure no HTTPS proxy load balancers permit SSL policies with weak cipher suites
- Compute Engine - Target SSL Proxy
  - GCP - Compute: Ensure that SSL Target Proxy is configured with Google-managed SSL certificate
  - GCP - Compute: Ensure no SSL proxy load balancers permit SSL policies with weak cipher suites
- Compute Engine - Target VPN Gateway
  - GCP - Data Analytics: Ensure that Classic VPN Gateway is not created within a default VPC Network
- Compute Engine - Virtual Private Cloud (VPC)
  - GCP - Networking: Ensure that the default network does not exist in a project
  - GCP - Networking: Ensure legacy networks do not exist for a project
- Compute Engine - VPN Gateway
  - GCP - Data Analytics: Ensure that High-availability VPN Gateway is not created within default VPC Network
- Container Registry
  - GCP - Storage and Database: Ensure that vulnerability scanning is enabled for Container Registry
- Dataproc (10 of 14 policies shown)
  - GCP - Data Analytics: Ensure that Dataproc Cluster is encrypted using Customer-Supplied Encryption Keys
  - GCP - Data Analytics: Ensure that autoscaling policy is configured for Dataproc Clusters
  - GCP - Data Analytics: Ensure that Dataproc Cluster is launched in High Availability mode
  - GCP - Data Analytics: Ensure that Dataproc Cluster is not launched within default VPC Network
  - GCP - Data Analytics: Ensure that Admin role is not assigned to Default Service Account for Dataproc Cluster
  - GCP - Data Analytics: Ensure that Editor role is not assigned to Default Service Account for Dataproc Cluster
  - GCP - Data Analytics: Ensure that Dataproc jobs will restart on failure
  - GCP - Data Analytics: Ensure that Dataproc Cluster Nodes have Shielded VM enabled
  - GCP - Data Analytics: Ensure that OS Login is enabled while creating a Dataproc cluster
  - GCP - Data Analytics: Ensure that Kerberos and Hadoop Secure Mode for a cluster are enabled
- Filestore
  - GCP - Data Analytics: Ensure that a Filestore instance does not grant root-level read and write access to all clients in a VPC network
  - GCP - Data Analytics: Ensure that Filestore Instances are not launched within default VPC Network
- Google Kubernetes Engine (10 of 22 policies shown)
  - GCP - Kubernetes and Container: Ensure 'Automatic node repair' is enabled for Kubernetes Clusters
  - GCP - Kubernetes and Container: Ensure Automatic node upgrades are enabled on Kubernetes Engine Cluster nodes
  - GCP - Kubernetes and Container: Ensure Legacy Authorization is set to Disabled on Kubernetes Engine Clusters
  - GCP - Kubernetes and Container: Ensure default Service account is not used for Project access in Kubernetes Clusters
  - GCP - Kubernetes and Container: Ensure Kubernetes Cluster is created with Alias IP ranges enabled
  - GCP - Kubernetes and Container: Ensure Kubernetes Cluster is created with Private cluster enabled
  - GCP - Kubernetes and Container: Ensure Master authorized networks is set to Enabled on Kubernetes Engine Clusters
  - GCP - Kubernetes and Container: Ensure Network policy is enabled on Kubernetes Engine Clusters
  - GCP - Kubernetes and Container: Ensure Private Google Access is set on Kubernetes Engine Cluster Subnets
  - GCP - Kubernetes and Container: Ensure GKE Clusters use specific purpose-designed networks instead of the default network
- Identity and Access Management (10 of 16 policies shown)
  - GCP - Identity and Access Management: Ensure that Service Account has no Admin privileges
  - GCP - Identity and Access Management: Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level
  - GCP - Identity and Access Management: Ensure that Separation of duties is enforced while assigning service account related roles to users
  - GCP - Identity and Access Management: Ensure that Separation of duties is enforced while assigning KMS related roles to users
  - GCP - Identity and Access Management: Ensure that corporate login credentials are used
  - GCP - Identity and Access Management: Ensure that multi-factor authentication is enabled for all non-service accounts
  - GCP - Identity and Access Management: Ensure that Security Key Enforcement is enabled for all admin accounts
  - GCP - Identity and Access Management: Ensure API keys are not created for a project
  - GCP - Identity and Access Management: Ensure API keys are restricted to use by only specified Hosts and Apps
  - GCP - Identity and Access Management: Ensure API keys are restricted to only the APIs that the application needs access to
- Memorystore
  - GCP - Data in Transit: Ensure that in-transit encryption is enabled for Redis instance
  - GCP - Networking: Ensure that default VPC Network is not in use for Memorystore Memcached Instance
  - GCP - Storage and Database: Ensure that 'Automatically distribute' or multiple zones are selected for Memorystore Memcached Instance
  - GCP - Storage and Database: Ensure that 'track_sizes' configuration for Memorystore Memcached Instance is set to 'false'
  - GCP - Storage and Database: Ensure that 'maxconns_fast' configuration for Memorystore Memcached Instance is set to 'false'
  - GCP - Storage and Database: Ensure that Standard Tier is selected for Redis instance
  - GCP - Storage and Database: Ensure that 'Enable AUTH' is checked for Redis instance
- Managed Service for Microsoft Active Directory
  - GCP - Identity and Access Management: Ensure that Forest trust type is used when creating a relationship trust with Active Directory
  - GCP - Identity and Access Management: Ensure that Selective authentication is enabled on outbound trusts in the resource forest of Active Directory
- Organization Policy
  - GCP - Governance: Ensure that 'Disable Source Code Download' constraint is set to enforce
  - GCP - Governance: Ensure that 'Require VPC Connector (Cloud Functions)' constraint is set to enforce
  - GCP - Governance: Ensure that 'Disable Guest Attributes of Compute Engine metadata' constraint is set to enforce
  - GCP - Governance: Ensure that 'Disable Internet Network Endpoint Groups' constraint is set to enforce
  - GCP - Governance: Ensure that 'Disable VM nested virtualization' constraint is set to enforce
  - GCP - Governance: Ensure that 'Skip default network creation' constraint is set to enforce
  - GCP - Governance: Ensure that 'Disable Cloud Logging' constraint is set to enforce
  - GCP - Governance: Ensure that 'Disable Workload Identity Cluster Creation' constraint is set to enforce
  - GCP - Governance: Ensure that 'Restrict shared VPC project lien removal' constraint is set to enforce
  - GCP - Governance: Ensure that 'Disable Automatic IAM Grants for Default Service Accounts' constraint is set to enforce
  - GCP - Governance: Ensure that 'Google Cloud Platform - Detailed Audit Logging Mode' constraint is set to enforce
- Pub/Sub Topic
  - GCP - Data Analytics: Ensure that Pub/Sub Topic is encrypted using Customer-Managed Encryption Key (CMEK)
  - GCP - Governance: Ensure that Pub/Sub Subscription is configured with an exponential backoff retry policy
  - GCP - Governance: Ensure that Cloud Pub/Sub Topics are allowed to store messages in any region
  - GCP - Governance: Ensure that 'Retain acknowledged messages' is enabled for Pub/Sub Pull Subscriptions
  - GCP - Governance: Ensure that 'Dead letter topic' is not configured as the source topic in Pub/Sub Subscription
  - GCP - Identity and Access Management: Ensure that authentication is enabled for Pub/Sub Push Subscriptions
  - GCP - Identity and Access Management: Ensure that 'allUsers' is not allowed to publish to Pub/Sub Topic
  - GCP - Identity and Access Management: Ensure that Pub/Sub Topic is not exposed to everyone
  - GCP - Identity and Access Management: Ensure that 'allUsers' is not allowed to subscribe to Pub/Sub Topic
  - GCP - Identity and Access Management: Ensure that 'allUsers' is not allowed to edit Pub/Sub Topic
  - GCP - Identity and Access Management: Ensure that Admin/Owner role is not assigned to 'allUsers' for Pub/Sub Topic
- Resource Manager
  - GCP - Compute: Ensure that GCP Project is protected from accidental deletion
  - GCP - Identity and Access Management: Ensure that editor role is not assigned to Compute Engine Default Service Account
  - GCP - Identity and Access Management: Ensure that editor role is not assigned to App Engine Default Service Account
Kubernetes
ZCSPM offers the following security policies for Kubernetes deployed on Compute Engine instances and Kubernetes worker nodes:
- Kubernetes (worker nodes)
  - Kubernetes - Kubelet: GKE - Ensure that the --authorization-mode argument is not set to AlwaysAllow for Kubelet
  - Kubernetes - Kubelet: GKE - Ensure that the --anonymous-auth argument is set to false
  - Kubernetes - Kubelet: GKE - Ensure that the --read-only-port argument is set to 0
  - Kubernetes - Kubelet: GKE - Ensure that the --client-ca-file argument is set as appropriate for Kubelet
  - Kubernetes - Kubelet: GKE - Ensure that the --protect-kernel-defaults argument is set to true
  - Kubernetes - Kubelet: GKE - Ensure that the --streaming-connection-idle-timeout argument is not set to 0
  - Kubernetes - Kubelet: GKE - Ensure that the --hostname-override argument is not set
  - Kubernetes - Kubelet: GKE - Ensure that the --make-iptables-util-chains argument is set to true
  - Kubernetes - Kubelet: GKE - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate for Kubelet
  - Kubernetes - Kubelet: GKE - Ensure that the RotateKubeletServerCertificate argument is set to true for Kubelet Server
  - Kubernetes - Kubelet: GKE - Ensure that the --rotate-certificates argument is not set to false