Incoming connections should use SSL while making connections with Cloud SQL database instances.
Stackdriver is the default logging solution for clusters deployed on GKE. GKE should have logging enabled so that access can be audited.
Ensure that Cloud SQL database instances is not publicly accessible to lower the attack surface.
Node auto-upgrade keeps nodes up-to-date with the latest cluster master version when your master is updated on your behalf, and it should enabled.
DNSSEC is a feature of the Domain Name System that authenticates responses to domain name lookups. DNSSEC prevents attackers from manipulating or poisoning the responses to DNS requests. We recommend ensuring that DNSSEC is enabled in any public DNS zone, the top-level domain registry, and the local DNS resolvers.