Encryption provider config is not defined
This product is not supported for your selected
Datadog site. (
).
Id: cbd2db69-0b21-4c14-8a40-7710a50571a9
Cloud Provider: k8s
Platform: Kubernetes
Severity: Medium
Category: Encryption
Learn More
Description
When kube-apiserver
is used, the --encryption-provider-config
flag should be set, and the referenced encryption configuration file should correctly configure encryption providers. This rule checks containers
and initContainers
for kube-apiserver
command invocations and reports when the --encryption-provider-config
flag is not present. Missing this flag and a valid encryption config can result in secrets and other sensitive data being stored unencrypted at rest.
Compliant Code Examples
apiVersion: v1
kind: Pod
metadata:
name: command-demo
labels:
purpose: demonstrate-command
spec:
containers:
- name: command-demo-container
image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
command: ["kube-apiserver"]
args: ["--encryption-provider-config=/path/to/config/file.yaml"]
restartPolicy: OnFailure
apiVersion: v1
kind: Pod
metadata:
name: command-demo
labels:
purpose: demonstrate-command
spec:
containers:
- name: command-demo-container
image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
command: ["kube-apiserver","--encryption-provider-config=/path/to/config/file.yaml"]
args: []
restartPolicy: OnFailure
Non-Compliant Code Examples
apiVersion: v1
kind: Pod
metadata:
name: command-demo
labels:
purpose: demonstrate-command
spec:
containers:
- name: command-demo-container
image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
command: ["kube-apiserver"]
args: []
restartPolicy: OnFailure