Encryption providers are appropriately configured

kubernetes

Classification: compliance
Framework: cis-kubernetes
Control: 1.2.34


Description

Where etcd encryption is used, appropriate providers should be configured.

Rationale

Where etcd encryption is used, it is important to ensure that the appropriate set of encryption providers is used. Currently, aescbc, kms, and secretbox are likely to be appropriate options.

Audit

Run the following command on the master node:

ps -ef | grep kube-apiserver

Get the EncryptionConfig file set for the --encryption-provider-config argument. Verify that aescbc, kms, or secretbox is set as the encryption provider for all the desired resources.

Remediation

Follow the Kubernetes documentation and configure an EncryptionConfig file. In this file, choose aescbc, kms, or secretbox as the encryption provider.
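The audit and remediation steps above as a script, added here as an example that is not part of the CIS benchmark or the Kubernetes project: it pulls the --encryption-provider-config path from the kube-apiserver command line and checks each resource group in the EncryptionConfiguration file. It goes one step beyond the audit text by checking provider order, since kube-apiserver encrypts new writes with the first listed provider and an "identity" entry in first position means plaintext storage. The ps line, the file path and the key material are constructed placeholders.

```shell
#!/bin/sh
# Added audit helper for CIS 1.2.34 (example code, not from CIS or Kubernetes). It finds
# the --encryption-provider-config path on the kube-apiserver command line and checks that
# every resource group lists aescbc, kms or secretbox as its FIRST provider: the first
# provider encrypts new writes, so "identity" first means secrets land in etcd in plaintext.
# Path passed to --encryption-provider-config (kube-apiserver command line on stdin).
encryption_config_path() {
  grep -o -- '--encryption-provider-config[= ][^ ]*' | head -n 1 | sed 's/^[^= ]*[= ]//'
}
# First provider name of each resource group. Only the first "- <name>:" item after a
# "providers:" line is taken, so nested key entries ("- name: key1") are skipped.
first_providers() {
  awk '/^[ \t]*providers:/ { want = 1; next }
       want && /^[ \t]*- [A-Za-z]+:/ {
         sub(/^[ \t]*- /, ""); sub(/:.*/, ""); print; want = 0
       }' "$1"
}
# Succeeds only if every resource group writes with an approved provider.
check_encryption_config() {
  seen=0; bad=0
  for p in $(first_providers "$1"); do
    seen=1
    case "$p" in
      aescbc|kms|secretbox) echo "ok: first provider is $p" ;;
      *) echo "FAIL: first provider is $p (new writes are unencrypted)"; bad=1 ;;
    esac
  done
  [ "$seen" = 1 ] && [ "$bad" = 0 ]
}
# Constructed sample inputs (placeholder path and key material, not real values).
SAMPLE_PS='root 1 0 0 10:00 ? 00:00:01 kube-apiserver --encryption-provider-config=/etc/kubernetes/enc.yaml --etcd-servers=https://127.0.0.1:2379'
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: PLACEHOLDER_BASE64_KEY
      - identity: {}
EOF
# Same file with identity inserted as the first provider: secrets would be stored in plaintext.
awk '{ print } /providers:/ { print "      - identity: {}" }' "$GOOD_CFG" > "$BAD_CFG"
echo "$SAMPLE_PS" | encryption_config_path
check_encryption_config "$GOOD_CFG"
check_encryption_config "$BAD_CFG" || echo "audit failed for $BAD_CFG"
```

On a real control-plane node, replace the constructed ps line with the output of ps -ef | grep kube-apiserver and point check_encryption_config at the path it reports.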

Impact

None

Default value

By default, no encryption provider is set.

References

  1. https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
  2. https://acotten.com/post/kube17-security
  3. https://kubernetes.io/docs/admin/kube-apiserver/
  4. https://github.com/kubernetes/features/issues/92
  5. https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#providers

CIS controls

Version 6 14.5 Encrypt At Rest Sensitive Information - Sensitive information stored on systems shall be encrypted at rest and require a secondary authentication mechanism, not integrated into the operating system, in order to access the information.

Version 7 14.8 Encrypt Sensitive Information at Rest - Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.