Google Cloud Kubernetes Engine

Cluster Encryption Not Desired Level

Ensure that all GKE clusters have the desired application-layer secrets encryption level.

Risk Level: Medium

Description

This plugin ensures that GKE clusters have KMS encryption enabled for application-layer secrets. Application-layer secrets encryption adds an extra layer of protection to the sensitive data stored in etcd: Secrets are encrypted at the application layer with a key controlled by Google Cloud Key Management Service (Cloud KMS), so an attacker who obtains an offline copy of etcd cannot read them.

About the Service

Google Cloud Kubernetes Engine:

Google Kubernetes Engine (GKE) is a managed Kubernetes service that includes a control plane, nodes that host your pods, and integrations with other Google Cloud services. It helps modernize your applications by providing a platform for deploying, managing, and scaling containerized workloads. You can interact with GKE through the Google Cloud Console or kubectl. To learn more, see the GKE documentation.

Impact

If your clusters do not have the desired level of encryption, they are more exposed to security breaches and attacks. This poses a serious threat to the sensitive data stored in etcd, which serves as the backing store for the data in your cluster: an attacker who obtains a copy of your etcd can read all of the data stored in it.

Steps to Reproduce

Using GCP Console-

  1. Log In to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to Kubernetes Engine and select Clusters. You can use this link here to navigate directly if you’re already logged in.
  4. Select the cluster you want to investigate from the list of clusters displayed and go to the Details tab of the selected cluster.
  5. Under the Security section, check the status of Application-layer secrets encryption. If it is disabled, then your cluster does not have the desired level of encryption.
  6. Repeat steps 4 and 5 for all the clusters you want to investigate in the selected project.
  7. If you have multiple projects that you want to investigate, repeat steps 2-6 for each project in your GCP console.

Steps for Remediation

The steps to make the necessary changes to increase the level of encryption for your cluster are given below.

Using GCP Console-

  1. Log In to your GCP Console.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the navigation panel on the left side of the console, go to Kubernetes Engine and select Clusters. You can use this link here to navigate directly if you’re already logged in.
  4. Select the cluster you want to reconfigure from the list of clusters displayed and go to the Details tab of the selected cluster. (If you aren’t sure which cluster needs to be reconfigured, follow the steps to reproduce listed above to determine which to choose.)
  5. In the Security section, click on the Edit button of the Application-layer secrets encryption to edit its configuration.
  6. Click on the Enable application-layer secrets encryption checkbox to enable it.
  7. Next, select a customer-managed key from the dropdown list provided. If you do not see your key, select the Can’t see your key? Enter key resource name option and enter the resource name of your customer-managed key. (If you do not have a customer-managed key, check out the Key management section to find out how to create a new key.)

     Note: To find the resource name of the key, go to the navigation panel on the left side of the console, click Security under the All products section, and select Key management. Select your desired key ring and, from the list of keys in that key ring, click the actions button (three-dot icon) and select the Copy resource name option.
  8. Click Save changes to save the changes to the selected cluster.
  9. Repeat steps 4 to 8 for all the clusters you want to reconfigure in the selected project.
  10. If you have multiple projects, repeat steps 2 to 9 for each project in your GCP console.
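The same check and remediation from the gcloud CLI, as an added example that is not part of this knowledge-base page: it audits the JSON that `gcloud container clusters list --format=json` emits (a constructed sample is embedded so it runs offline) and builds the equivalent `clusters update` command. The project, cluster names, key ring and key name are placeholders, and the rule that the KMS key must sit in the cluster's region is an assumption about GKE's requirements.

```python
"""Audit GKE clusters for application-layer secrets encryption and build the
gcloud remediation command. Input is the JSON that
`gcloud container clusters list --format=json` emits (constructed sample below)."""
import json
import re

# Constructed sample output; cluster names, project and key are made up.
SAMPLE_CLUSTERS_JSON = json.dumps([
    {"name": "prod-cluster", "location": "us-central1",
     "databaseEncryption": {"state": "ENCRYPTED",
                            "keyName": "projects/example-project/locations/"
                                       "us-central1/keyRings/gke-ring/cryptoKeys/etcd-key"}},
    {"name": "staging-cluster", "location": "us-central1-a",
     "databaseEncryption": {"state": "DECRYPTED"}},
    {"name": "legacy-cluster", "location": "europe-west1-b"},  # field absent entirely
])

KEY_NAME_RE = re.compile(
    r"^projects/[^/]+/locations/(?P<location>[^/]+)/keyRings/[^/]+/cryptoKeys/[^/]+$")


def find_unencrypted(clusters_json: str) -> list:
    """Clusters whose databaseEncryption.state is not ENCRYPTED; a missing field counts as DECRYPTED."""
    findings = []
    for cluster in json.loads(clusters_json):
        state = cluster.get("databaseEncryption", {}).get("state", "DECRYPTED")
        if state != "ENCRYPTED":
            findings.append({"name": cluster["name"],
                             "location": cluster["location"], "state": state})
    return findings


def region_of(location: str) -> str:
    """'us-central1-a' (zonal cluster) -> 'us-central1'; a region passes through unchanged."""
    parts = location.split("-")
    return "-".join(parts[:2]) if len(parts) == 3 else location


def remediation_command(name: str, location: str, key_resource_name: str) -> str:
    """gcloud equivalent of the console steps. Rejects a malformed key resource name
    or a key outside the cluster's region (assumption: GKE requires them to match)."""
    match = KEY_NAME_RE.match(key_resource_name)
    if not match:
        raise ValueError(f"not a Cloud KMS key resource name: {key_resource_name}")
    if match.group("location") != region_of(location):
        raise ValueError(f"key is in {match.group('location')}, cluster is in {region_of(location)}")
    return (f"gcloud container clusters update {name} --location {location} "
            f"--database-encryption-key {key_resource_name}")
```

Run `find_unencrypted` over the real `gcloud container clusters list --format=json` output for each project to get the same result as console steps 4 to 7 in one pass.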