Use Customer-Managed Encryption Keys (CMEK) to encrypt node boot and dynamically-provisioned attached Google Compute Engine Persistent Disks (PDs) using keys managed within Cloud Key Management Service (Cloud KMS).

Rationale: GCE persistent disks are encrypted at rest by default using envelope encryption with keys managed by Google. For additional protection, users can manage the Key Encryption Keys using Cloud KMS.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
This cannot be remediated by updating an existing cluster. You must either recreate the desired node pool or create a new cluster.

Using Google Cloud Console

FOR NODE BOOT DISKS:

To create a new node pool:
1. Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list
2. Select the Kubernetes cluster for which node boot disk CMEK is disabled.
3. Click ADD NODE POOL.
4. Ensure Boot disk type is 'Standard persistent disk' or 'SSD persistent disk'.
5. Select 'Enable customer-managed encryption for Boot Disk' and select the Cloud KMS encryption key you desire.
6. Click SAVE.

To create a new cluster:
1. Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list
2. Click CREATE CLUSTER.
3. Under the 'default-pool' heading, click 'More options'.
4. In the Node pool edit window, select 'Standard persistent disk' or 'SSD Persistent Disk' as the Boot disk type.
5. Select the 'Enable customer-managed encryption for Boot Disk' check box and choose the Cloud KMS encryption key you desire.
6. Configure the rest of the cluster settings as desired.
7. Click CREATE.
8. Click Save.

FOR ATTACHED DISKS:
This is not possible using Google Cloud Console.

Using Command Line

FOR NODE BOOT DISKS:

Create a new node pool using customer-managed encryption keys for the node boot disk, where [DISK_TYPE] is either pd-standard or pd-ssd (the node pool name is the positional argument and the target cluster is given with --cluster):

gcloud beta container node-pools create [NODE_POOL_NAME] --cluster [CLUSTER_NAME] --disk-type [DISK_TYPE] --boot-disk-kms-key projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]

Create a cluster using customer-managed encryption keys for the node boot disk, where [DISK_TYPE] is either pd-standard or pd-ssd:

gcloud beta container clusters create [CLUSTER_NAME] --disk-type [DISK_TYPE] --boot-disk-kms-key projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]

FOR ATTACHED DISKS:
Follow the instructions detailed at https://cloud.google.com/kubernetes-engine/docs/how-to/using-cmek.
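Because Nessus does not perform this check, the following added audit helper (not part of the benchmark or of any Google tooling) evaluates each node pool in a cluster description for a boot-disk CMEK key. It assumes the JSON shape returned by `gcloud container clusters describe [CLUSTER_NAME] --format=json`, where each node pool's `config` carries the GKE NodeConfig fields `diskType` and `bootDiskKmsKey`; the sample cluster below is constructed for illustration.

```python
import json
import re

# Resource-name format Cloud KMS expects for --boot-disk-kms-key
KMS_KEY_RE = re.compile(
    r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$"
)
# Boot-disk types the benchmark accepts for CMEK
CMEK_DISK_TYPES = {"pd-standard", "pd-ssd"}


def check_boot_disk_cmek(cluster):
    """Return one finding dict per node pool: status PASS or FAIL plus reasons."""
    findings = []
    for pool in cluster.get("nodePools", []):
        config = pool.get("config", {})
        key = config.get("bootDiskKmsKey")
        disk_type = config.get("diskType")
        problems = []
        if not key:
            problems.append("no bootDiskKmsKey set (Google-managed key in use)")
        elif not KMS_KEY_RE.match(key):
            problems.append("bootDiskKmsKey is not a full Cloud KMS key resource name")
        if disk_type and disk_type not in CMEK_DISK_TYPES:
            problems.append(f"diskType {disk_type} is not pd-standard or pd-ssd")
        findings.append({
            "nodePool": pool.get("name", "<unnamed>"),
            "status": "FAIL" if problems else "PASS",
            "problems": problems,
        })
    return findings


# Constructed sample resembling the output of `gcloud container clusters describe`
SAMPLE_CLUSTER = json.loads("""
{
  "name": "example-cluster",
  "nodePools": [
    {"name": "default-pool",
     "config": {"diskType": "pd-standard"}},
    {"name": "cmek-pool",
     "config": {"diskType": "pd-ssd",
                "bootDiskKmsKey": "projects/key-project/locations/us-central1/keyRings/gke-ring/cryptoKeys/node-boot"}}
  ]
}
""")

if __name__ == "__main__":
    for finding in check_boot_disk_cmek(SAMPLE_CLUSTER):
        print(finding["status"], finding["nodePool"], "; ".join(finding["problems"]))
```

Pipe the real `gcloud ... --format=json` output through `json.load` in place of the constructed sample to audit a live cluster; any FAIL line is a node pool that must be recreated as described above.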
Impact: While GKE CMEK is in beta, encryption of dynamically-provisioned attached disks requires the use of the self-provisioned Compute Engine Persistent Disk CSI Driver v0.5.1 or higher. If you are configuring CMEK with a regional cluster, the cluster must run GKE 1.14 or higher.

Default Value: Persistent disks are encrypted at rest by default, but are not encrypted using Customer-Managed Encryption Keys by default. By default, the Compute Engine Persistent Disk CSI Driver is not provisioned within the cluster.