5.3.1 Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS

Information

Encrypt Kubernetes secrets, stored in etcd, at the application-layer using a customer-managed key in Cloud KMS.

By default, GKE encrypts customer content stored at rest, including Secrets. GKE handles and manages this default encryption for you without any additional action on your part.

Application-layer Secrets Encryption provides an additional layer of security for sensitive data, such as user defined Secrets and Secrets required for the operation of the cluster, such as service account keys, which are all stored in etcd.

Using this functionality, you can use a key, that you manage in Cloud KMS, to encrypt data at the application layer. This protects against attackers in the event that they manage to gain access to etcd.

Solution

To enable Application-layer Secrets Encryption, several configuration items are required. These include:

- A key ring
- A key
- A GKE service account with Cloud KMS CryptoKey Encrypter/Decrypter role

Once these are created, Application-layer Secrets Encryption can be enabled on an existing or new cluster.

Using Google Cloud Console:

To create a key

- Go to Cloud KMS by visiting

https://console.cloud.google.com/security/kms

.
- Select CREATE KEY RING
- Enter a Key ring name and the region where the keys will be stored.
- Click CREATE
- Enter a Key name and appropriate rotation period within the Create key pane.
- Click CREATE

To enable on a new cluster

- Go to Kubernetes Engine by visiting:

https://console.cloud.google.com/kubernetes/list

.
- Click CREATE CLUSTER and choose the required cluster mode.
- Within the Security heading, under CLUSTER check Encrypt secrets at the application layer checkbox.
- Select the kms key as the customer-managed key and, if prompted, grant permissions to the GKE Service account.
- Click CREATE

To enable on an existing cluster

- Go to Kubernetes Engine by visiting:

https://console.cloud.google.com/kubernetes/list

.
- Select the cluster to be updated.
- Under the Details pane, within the Security heading, click on the pencil named Application-layer secrets encryption.
- Enable Encrypt secrets at the application layer and choose a kms key.
- Click SAVE CHANGES

Using Command Line:

To create a key:Create a key ring:

gcloud kms keyrings create <ring_name> --location <location> --project <key_project_id>

Create a key:

gcloud kms keys create <key_name> --location <location> --keyring <ring_name> --purpose encryption --project <key_project_id>

Grant the Kubernetes Engine Service Agent service account the Cloud KMS CryptoKey Encrypter/Decrypter role:

gcloud kms keys add-iam-policy-binding <key_name> --location <location> --keyring <ring_name> --member serviceAccount:<service_account_name> --role roles/cloudkms.cryptoKeyEncrypterDecrypter --project <key_project_id>

To create a new cluster with Application-layer Secrets Encryption:

gcloud container clusters create <cluster_name> --cluster-version=latest --zone <zone> --database-encryption-key projects/<key_project_id>/locations/<location>/keyRings/<ring_name>/cryptoKeys/<key_name> --project <cluster_project_id>

To enable on an existing cluster:

gcloud container clusters update <cluster_name> --zone <zone> --database-encryption-key projects/<key_project_id>/locations/<location>/keyRings/<ring_name>/cryptoKeys/<key_name> --project <cluster_project_id>

Impact:

To use the Cloud KMS CryptoKey to protect etcd in the cluster, the 'Kubernetes Engine Service Agent' Service account must hold the 'Cloud KMS CryptoKey Encrypter/Decrypter' role.

See Also

https://workbench.cisecurity.org/benchmarks/19166

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|14.8

Plugin: GCP

Control ID: 3ca74249d285845019e945ed640c7d1ab0b764fe78ea9bec6a568b0efa64b128