Enable encryption of Kubernetes secrets with Customer-Managed Keys (CMKs) for Google Kubernetes Engine (GKE) clusters in order to meet security and compliance requirements. Application-layer secrets encryption protects your Kubernetes secrets in etcd with an encryption key managed using the Cloud KMS service.
This rule resolution is part of the Conformity solution.
Application-layer secrets encryption provides an additional layer of security for sensitive data, such as Kubernetes secrets, stored in etcd. With this security feature, you can use an encryption key managed with Cloud KMS to encrypt data at the application layer and protect against attackers that gain access to an offline copy of etcd. Enabling application-layer secrets encryption for your GKE clusters is considered a security best practice for applications that store sensitive and confidential data.
Audit
To determine if application-layer secrets encryption is enabled for your Google Kubernetes Engine (GKE) clusters, perform the following actions:
Remediation / Resolution
To enable encryption of Kubernetes secrets at the application layer using Cloud KMS Customer-Managed Keys (CMKs), perform the following actions:
References
- Google Cloud Platform (GCP) Documentation
  - Secrets
  - Harden your cluster's security
  - Encrypt secrets at the application layer
- GCP Command Line Interface (CLI) Documentation
  - gcloud projects list
  - gcloud container clusters list
  - gcloud container clusters describe
  - gcloud container clusters update
  - gcloud kms keyrings create
  - gcloud kms keys create
  - gcloud projects add-iam-policy-binding
Enable Encryption for Application-Layer Secrets for GKE Clusters
Risk Level: High