Use Cloud KMS Customer-Managed Keys (CMKs) to enable application-layer secrets encryption for your Google Kubernetes Engine (GKE) clusters in order to meet security and compliance requirements. Application-layer secrets encryption protects the Kubernetes secrets stored in etcd with an encryption key that you manage in the Cloud KMS service.
Application-layer secrets encryption provides an additional layer of security for sensitive data, such as Kubernetes secrets, stored in etcd. With this feature, GKE uses an encryption key managed in Cloud KMS to encrypt the data at the application layer, so an attacker who obtains an offline copy of etcd cannot read the secrets without access to that key. Enabling application-layer secrets encryption for your GKE clusters is considered a security best practice for applications that store sensitive or confidential data.
To determine if your Google Kubernetes Engine (GKE) clusters are configured with application-layer secrets encryption, perform the following actions:
Remediation / Resolution
To enable application-layer secrets encryption for your Google Kubernetes Engine (GKE) clusters using Cloud KMS Customer-Managed Keys, perform the following actions:
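The audit and remediation described above, as an added example that is not part of the original page: it evaluates the JSON printed by `gcloud container clusters describe NAME --location LOCATION --format=json` (the `databaseEncryption.state` / `keyName` fields GKE reports) and builds the `gcloud container clusters update ... --database-encryption-key` command for any cluster that fails. The two cluster records, project name and key name are constructed for the demo, and the use of `--location` for both zonal and regional clusters is an assumption about the gcloud CLI.

```python
"""Audit GKE cluster descriptions for application-layer secrets encryption."""
import shlex

# Constructed sample `describe` output: one compliant cluster, one without CMK encryption.
SAMPLE_CLUSTERS = [
    {
        "name": "prod-cluster",
        "location": "us-central1",
        "databaseEncryption": {
            "state": "ENCRYPTED",
            "keyName": "projects/example-project/locations/us-central1/"
                       "keyRings/gke-ring/cryptoKeys/etcd-key",
        },
    },
    {
        "name": "dev-cluster",
        "location": "us-east1-b",
        "databaseEncryption": {"state": "DECRYPTED"},
    },
]


def is_secrets_encryption_enabled(cluster: dict) -> bool:
    """True only if etcd secrets are encrypted with a Cloud KMS key.

    GKE reports `databaseEncryption.state` as ENCRYPTED or DECRYPTED and,
    when ENCRYPTED, the Cloud KMS key resource name in `keyName`.
    A missing `databaseEncryption` block is treated as not encrypted.
    """
    enc = cluster.get("databaseEncryption") or {}
    return enc.get("state") == "ENCRYPTED" and bool(enc.get("keyName"))


def noncompliant_clusters(clusters: list) -> list:
    """Names of clusters that fail the check (the finding to report)."""
    return [c["name"] for c in clusters if not is_secrets_encryption_enabled(c)]


def remediation_command(cluster: dict, kms_key: str) -> str:
    """Build the gcloud command that enables CMK encryption on a cluster.

    `--database-encryption-key` takes the full Cloud KMS key resource name;
    the `--location` flag is assumed to accept a zone or a region.
    """
    return ("gcloud container clusters update "
            f"{shlex.quote(cluster['name'])} --location {shlex.quote(cluster['location'])} "
            f"--database-encryption-key {shlex.quote(kms_key)}")


if __name__ == "__main__":
    for name in noncompliant_clusters(SAMPLE_CLUSTERS):
        print(f"{name}: application-layer secrets encryption NOT enabled")
```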
Enable Application-Layer Secrets Encryption for GKE Clusters
Risk level: High