Detections
Analytics

CNTR-K8-001162 - Kubernetes Secrets must be encrypted at rest.

Information

Kubernetes Secrets may store sensitive information such as passwords, tokens, and keys. These values are stored in the etcd database used by Kubernetes unencrypted. To protect these Secrets at rest, these values must be encrypted.

Solution

Edit the Kubernetes API Server manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Master Node.

Set the value of '--encryption-provider-config' to the path to the encryption config.

The encryption config must specify the Secret's resource and provider. Below is an example:
{
 'kind': 'EncryptionConfiguration',
 'apiVersion': 'apiserver.config.k8s.io/v1',
 'resources': [
 {
 'resources': [
 'secrets'
 ],
 'providers': [
 {
 'aescbc': {
 'keys': [
 {
 'name': 'aescbckey',
 'secret': 'xxxxxxxxxxxxxxxxxxx'
 }
 ]
 }
 },
 {
 'identity': {}
 }
 ]
 }
 ]
}

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Kubernetes_V2R5_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CAT|I, CCI|CCI-000213, Rule-ID|SV-274882r1137640_rule, STIG-ID|CNTR-K8-001162, Vuln-ID|V-274882

Plugin: Unix

Control ID: 8f5c37fcdd3b0ad8e88d1e10b7e6a93ee18ed6ddf5af71f580b2452e627ae3ed