Ensure application-layer secrets are encrypted for Google Container Cluster

MEDIUM

Description

Google Kubernetes Engine (GKE) has the capability to encrypt application-layer secrets which can help keep them secure. When utilizing secrets, it is best practice not to pass them to containers in plain text.

Remediation

In GCP Console -

  1. Open the GCP Portal and go to Google Kubernetes Engine (GKE).
  2. Select the cluster you want to edit.
  3. Click Details. Under Security, next to Application-layer secrets encryption, click Edit Application-layer secrets encryption.
  4. Select the Encrypt secrets at the application layer checkbox.
  5. Click Save Changes.

In Terraform -

  1. In the google_container_cluster resource, set the attribute database_encryption.state to enabled.
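The Terraform remediation as an added example (not taken from the rule page or the provider docs): the provider's `database_encryption.state` accepts the values `ENCRYPTED` and `DECRYPTED`, and `key_name` must name a Cloud KMS key when the state is `ENCRYPTED`. Resource names, the location and the project number are placeholders.

```hcl
# Non-compliant cluster: Secrets are stored unencrypted at the application layer.
# Omitting the database_encryption block entirely has the same effect.
resource "google_container_cluster" "noncompliant" {
  name     = "example-cluster"   # placeholder
  location = "us-central1"       # placeholder

  database_encryption {
    state = "DECRYPTED"
  }
}

# Cloud KMS key used to wrap Secrets. It must live in the same location
# as the cluster it protects.
resource "google_kms_key_ring" "gke" {
  name     = "gke-secrets-ring"  # placeholder
  location = "us-central1"
}

resource "google_kms_crypto_key" "gke_secrets" {
  name     = "gke-secrets-key"   # placeholder
  key_ring = google_kms_key_ring.gke.id
}

# The GKE service agent needs encrypt/decrypt rights on the key, otherwise
# cluster creation fails. Replace PROJECT_NUMBER with the real project number.
resource "google_kms_crypto_key_iam_member" "gke_uses_key" {
  crypto_key_id = google_kms_crypto_key.gke_secrets.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-PROJECT_NUMBER@container-engine-robot.iam.gserviceaccount.com"
}

# Compliant cluster: application-layer Secrets encryption enabled with the key above.
resource "google_container_cluster" "compliant" {
  name     = "example-cluster"
  location = "us-central1"

  database_encryption {
    state    = "ENCRYPTED"
    key_name = google_kms_crypto_key.gke_secrets.id
  }

  depends_on = [google_kms_crypto_key_iam_member.gke_uses_key]
}
```

After applying, `gcloud container clusters describe` on the cluster shows `databaseEncryption.state: ENCRYPTED`, which is the condition this rule checks for.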

References:
https://cloud.google.com/kubernetes-engine/docs/how-to/shielded-gke-nodes
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#database_encryption

Policy Details

Rule Reference ID: AC_GCP_0243
CSP: GCP
Remediation Available: Yes
Resource Category: Compute

Frameworks