lacework-global-763
Encrypt Kubernetes Secrets using keys managed in Cloud Key Management Service (KMS) (Automated)
Description
Encrypt Kubernetes secrets, stored in etcd, at the application-layer using a customer-managed key in Cloud KMS.
Remediation
Note: Lacework does not support Autopilot mode clusters, so the remediation only considers the standard mode cluster option.
Enabling Application-layer Secrets Encryption requires several configuration items. These include:
- A key ring.
- A key.
- A Google Kubernetes Engine (GKE) service account with the Cloud KMS CryptoKey Encrypter/Decrypter role.
After you create these, you can enable Application-layer Secrets Encryption on an existing or new cluster.
Using Google Cloud Console:
To create a key:
- Go to Cloud KMS by visiting: https://console.cloud.google.com/security/kms.
- Select Create Key Ring.
- Enter a Key ring name and the region to store the keys.
- Click CREATE.
- Enter a Key name and appropriate rotation period within the Create key pane.
- Click CREATE.
To enable on a new cluster:
- Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.
- Click CREATE CLUSTER, and choose CONFIGURE for the Standard mode cluster.
- Within the Security heading, under CLUSTER, select the Encrypt secrets at the application layer checkbox.
- Select the KMS key as the customer-managed key and, if prompted, grant permissions to the GKE service account.
- Click CREATE.
To enable on an existing cluster:
- Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.
- Select the cluster to update.
- Under the Details pane, within the Security heading, click the pencil named Application-layer secrets encryption.
- Enable Encrypt secrets at the application layer and choose a KMS key.
- Click Save Changes.
Using Command Line:
Create a key ring:
gcloud kms keyrings create <ring_name> --location <location> --project <key_project_id>
Create a key:
gcloud kms keys create <key_name> --location <location> --keyring <ring_name> --purpose encryption --project <key_project_id>
Grant the Kubernetes Engine Service Agent service account the Cloud KMS CryptoKey Encrypter/Decrypter role:
gcloud kms keys add-iam-policy-binding <key_name> --location <location> --keyring <ring_name> --member serviceAccount:<service_account_name> --role roles/cloudkms.cryptoKeyEncrypterDecrypter --project <key_project_id>
To create a new cluster with Application-layer Secrets Encryption:
gcloud container clusters create <cluster_name> --cluster-version=latest --zone <zone> --database-encryption-key projects/<key_project_id>/locations/<location>/keyRings/<ring_name>/cryptoKeys/<key_name> --project <cluster_project_id>
To enable on an existing cluster:
gcloud container clusters update <cluster_name> --zone <zone> --database-encryption-key projects/<key_project_id>/locations/<location>/keyRings/<ring_name>/cryptoKeys/<key_name> --project <cluster_project_id>
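The following script is an added example, not Lacework's or Google's own code. It chains the command-line remediation steps above for an existing cluster into one function and adds the verification step a reviewer would want: reading back databaseEncryption.state and databaseEncryption.keyName from gcloud container clusters describe and passing only when the state is ENCRYPTED and the key is a Cloud KMS key resource. The Kubernetes Engine Service Agent email format (service-<project number>@container-engine-robot.iam.gserviceaccount.com) is taken from the GKE documentation and is an assumption of this script; every project, ring, key and cluster name is a placeholder. The remediate function is not run here, so the script can be executed offline: it only runs the compliance check against two constructed sample outputs.

```shell
#!/bin/sh
# Added example (not from the original policy page). Placeholders throughout.
set -eu

# Build the full Cloud KMS key resource name from its parts.
# $1 = key project id, $2 = location, $3 = key ring name, $4 = key name
kms_key_name() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s' "$1" "$2" "$3" "$4"
}

# Compliance check on the output of
#   gcloud container clusters describe <cluster> --zone <zone> \
#     --format='value(databaseEncryption.state,databaseEncryption.keyName)'
# which prints the two fields separated by a tab. Returns 0 only when the
# state is ENCRYPTED and the key is a Cloud KMS CryptoKey resource name.
is_encrypted() {
  state=$(printf '%s' "$1" | cut -f1)
  key=$(printf '%s' "$1" | cut -s -f2)
  if [ "$state" = "ENCRYPTED" ]; then
    case "$key" in
      projects/*/locations/*/keyRings/*/cryptoKeys/*) return 0 ;;
    esac
  fi
  return 1
}

# Remediation for an existing Standard mode cluster, following the gcloud
# steps on the page, then a read-back verification. Not executed here.
# $1 key project, $2 location, $3 key ring, $4 key,
# $5 cluster project, $6 zone, $7 cluster name
remediate() {
  key_project=$1; location=$2; ring=$3; key=$4
  cluster_project=$5; zone=$6; cluster=$7
  # Assumption: the GKE service agent is named after the cluster project's number.
  project_number=$(gcloud projects describe "$cluster_project" --format='value(projectNumber)')
  agent="service-${project_number}@container-engine-robot.iam.gserviceaccount.com"

  gcloud kms keyrings create "$ring" --location "$location" --project "$key_project"
  gcloud kms keys create "$key" --location "$location" --keyring "$ring" \
    --purpose encryption --project "$key_project"
  gcloud kms keys add-iam-policy-binding "$key" --location "$location" --keyring "$ring" \
    --member "serviceAccount:${agent}" \
    --role roles/cloudkms.cryptoKeyEncrypterDecrypter --project "$key_project"
  gcloud container clusters update "$cluster" --zone "$zone" \
    --database-encryption-key "$(kms_key_name "$key_project" "$location" "$ring" "$key")" \
    --project "$cluster_project"

  # Verify the change took effect before declaring the finding remediated.
  out=$(gcloud container clusters describe "$cluster" --zone "$zone" --project "$cluster_project" \
    --format='value(databaseEncryption.state,databaseEncryption.keyName)')
  is_encrypted "$out"
}

# Constructed sample describe outputs (not taken from any real cluster) for an
# offline self-check of the compliance logic.
SAMPLE_OK=$(printf 'ENCRYPTED\tprojects/example-key-project/locations/us-central1/keyRings/example-ring/cryptoKeys/example-key')
SAMPLE_BAD=$(printf 'DECRYPTED\t')

if is_encrypted "$SAMPLE_OK" && ! is_encrypted "$SAMPLE_BAD"; then
  echo "self-check passed: compliant and non-compliant samples classified correctly"
else
  echo "self-check failed" >&2
  exit 1
fi
```

To apply it to a real cluster, source the script and call remediate with the seven placeholder values replaced; the final is_encrypted call makes the function's exit status reflect whether the cluster now reports ENCRYPTED with a KMS key, which is the same property the automated policy evaluates.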
References
https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets