lacework-global-763

Encrypt Kubernetes Secrets using keys managed in Cloud Key Management Service (KMS) (Automated)

Description

Encrypt Kubernetes secrets, stored in etcd, at the application-layer using a customer-managed key in Cloud KMS.

Remediation

Note: Lacework does not support Autopilot mode clusters, so the remediation only considers the standard mode cluster option.

Enabling Application-layer Secrets Encryption requires several configuration items.

These include:

  • A key ring.
  • A key.
  • A Google Kubernetes Engine (GKE) service account with Cloud KMS CryptoKey Encrypter/Decrypter role.

After you create these, you can enable Application-layer Secrets Encryption on an existing or new cluster.

Using Google Cloud Console:

To create a key:

  1. Go to Cloud KMS by visiting: https://console.cloud.google.com/security/kms.
  2. Select Create Key Ring.
  3. Enter a Key ring name and the region to store the keys.
  4. Click CREATE.
  5. Enter a Key name and appropriate rotation period within the Create key pane.
  6. Click CREATE.

To enable on a new cluster:

  1. Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.
  2. Click CREATE CLUSTER, and choose CONFIGURE for the Standard mode cluster.
  3. Within the Security heading, under CLUSTER, select Encrypt secrets at the application layer checkbox.
  4. Select the Cloud KMS key as the customer-managed key and, if prompted, grant permissions to the GKE service account.
  5. Click CREATE.

To enable on an existing cluster:

  1. Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.
  2. Select the cluster to update.
  3. Under the Details pane, within the Security heading, click the pencil icon next to Application-layer secrets encryption.
  4. Enable Encrypt secrets at the application layer and choose a Cloud KMS key.
  5. Click Save Changes.

Using Command Line:

Create a key ring:

gcloud kms keyrings create <ring_name> --location <location> --project <key_project_id>

Create a key:

gcloud kms keys create <key_name> --location <location> --keyring <ring_name> --purpose encryption --project <key_project_id>

Grant the Kubernetes Engine Service Agent service account the Cloud KMS CryptoKey Encrypter/Decrypter role:

gcloud kms keys add-iam-policy-binding <key_name> --location <location> --keyring <ring_name> --member serviceAccount:<service_account_name> --role roles/cloudkms.cryptoKeyEncrypterDecrypter --project <key_project_id>

To create a new cluster with Application-layer Secrets Encryption:

gcloud container clusters create <cluster_name> --cluster-version=latest --zone <zone> --database-encryption-key projects/<key_project_id>/locations/<location>/keyRings/<ring_name>/cryptoKeys/<key_name> --project <cluster_project_id>

To enable on an existing cluster:

gcloud container clusters update <cluster_name> --zone <zone> --database-encryption-key projects/<key_project_id>/locations/<location>/keyRings/<ring_name>/cryptoKeys/<key_name> --project <cluster_project_id>
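The command-line remediation above, as an added example that is not Lacework's or Google's own code: a POSIX shell script that composes the CryptoKey resource name and the GKE service agent identity from their parts (the service agent follows the documented `service-<PROJECT_NUMBER>@container-engine-robot.iam.gserviceaccount.com` naming pattern), runs the same `gcloud` commands in order, and then checks the `databaseEncryption` block of `gcloud container clusters describe --format=json` to confirm the cluster reports `ENCRYPTED` with a key name. The project IDs, location, zone, ring, key and cluster names are placeholder assumptions, and the two JSON samples are constructed so the check function can be exercised offline.

```shell
#!/bin/sh
# Added example (not Lacework's or Google's code). Placeholder values below are
# assumptions; override them via the environment before running with "apply".
KEY_PROJECT="${KEY_PROJECT:-my-key-project}"         # project holding the key ring (assumed)
CLUSTER_PROJECT="${CLUSTER_PROJECT:-my-gke-project}" # project holding the cluster (assumed)
LOCATION="${LOCATION:-us-central1}"                  # Cloud KMS location (assumed)
ZONE="${ZONE:-us-central1-a}"                        # cluster zone (assumed)
RING="${RING:-gke-secrets-ring}"                     # key ring name (assumed)
KEY="${KEY:-gke-secrets-key}"                        # key name (assumed)
CLUSTER="${CLUSTER:-prod-cluster}"                   # cluster name (assumed)

# Fully qualified CryptoKey name expected by --database-encryption-key.
key_resource_name() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s' "$1" "$2" "$3" "$4"
}

# The Kubernetes Engine Service Agent that must hold
# roles/cloudkms.cryptoKeyEncrypterDecrypter on the key. Takes the project NUMBER
# (not the project ID) of the cluster project.
gke_service_agent() {
  printf 'serviceAccount:service-%s@container-engine-robot.iam.gserviceaccount.com' "$1"
}

# Read cluster JSON (as printed by `gcloud container clusters describe --format=json`)
# on stdin and print "COMPLIANT <keyName>" when the databaseEncryption block reports
# state ENCRYPTED with a key, otherwise "NON_COMPLIANT state=<state|missing>".
check_database_encryption() {
  block=$(tr -d '\n' | sed -n 's/.*"databaseEncryption": *{\([^}]*\)}.*/\1/p')
  state=$(printf '%s' "$block" | sed -n 's/.*"state": *"\([A-Z_]*\)".*/\1/p')
  key=$(printf '%s' "$block" | sed -n 's/.*"keyName": *"\([^"]*\)".*/\1/p')
  if [ "$state" = "ENCRYPTED" ] && [ -n "$key" ]; then
    printf 'COMPLIANT %s\n' "$key"
  else
    printf 'NON_COMPLIANT state=%s\n' "${state:-missing}"
  fi
}

# Constructed sample describe output: a remediated cluster and a legacy one.
SAMPLE_ENCRYPTED='{
  "name": "prod-cluster",
  "status": "RUNNING",
  "databaseEncryption": {
    "keyName": "projects/my-key-project/locations/us-central1/keyRings/gke-secrets-ring/cryptoKeys/gke-secrets-key",
    "state": "ENCRYPTED"
  }
}'
SAMPLE_DECRYPTED='{
  "name": "legacy-cluster",
  "status": "RUNNING",
  "databaseEncryption": {
    "state": "DECRYPTED"
  }
}'

# End-to-end remediation for an existing standard-mode cluster, then verification.
enable_secrets_encryption() {
  project_number=$(gcloud projects describe "$CLUSTER_PROJECT" --format='value(projectNumber)')
  gcloud kms keyrings create "$RING" --location "$LOCATION" --project "$KEY_PROJECT"
  gcloud kms keys create "$KEY" --location "$LOCATION" --keyring "$RING" \
    --purpose encryption --project "$KEY_PROJECT"
  gcloud kms keys add-iam-policy-binding "$KEY" --location "$LOCATION" --keyring "$RING" \
    --member "$(gke_service_agent "$project_number")" \
    --role roles/cloudkms.cryptoKeyEncrypterDecrypter --project "$KEY_PROJECT"
  gcloud container clusters update "$CLUSTER" --zone "$ZONE" \
    --database-encryption-key "$(key_resource_name "$KEY_PROJECT" "$LOCATION" "$RING" "$KEY")" \
    --project "$CLUSTER_PROJECT"
  gcloud container clusters describe "$CLUSTER" --zone "$ZONE" --project "$CLUSTER_PROJECT" \
    --format=json | check_database_encryption
}

# Only talk to Google Cloud when explicitly asked; otherwise just show the offline check.
if [ "${1:-}" = "apply" ]; then
  enable_secrets_encryption
else
  printf '%s' "$SAMPLE_ENCRYPTED" | check_database_encryption
  printf '%s' "$SAMPLE_DECRYPTED" | check_database_encryption
fi
```

Run with `sh enable_gke_secrets_encryption.sh apply` after setting the variables for your environment; without the argument the script only evaluates the constructed samples. The check function is also usable on its own against real output (`gcloud container clusters describe ... --format=json | check_database_encryption`) to confirm remediation before the next compliance scan, and the key-ring and key creation steps will fail harmlessly if those resources already exist.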

References

https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets