lacework-global-778
Enable Customer-Managed Encryption Keys (CMEK) for Google Kubernetes Engine (GKE) Persistent Disks (PD) (Automated)
Description
Use Customer-Managed Encryption Keys (CMEK) to encrypt node boot and dynamically provisioned attached Google Compute Engine Persistent Disks (PDs) using keys managed within Cloud Key Management Service (KMS).
Remediation
Note: Lacework does not support Autopilot mode clusters, so the remediation only considers the standard mode cluster option.
It is not possible to remediate this by updating an existing cluster. You must either recreate the node pool or create a new cluster.
Using Google Cloud Console:
For node boot disks:
To create a new node pool:
- Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.
- Select Kubernetes clusters with node boot disk CMEK disabled.
- Click Add Node Pool.
- In the Nodes section, under Machine configuration, ensure Boot disk type is Standard persistent disk or Solid-State Drive (SSD) persistent disk.
- Select Enable customer-managed encryption for Boot Disk and select the Cloud KMS encryption key to use.
- Click CREATE.
To create a new cluster:
- Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.
- Click CREATE and click CONFIGURE under Standard mode cluster.
- Under Node Pools, expand the default-pool list and click Nodes.
- In the Configure node settings pane, select Standard persistent disk or SSD Persistent Disk as the Boot disk type.
- Select the Enable customer-managed encryption for Boot Disk checkbox and choose the Cloud KMS encryption key to use.
- Configure the rest of the cluster settings as required.
- Click CREATE.
For attached disks:
This is not possible using Google Cloud Console.
Using Command Line:
For node boot disks:
Create a new node pool using customer-managed encryption keys for the node boot disk, where <disk_type> is either pd-standard or pd-ssd (the node pool is created by name and attached to an existing cluster with --cluster):
gcloud container node-pools create <node_pool_name> --cluster <cluster_name> --disk-type <disk_type> --boot-disk-kms-key projects/<key_project_id>/locations/<location>/keyRings/<ring_name>/cryptoKeys/<key_name>
Create a cluster using customer-managed encryption keys for the node boot disk, where <disk_type> is either pd-standard or pd-ssd:
gcloud container clusters create <cluster_name> --disk-type <disk_type> --boot-disk-kms-key projects/<key_project_id>/locations/<location>/keyRings/<ring_name>/cryptoKeys/<key_name>
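The commands above set the boot disk key; the check that detects node pools still missing it is not on this page, so the following is an added example (not Lacework's policy implementation or Google's code). It audits the JSON that `gcloud container clusters describe <cluster_name> --format=json` returns, reading the `bootDiskKmsKey` field of each node pool's `config`, and treats a missing, empty, or malformed key resource name as non-compliant. The cluster JSON below is constructed for the example, with placeholder KMS key names.

```python
import json
import re
import sys
from typing import Dict

# Cloud KMS key resource names have this shape; anything else in
# bootDiskKmsKey is treated as a misconfiguration rather than as CMEK.
KMS_KEY_RE = re.compile(
    r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$"
)

# Constructed sample shaped like `gcloud container clusters describe --format=json`,
# trimmed to the fields this check reads. Key names are placeholders.
SAMPLE_CLUSTER_JSON = json.dumps({
    "name": "example-cluster",
    "nodePools": [
        # No key at all: boot disks use Google-managed encryption.
        {"name": "default-pool", "config": {"diskType": "pd-standard"}},
        # CMEK enabled with a well-formed key resource name.
        {"name": "cmek-pool", "config": {
            "diskType": "pd-ssd",
            "bootDiskKmsKey": "projects/<key_project_id>/locations/<location>"
                              "/keyRings/<ring_name>/cryptoKeys/<key_name>"}},
        # Field present but empty: still no CMEK.
        {"name": "empty-key-pool", "config": {"diskType": "pd-ssd",
                                              "bootDiskKmsKey": ""}},
        # Field present but not a full resource name.
        {"name": "bad-name-pool", "config": {"diskType": "pd-ssd",
                                             "bootDiskKmsKey": "my-key"}},
    ],
})


def find_pools_without_cmek(cluster_json: str) -> Dict[str, str]:
    """Return {node_pool_name: reason} for every pool whose boot disk
    is not encrypted with a valid customer-managed Cloud KMS key."""
    cluster = json.loads(cluster_json)
    findings: Dict[str, str] = {}
    for pool in cluster.get("nodePools", []):
        key = pool.get("config", {}).get("bootDiskKmsKey")
        if not key:
            findings[pool["name"]] = "no bootDiskKmsKey set"
        elif not KMS_KEY_RE.match(key):
            findings[pool["name"]] = "bootDiskKmsKey is not a Cloud KMS key resource name"
    return findings


def audit_cluster(cluster_json: str) -> dict:
    """Summarise one cluster: compliant only if every node pool uses CMEK."""
    cluster = json.loads(cluster_json)
    findings = find_pools_without_cmek(cluster_json)
    return {
        "cluster": cluster.get("name"),
        "node_pools": len(cluster.get("nodePools", [])),
        "noncompliant_pools": findings,
        "compliant": not findings,
    }


if __name__ == "__main__":
    # Pipe real output in:  gcloud container clusters describe <cluster_name> \
    #   --format=json | python audit_gke_cmek.py   (file name is hypothetical)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CLUSTER_JSON
    result = audit_cluster(data)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["compliant"] else 1)
```

Because CMEK cannot be enabled on an existing node pool, every pool this script names has to be recreated with the commands above; the non-zero exit status makes the check easy to gate in a pipeline.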
For attached disks:
Follow the instructions detailed at: https://cloud.google.com/kubernetes-engine/docs/how-to/using-cmek.
References
https://cloud.google.com/kubernetes-engine/docs/how-to/using-cmek
https://cloud.google.com/compute/docs/disks/customer-managed-encryption
https://cloud.google.com/security/encryption-at-rest/default-encryption
https://cloud.google.com/kubernetes-engine/docs/concepts/persistent-volumes
https://cloud.google.com/sdk/gcloud/reference/container/node-pools/create