Profile applicability: Level 2
Encrypt Kubernetes secrets, stored in etcd, at the application-layer using a customer-managed
key in Cloud KMS.
By default, GKE encrypts customer content stored at rest, including Secrets. GKE handles
and manages this default encryption for you without any additional action on your
part.
Application-layer Secrets Encryption provides an additional layer of security for
sensitive data, such as user defined Secrets and Secrets required for the operation
of the cluster, such as service account keys, which are all stored in etcd.
Using this functionality, you can use a key that you manage in Cloud KMS to encrypt
Secret data at the application layer before it is written to etcd. This protects against
attackers who manage to gain access to etcd: without access to the Cloud KMS key they
obtain only ciphertext.
Note: By default, Application-layer Secrets Encryption is disabled.
Impact
To use the Cloud KMS CryptoKey to protect etcd in the cluster, the Kubernetes Engine
Service Agent service account (service-<cluster_project_number>@container-engine-robot.iam.gserviceaccount.com)
must hold the Cloud KMS CryptoKey Encrypter/Decrypter role on that key. The cluster
depends on the key from then on: revoking that role, or disabling or destroying the key,
leaves the control plane unable to decrypt the Secrets already stored in etcd.
Audit
Using Google Cloud Console:
- Go to Kubernetes Engine website.
- From the list of clusters, click on each cluster to bring up the Details pane, and ensure Application-layer Secrets Encryption is set to 'Enabled'.
Using Command line:
gcloud container clusters describe $CLUSTER_NAME --zone $COMPUTE_ZONE --format json | jq '.databaseEncryption'
If configured correctly, the output from the command returns a response containing
the following detail (the equivalent key=value rendering is shown first, the JSON
object returned by the jq filter second):

keyName=projects/<key_project_id>/locations/<location>/keyRings/<ring_name>/cryptoKeys/<key_name> state=ENCRYPTED

{
  "currentState": "CURRENT_STATE_ENCRYPTED",
  "keyName": "projects/<key_project_id>/locations/<location>/keyRings/<ring_name>/cryptoKeys/<key_name>",
  "state": "ENCRYPTED"
}

A cluster without the feature reports state DECRYPTED and no keyName.
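As an added example (not part of the benchmark text or of any Google tooling), the following POSIX shell script automates the command-line audit above across every cluster in a project. The function names json_field, db_encryption_compliant and audit_project and the script name are assumptions of this example; the script assumes an authenticated gcloud and that gcloud container clusters describe --format 'json(databaseEncryption)' returns the databaseEncryption block shown above. The compliance check itself needs only sh and sed, so it can be run offline against saved describe output.

```shell
#!/bin/sh
# Audit helper for this recommendation (added example, not part of the CIS
# text). Evaluates the databaseEncryption block returned by
# `gcloud container clusters describe` and walks every cluster in a project.
# audit_project assumes gcloud is installed and authenticated; the
# evaluation itself is plain POSIX sh + sed and runs offline.

# Pull the string value of a key out of a small, flat JSON object.
# Sufficient for databaseEncryption; it is not a general JSON parser.
json_field() {
  # $1 = JSON text, $2 = key name
  printf '%s\n' "$1" |
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" |
    head -n 1
}

# Compliant (exit 0) only when a Cloud KMS key is referenced, the desired
# state is ENCRYPTED and, if the API reports it, the observed currentState
# is CURRENT_STATE_ENCRYPTED. A cluster that never enabled the feature
# (no keyName, state DECRYPTED) or one whose currentState is anything
# else (for example still re-encrypting after a key change) is reported
# as non-compliant so it shows up in the audit.
db_encryption_compliant() {
  json="$1"
  key=$(json_field "$json" keyName)
  state=$(json_field "$json" state)
  current=$(json_field "$json" currentState)
  [ -n "$key" ] || return 1
  [ "$state" = "ENCRYPTED" ] || return 1
  [ -z "$current" ] || [ "$current" = "CURRENT_STATE_ENCRYPTED" ] || return 1
  return 0
}

# Print one PASS/FAIL line per cluster in the project.
audit_project() {
  project="$1"
  gcloud container clusters list --project "$project" \
      --format 'value(name,location)' |
  while read -r name location; do
    # Project only the field we need so json_field never sees other keys.
    block=$(gcloud container clusters describe "$name" \
              --location "$location" --project "$project" \
              --format 'json(databaseEncryption)')
    if db_encryption_compliant "$block"; then
      echo "PASS  $name ($location)  key=$(json_field "$block" keyName)"
    else
      echo "FAIL  $name ($location)  application-layer secrets encryption not active"
    fi
  done
}

# Usage: sh audit-gke-secrets.sh <cluster_project_id>
[ $# -eq 0 ] || audit_project "$1"
```

The check deliberately treats an intermediate or error currentState as a failure rather than a pass: the desired state field alone only says that encryption was requested, not that every Secret in etcd has actually been re-encrypted under the key.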
Remediation
To enable Application-layer Secrets Encryption, several configuration items are required.
These include:
- A key ring, created in the same location as the cluster (for a zonal cluster, the region that contains the zone)
- A key
- A GKE service account with Cloud KMS CryptoKey Encrypter/Decrypter role on that key
The key ring and key may live in a different project from the cluster. Once these are
created, Application-layer Secrets Encryption can be enabled on an existing or new cluster.
Using Google Cloud Console:
To create a key:
- Go to the Cloud KMS website.
- Select CREATE KEY RING.
- Enter a Key ring name and the region where the keys will be stored.
- Click CREATE.
- Enter a Key name and appropriate rotation period within the Create key pane.
- Click CREATE.
To enable a new cluster:
- Go to the Kubernetes Engine website.
- Click CREATE CLUSTER, and choose the required cluster mode.
- Within the Security heading, under CLUSTER, check the Encrypt secrets at the application layer checkbox.
- Select the KMS key as the customer-managed key and, if prompted, grant permissions to the GKE Service account.
- Click CREATE.
To enable an existing cluster:
- Go to the Kubernetes Engine website.
- Select the cluster to be updated.
- Under the Details pane, within the Security heading, click the pencil icon next to Application-layer secrets encryption.
- Enable Encrypt secrets at the application layer and choose a KMS key.
- Click SAVE CHANGES.
Using Command Line:
To create a key:
Create a key ring, in the same location as the cluster:
gcloud kms keyrings create <ring_name> --location <location> --project <key_project_id>
Create a key:
gcloud kms keys create <key_name> --location <location> --keyring <ring_name> --purpose encryption --project <key_project_id>
Grant the Kubernetes Engine Service Agent service account the Cloud KMS CryptoKey Encrypter/Decrypter role. The service agent belongs to the cluster's project and is named service-<cluster_project_number>@container-engine-robot.iam.gserviceaccount.com, where <cluster_project_number> is the numeric project number (gcloud projects describe <cluster_project_id> --format 'value(projectNumber)'):
gcloud kms keys add-iam-policy-binding <key_name> --location <location> --keyring <ring_name> --member serviceAccount:service-<cluster_project_number>@container-engine-robot.iam.gserviceaccount.com --role roles/cloudkms.cryptoKeyEncrypterDecrypter --project <key_project_id>
To create a new cluster with Application-layer Secrets Encryption:
gcloud container clusters create <cluster_name> --cluster-version=latest --zone <zone> --database-encryption-key projects/<key_project_id>/locations/<location>/keyRings/<ring_name>/cryptoKeys/<key_name> --project <cluster_project_id>
To enable on an existing cluster:
gcloud container clusters update <cluster_name> --zone <zone> --database-encryption-key projects/<key_project_id>/locations/<location>/keyRings/<ring_name>/cryptoKeys/<key_name> --project <cluster_project_id>
After either command completes, re-run the Audit command and confirm that state is ENCRYPTED and keyName references the intended key.