Use Cloud KMS Customer-Managed Keys (CMKs) to enable application-layer secrets encryption for your Google Kubernetes Engine (GKE) clusters in order to meet security and compliance requirements. Application-layer secrets encryption protects your Kubernetes secrets in etcd with an encryption key that you manage in Cloud KMS.
Application-layer secrets encryption provides an additional layer of security for sensitive data, such as Kubernetes secrets, stored in etcd. With this feature, you can use an encryption key managed with Cloud KMS to encrypt data at the application layer and protect against attackers that gain access to an offline copy of etcd. Enabling application-layer secrets encryption for your GKE clusters is considered a security best practice for applications that store sensitive and confidential data.
To determine if your Google Kubernetes Engine (GKE) clusters are configured with application-layer secrets encryption, perform the following actions:
Remediation / Resolution
To enable application-layer secrets encryption for your Google Kubernetes Engine (GKE) clusters using Cloud KMS Customer-Managed Keys, perform the following actions:
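The audit and the remediation described above, as an added gcloud example that is not part of the original knowledge-base page. The cluster, location, project, key ring and key names are placeholders; the audit evaluates the `databaseEncryption.state` field that `gcloud container clusters describe` reports, and the offline demo at the end runs the same check against constructed describe output so the logic can be exercised without a GCP project.

```shell
#!/bin/sh
# Added example (not from the knowledge-base page): audit and remediate
# application-layer secrets encryption on a GKE cluster with gcloud.
# All cluster, location, project and KMS key names are placeholders.

# Compliant only when GKE reports the state as ENCRYPTED; a cluster without
# the feature reports DECRYPTED, and an empty value (field absent) fails too.
encryption_state_is_compliant() {
    [ "$1" = "ENCRYPTED" ]
}

# Pull databaseEncryption.state out of `describe --format=json` output read
# from stdin (no jq dependency; the object may list keyName before state).
state_from_describe_json() {
    tr -d '\n ' | sed -n 's/.*"databaseEncryption":{[^}]*"state":"\([A-Z_]*\)".*/\1/p'
}

# Live audit: requires gcloud and read access to the project (not run offline).
audit_cluster() {
    cluster="$1"; location="$2"; project="$3"
    state=$(gcloud container clusters describe "$cluster" \
        --location "$location" --project "$project" \
        --format="value(databaseEncryption.state)")
    if encryption_state_is_compliant "$state"; then
        echo "$cluster: application-layer secrets encryption is enabled"
    else
        echo "$cluster: NOT compliant (state=${state:-unset}); remediation required"
        return 1
    fi
}

# Remediation: let the GKE service agent use the key, then point the cluster
# at it. The key must live in the same region as the cluster. GKE re-encrypts
# the existing secrets in etcd once the update completes.
remediate_cluster() {
    cluster="$1"; location="$2"; project="$3"
    key_ring="$4"; key="$5"; key_location="$6"
    project_number=$(gcloud projects describe "$project" --format="value(projectNumber)")
    gcloud kms keys add-iam-policy-binding "$key" \
        --location "$key_location" --keyring "$key_ring" --project "$project" \
        --member "serviceAccount:service-${project_number}@container-engine-robot.iam.gserviceaccount.com" \
        --role roles/cloudkms.cryptoKeyEncrypterDecrypter
    gcloud container clusters update "$cluster" \
        --location "$location" --project "$project" \
        --database-encryption-key "projects/$project/locations/$key_location/keyRings/$key_ring/cryptoKeys/$key"
}

# Constructed describe output (placeholder names) for an offline demonstration.
SAMPLE_DECRYPTED='{"name":"demo-cluster","databaseEncryption":{"state":"DECRYPTED"}}'
SAMPLE_ENCRYPTED='{"name":"demo-cluster","databaseEncryption":{"keyName":"projects/demo-project/locations/us-central1/keyRings/demo-ring/cryptoKeys/demo-key","state":"ENCRYPTED"}}'

demo() {
    for sample in "$SAMPLE_DECRYPTED" "$SAMPLE_ENCRYPTED"; do
        state=$(printf '%s' "$sample" | state_from_describe_json)
        if encryption_state_is_compliant "$state"; then
            echo "state=$state -> compliant"
        else
            echo "state=$state -> NOT compliant, run remediate_cluster"
        fi
    done
}

demo
```

Usage against a real project is `audit_cluster CLUSTER LOCATION PROJECT`, followed by `remediate_cluster CLUSTER LOCATION PROJECT KEY_RING KEY KEY_LOCATION` for any cluster that reports a state other than ENCRYPTED; the IAM binding step matters because the cluster update fails if the GKE service agent cannot encrypt and decrypt with the key.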
Enable Application-Layer Secrets Encryption for GKE Clusters
Risk level: High