Enable Application-Layer Secrets Encryption for GKE Clusters

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)

Use Cloud KMS Customer-Managed Keys (CMKs) to enable application-layer secrets encryption for your Google Kubernetes Engine (GKE) clusters in order to meet security and compliance requirements. Application-layer secrets encryption protects your Kubernetes secrets in etcd with an encryption key that is managed in the Cloud KMS service.

Security

Application-layer secrets encryption provides an additional layer of security for sensitive data, such as Kubernetes secrets, stored in etcd. With this feature, you can use an encryption key managed with Cloud KMS to encrypt data at the application layer and protect against attackers that gain access to an offline copy of etcd. Enabling application-layer secrets encryption for your GKE clusters is considered a security best practice for applications that store sensitive and confidential data.


Audit

To determine if your Google Kubernetes Engine (GKE) clusters are configured with application-layer secrets encryption, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Google Kubernetes Engine (GKE) console at https://console.cloud.google.com/kubernetes.

04 In the navigation panel, select Clusters to access the list of the GKE clusters deployed within the selected project.

05 Click on the name of the GKE cluster that you want to examine.

06 Select the Details tab to access the cluster configuration information, and check the Application-layer Secrets Encryption configuration attribute value. If the Application-layer Secrets Encryption value is set to Disabled, the application-layer secrets encryption is not enabled for the selected Google Kubernetes Engine (GKE) cluster.

07 Repeat steps no. 5 and 6 for each GKE cluster created for the selected Google Cloud project.

08 Repeat steps no. 2 – 7 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your cloud account:

gcloud projects list \
    --format="table(projectId)"

02 The command output should return the requested GCP project identifiers:

PROJECT_ID
cc-bigdata-project-123123
cc-web-app-project-112233

03 Run container clusters list command (Windows/macOS/Linux) using custom query filters to describe the name and the region for each GKE cluster provisioned for the selected Google Cloud project:

gcloud container clusters list \
    --project cc-bigdata-project-123123 \
    --format="table(name,location)"

04 The command output should return the requested GKE cluster names and their regions:

NAME                     LOCATION
cc-gke-backend-cluster   us-central1
cc-gke-frontend-cluster  us-central1

05 Run container clusters describe command (Windows/macOS/Linux) using the name of the Google Cloud GKE cluster that you want to examine as identifier parameter and custom query filters to describe the resource ID of the Customer-Managed Key (CMK) used for application-layer secrets encryption:

gcloud container clusters describe cc-gke-backend-cluster \
    --region=us-central1 \
    --format="yaml(databaseEncryption.keyName)"

06 The command output should return the requested CMK identifier (ID):

null

If the container clusters describe command output returns null, there is no Customer-Managed Key in use for Kubernetes secrets encryption, therefore the application-layer secrets encryption is not enabled for the selected Google Kubernetes Engine (GKE) cluster.

07 Repeat steps no. 5 and 6 for each GKE cluster available within the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.
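The CLI audit above, steps 01 to 08, as one script. This is an added example, not code from the Conformity page; it assumes gcloud is authenticated with rights to list projects and describe clusters, and RUN_GKE_AUDIT is a variable name chosen here.

```shell
#!/bin/sh
# Added example, not from the Conformity page: walk every project and cluster with
# the same gcloud calls the audit steps use and print one PASS/FAIL line per cluster.
# Assumes an authenticated gcloud; RUN_GKE_AUDIT is a name chosen for this script.
set -eu

# Classify a cluster from the single line `gcloud container clusters describe`
# prints for --format="value(databaseEncryption.state,databaseEncryption.keyName)":
# the two fields separated by a tab. GKE reports ENCRYPTED plus the CMK resource
# name when application-layer secrets encryption is on, and DECRYPTED with an empty
# keyName (the "null" shown in the audit steps) when the Kubernetes secrets in etcd
# have no Cloud KMS protection.
classify_cluster() {
  tab="$(printf '\t')"
  state="${1%%$tab*}"
  key_name="${1#*$tab}"
  [ "$key_name" != "$1" ] || key_name=""      # no tab at all: keyName absent
  if [ "$state" = "ENCRYPTED" ] && [ -n "$key_name" ]; then
    echo "PASS $key_name"
  else
    echo "FAIL no-cmk"
  fi
}

# Steps 01-08: list projects, list clusters per project, describe each cluster.
# --location accepts both regions and zones, so zonal clusters are covered too.
audit_all_projects() {
  tab="$(printf '\t')"
  for project in $(gcloud projects list --format="value(projectId)"); do
    gcloud container clusters list --project="$project" --format="value(name,location)" |
    while IFS="$tab" read -r cluster location; do
      [ -n "$cluster" ] || continue
      line="$(gcloud container clusters describe "$cluster" --location="$location" \
          --project="$project" \
          --format="value(databaseEncryption.state,databaseEncryption.keyName)")"
      printf '%s\t%s\t%s\n' "$project" "$cluster" "$(classify_cluster "$line")"
    done
  done
}

# Run the live audit only on request, so the file can be sourced for its functions.
if [ "${RUN_GKE_AUDIT:-0}" = "1" ]; then
  audit_all_projects
fi
```

Run it with `RUN_GKE_AUDIT=1 sh audit-gke-secrets.sh`; every FAIL line is a cluster that still needs the remediation below.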

Remediation / Resolution

To enable application-layer secrets encryption for your Google Kubernetes Engine (GKE) clusters using Cloud KMS Customer-Managed Keys, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 To create and configure your new Customer-Managed Key (CMK), perform the following:

  1. Navigate to Cloud Key Management Service (Cloud KMS) dashboard at https://console.cloud.google.com/security/kms.
  2. Before you can set up and manage any Customer-Managed Keys (CMKs), you must create a key ring. A KMS key ring is a grouping of cryptographic keys made available for organizational purposes in a specific location. In the navigation panel, select Cryptographic Keys, and click on the CREATE KEY RING button to set up the required key ring and the new Customer-Managed Key (CMK).
  3. A key ring requires a name and location. On the Create key ring page, provide a unique name in the Key ring name box, then choose the appropriate location from the Key ring location dropdown list. The location can be either global or associated with a particular region. If the CMKs created later within the key ring will be used to encrypt/decrypt resources in a given region, select that region as the key ring location. Click CREATE to deploy the new key ring.
  4. On the Create key page, select Generated key as the type of the CMK that you want to create. Provide a name for your new key in the Key name box, choose the protection level (software or Hardware Security Module) that you want to use, select Symmetric encrypt/decrypt from the Purpose dropdown list to define the types of operations that your cryptographic key can perform, and configure the key rotation parameters. Click CREATE to deploy your new Cloud KMS Customer-Managed Key (CMK).

04 Navigate to Google Kubernetes Engine (GKE) console at https://console.cloud.google.com/kubernetes.

05 In the navigation panel, select Clusters to access the list of the GKE clusters created for the selected project.

06 Click on the name of the GKE cluster that you want to reconfigure, then click on the EDIT button from the console top menu to enter the cluster edit mode.

07 On the selected cluster configuration page, perform the following:

  1. Select Enabled from the Application-layer Secrets Encryption dropdown list to enable application-layer secrets encryption for the selected GKE cluster.
  2. Select the CMK created at step no. 3 from the Select a customer-managed key dropdown list. If the newly created CMK does not appear in the dropdown list, select Don't see your key? Enter key resource ID and provide the full resource ID of your Customer-Managed Key (CMK).
  3. Inside "The service-<project-number>@container-engine-robot.iam.gserviceaccount.com service account does not have permissions to encrypt/decrypt with the selected key." configuration box, click Grant to grant the specified service account the required IAM role on the selected CMK.
  4. Click Save to apply the configuration changes.

08 Repeat steps no. 6 and 7 to enable application-layer secrets encryption for other GKE clusters available within the selected project.

09 Repeat steps no. 2 – 8 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Before you can set up and manage your Customer-Managed Key (CMK), you must create a key ring to store the CMK. Run kms keyrings create command (Windows/macOS/Linux) to create a new Cloud KMS key ring in the specified location. If the CMK created later within this key ring will be used to encrypt/decrypt resources in a given region, select that region as the key ring location:

gcloud kms keyrings create cc-cloud-gke-key-ring \
    --location=us-central1 \
    --project=cc-bigdata-project-123123 \
    --format="table(name)"

02 The command output should return the identifier (name) of the newly created key ring:

NAME
projects/cc-bigdata-project-123123/locations/us-central1/keyRings/cc-cloud-gke-key-ring

03 Run kms keys create command (Windows/macOS/Linux) to create a new Cloud KMS Customer-Managed Key (CMK) within the KMS key ring created in the previous steps:

gcloud kms keys create cc-cloud-gke-cmk \
    --location=us-central1 \
    --keyring=cc-cloud-gke-key-ring \
    --purpose=encryption \
    --protection-level=software \
    --rotation-period=90d \
    --next-rotation-time=2020-09-25T15:00:00.0000Z \
    --format="table(name)"

04 The command output should return the name of the new Customer-Managed Key (CMK):

NAME
projects/cc-bigdata-project-123123/locations/us-central1/keyRings/cc-cloud-gke-key-ring/cryptoKeys/cc-cloud-gke-cmk

05 Run projects add-iam-policy-binding command (Windows/macOS/Linux) to assign the Cloud KMS "CryptoKey Encrypter/Decrypter" role to the appropriate service account. Replace <kms-project-id> with the ID of the Google Cloud project where the Customer-Managed Key has been created, and replace <project-number> with the project number of the Google Cloud project that is running your GKE cluster:

gcloud projects add-iam-policy-binding <kms-project-id> \
    --member serviceAccount:service-<project-number>@container-engine-robot.iam.gserviceaccount.com \
    --role roles/cloudkms.cryptoKeyEncrypterDecrypter

06 The command output should return the updated IAM policy (YAML format):

Updated IAM policy for project <kms-project-id>.
bindings:
- members:
  - serviceAccount:service-<project-number>@container-engine-robot.iam.gserviceaccount.com
  role: roles/cloudkms.cryptoKeyEncrypterDecrypter
- members:
  - user:admin@cloudconformity.com
  role: roles/owner
etag: abcdabcdabcd
version: 1

07 Run container clusters update command (Windows/macOS/Linux) using the name of the Google Cloud GKE cluster that you want to reconfigure as the identifier parameter, to enable application-layer secrets encryption for the selected cluster using the Cloud KMS Customer-Managed Key (CMK) created in the previous steps:

gcloud container clusters update cc-gke-backend-cluster \
    --region=us-central1 \
    --project cc-bigdata-project-123123 \
    --database-encryption-key projects/cc-bigdata-project-123123/locations/us-central1/keyRings/cc-cloud-gke-key-ring/cryptoKeys/cc-cloud-gke-cmk

08 The command output should return the URL of the reconfigured GKE cluster:

Updating cc-gke-backend-cluster...done.
Updated [https://container.googleapis.com/v1/projects/cc-bigdata-project-123123/regions/us-central1/clusters/cc-gke-backend-cluster].

09 Repeat steps no. 7 and 8 to enable application-layer secrets encryption for other GKE clusters provisioned for the selected GCP project.

10 Repeat steps no. 1 – 9 for each GCP project deployed in your Google Cloud account.
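The CLI remediation above, steps 01 to 08, as one idempotent function. This is an added example, not code from the Conformity page; it assumes gcloud is authenticated as a principal that can manage Cloud KMS, IAM and GKE in the project, and RUN_GKE_REMEDIATION is a name chosen here. One deliberate variation from the page: the Encrypter/Decrypter role is bound on the key itself rather than project-wide, so the GKE service agent can use only this CMK.

```shell
#!/bin/sh
# Added example, not from the Conformity page: the CLI remediation as one function.
# Assumes an authenticated gcloud with Cloud KMS, IAM and GKE rights in the project.
set -eu

# Full Cloud KMS key resource name, the value --database-encryption-key expects.
key_resource_name() {
  echo "projects/$1/locations/$2/keyRings/$3/cryptoKeys/$4"
}

# GKE service agent that encrypts and decrypts secrets for the cluster
# (the service-<project-number>@container-engine-robot account named in step 05).
gke_service_agent() {
  echo "service-$1@container-engine-robot.iam.gserviceaccount.com"
}

# enable_secrets_encryption PROJECT CLUSTER LOCATION KEYRING KEY
# LOCATION is the cluster's region; the key ring is created in that same region,
# as the page recommends for keys that protect resources in a given region.
enable_secrets_encryption() {
  project="$1" cluster="$2" location="$3" keyring="$4" key="$5"
  # Steps 01-04: create the key ring and key only when they do not exist yet.
  gcloud kms keyrings describe "$keyring" --location="$location" --project="$project" >/dev/null 2>&1 ||
    gcloud kms keyrings create "$keyring" --location="$location" --project="$project"
  gcloud kms keys describe "$key" --keyring="$keyring" --location="$location" --project="$project" >/dev/null 2>&1 ||
    gcloud kms keys create "$key" --keyring="$keyring" --location="$location" --project="$project" \
      --purpose=encryption --protection-level=software --rotation-period=90d \
      --next-rotation-time=+p90d   # relative form from `gcloud topic datetimes`: 90 days from now
  # Steps 05-06: resolve the <project-number> placeholder from the project resource, then
  # bind the role on this key only (variation: the page binds it at project level).
  number="$(gcloud projects describe "$project" --format='value(projectNumber)')"
  gcloud kms keys add-iam-policy-binding "$key" --keyring="$keyring" --location="$location" \
      --project="$project" --member="serviceAccount:$(gke_service_agent "$number")" \
      --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
  # Steps 07-08: switch the cluster's secrets encryption to the CMK.
  gcloud container clusters update "$cluster" --location="$location" --project="$project" \
      --database-encryption-key="$(key_resource_name "$project" "$location" "$keyring" "$key")"
}

# Invocation with the page's sample names; runs only on request.
if [ "${RUN_GKE_REMEDIATION:-0}" = "1" ]; then
  enable_secrets_encryption cc-bigdata-project-123123 cc-gke-backend-cluster \
      us-central1 cc-cloud-gke-key-ring cc-cloud-gke-cmk
fi
```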

Publication date May 10, 2021
