More Info:

Ensure that boot disk on k8 node pools are encrypted with CMK

Risk Level

High

Address

Security

Compliance Standards

ISO27001

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration, follow these steps:
  1. Open the Google Cloud Platform (GCP) Console and navigate to the Kubernetes Engine page.
  2. Select the cluster that you want to remediate.
  3. Click on the “Nodes” tab and select the node pool that you want to remediate.
  4. Click on the “Edit” button to edit the node pool.
  5. Scroll down to the “Security” section and click on the “Show” button next to “Boot disk encryption”.
  6. Select “Customer-managed encryption keys” from the drop-down menu.
  7. Click on the “Select a key” button and choose the key that you want to use for encryption.
  8. Click on the “Save” button to save the changes.
  9. Repeat steps 4-8 for each node pool in the cluster.
  10. Verify that the boot disk encryption has been configured correctly by checking the “Encryption” column in the nodes list. It should show “Customer-managed” for each node.
By following these steps, you have successfully remediated the misconfiguration by encrypting the Kubernetes boot disk with customer-managed keys in GCP using the GCP console.

To remediate the misconfiguration “Kubernetes Boot Disk Should Be Encrypted With Customer Managed Keys” for GCP using GCP CLI, follow the below steps:
  1. Open the Cloud Shell or any terminal and ensure that you have the gcloud CLI installed and authenticated with your GCP account.
  2. Run the following command to get the name of the boot disk of your Kubernetes cluster: 
    gcloud container clusters describe [CLUSTER_NAME] --zone [ZONE] | grep "bootDiskName"
    Replace [CLUSTER_NAME] with the name of your Kubernetes cluster and [ZONE] with the zone in which your cluster is running.
  3. Run the following command to encrypt the boot disk with a customer-managed key: 
    gcloud compute disks add-iam-policy-binding [DISK_NAME] --zone [ZONE] --member user:[USER_EMAIL] --role roles/compute.encrypterDecrypter
    Replace [DISK_NAME] with the name of the boot disk obtained from step 2, [ZONE] with the zone in which your cluster is running and [USER_EMAIL] with the email address of the user who will manage the key.
  4. Run the following command to update the disk encryption key: 
    gcloud compute disks update [DISK_NAME] --zone [ZONE] --customer-managed-key --customer-key-name [KEY_NAME] --source-key [KEY_RESOURCE_ID]
    Replace [DISK_NAME] with the name of the boot disk obtained from step 2, [ZONE] with the zone in which your cluster is running, [KEY_NAME] with the name of the customer-managed key and [KEY_RESOURCE_ID] with the ID of the key resource.
By following the above steps, you can remediate the misconfiguration “Kubernetes Boot Disk Should Be Encrypted With Customer Managed Keys” for GCP using GCP CLI.
To remediate the misconfiguration “Kubernetes Boot Disk Should Be Encrypted With Customer Managed Keys” in GCP using Python, you can follow the below steps:
  1. First, you need to create a customer-managed encryption key in Cloud KMS using the following command:
from google.cloud import kms_v1
from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file('path/to/your/credentials.json')
kms_client = kms_v1.KeyManagementServiceClient(credentials=credentials)

parent = kms_client.key_ring_path('project-id', 'location', 'key-ring')
key_id = 'my-key'
purpose = kms_v1.CryptoKey.CryptoKeyPurpose.ENCRYPT_DECRYPT

response = kms_client.create_crypto_key(parent, key_id, {'purpose': purpose})
print(f'Created key: {response.name}')
Note: Replace the path/to/your/credentials.json with the actual path to your GCP service account credentials file, project-id with your GCP project ID, location with the location of your key ring, and my-key with the name of your encryption key.
  1. Next, you need to update your Kubernetes cluster to use the customer-managed encryption key for boot disk encryption. You can use the following command to update the cluster:
from google.cloud import container_v1
from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file('path/to/your/credentials.json')
container_client = container_v1.ClusterManagerClient(credentials=credentials)

cluster_id = 'my-cluster'
project_id = 'project-id'
zone = 'us-central1-a'
key_id = 'projects/project-id/locations/location/keyRings/key-ring/cryptoKeys/my-key'

cluster = container_client.get_cluster(project_id, zone, cluster_id)
cluster.spec.master_authorized_networks_config.encryption_config = {
    'state': 'ENCRYPTED',
    'key_name': key_id
}

update_request = container_client.update_cluster(project_id, zone, cluster_id, cluster)
print(f'Updated cluster: {update_request.name}')
Note: Replace the path/to/your/credentials.json with the actual path to your GCP service account credentials file, project-id with your GCP project ID, location with the location of your key ring, my-key with the name of your encryption key, and my-cluster with the name of your Kubernetes cluster.
  1. Finally, you can verify that the boot disk encryption is using the customer-managed encryption key by checking the cluster details:
cluster = container_client.get_cluster(project_id, zone, cluster_id)
print(f'Boot disk encryption key: {cluster.spec.master_authorized_networks_config.encryption_config.key_name}')
This will print the name of the encryption key used for boot disk encryption.

Additional Reading: