Kubernetes Boot Disk Should Be Encrypted With Customer Managed Keys
More Info:
Ensure that boot disk on k8 node pools are encrypted with CMKRisk Level
HighAddress
SecurityCompliance Standards
ISO27001Triage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration, follow these steps:
- Open the Google Cloud Platform (GCP) Console and navigate to the Kubernetes Engine page.
- Select the cluster that you want to remediate.
- Click on the “Nodes” tab and select the node pool that you want to remediate.
- Click on the “Edit” button to edit the node pool.
- Scroll down to the “Security” section and click on the “Show” button next to “Boot disk encryption”.
- Select “Customer-managed encryption keys” from the drop-down menu.
- Click on the “Select a key” button and choose the key that you want to use for encryption.
- Click on the “Save” button to save the changes.
- Repeat steps 4-8 for each node pool in the cluster.
- Verify that the boot disk encryption has been configured correctly by checking the “Encryption” column in the nodes list. It should show “Customer-managed” for each node.
Using CLI
Using CLI
To remediate the misconfiguration “Kubernetes Boot Disk Should Be Encrypted With Customer Managed Keys” for GCP using GCP CLI, follow the below steps:
- Open the Cloud Shell or any terminal and ensure that you have the gcloud CLI installed and authenticated with your GCP account.
-
Run the following command to get the name of the boot disk of your Kubernetes cluster:
Replace
[CLUSTER_NAME]with the name of your Kubernetes cluster and[ZONE]with the zone in which your cluster is running. -
Run the following command to encrypt the boot disk with a customer-managed key:
Replace
[DISK_NAME]with the name of the boot disk obtained from step 2,[ZONE]with the zone in which your cluster is running and[USER_EMAIL]with the email address of the user who will manage the key. -
Run the following command to update the disk encryption key:
Replace
[DISK_NAME]with the name of the boot disk obtained from step 2,[ZONE]with the zone in which your cluster is running,[KEY_NAME]with the name of the customer-managed key and[KEY_RESOURCE_ID]with the ID of the key resource.
Using Python
Using Python
To remediate the misconfiguration “Kubernetes Boot Disk Should Be Encrypted With Customer Managed Keys” in GCP using Python, you can follow the below steps:Note: Replace the Note: Replace the This will print the name of the encryption key used for boot disk encryption.
- First, you need to create a customer-managed encryption key in Cloud KMS using the following command:
path/to/your/credentials.json with the actual path to your GCP service account credentials file, project-id with your GCP project ID, location with the location of your key ring, and my-key with the name of your encryption key.- Next, you need to update your Kubernetes cluster to use the customer-managed encryption key for boot disk encryption. You can use the following command to update the cluster:
path/to/your/credentials.json with the actual path to your GCP service account credentials file, project-id with your GCP project ID, location with the location of your key ring, my-key with the name of your encryption key, and my-cluster with the name of your Kubernetes cluster.- Finally, you can verify that the boot disk encryption is using the customer-managed encryption key by checking the cluster details: