GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Ensure Kubernetes Secrets Are Encrypted Using KMS Keys
More Info:
Encrypt Kubernetes secrets, stored in etcd, at the application-layer using a customermanaged key in Cloud KMS.
Risk Level
Medium
Address
Security, Reliability, Operational Excellence, Performance Efficiency
Compliance Standards
CISGKE
Triage and Remediation
Remediation
To remediate the misconfiguration “Ensure Kubernetes Secrets Are Encrypted Using KMS Keys” in GCP using the GCP console, follow the below steps:
-
Open the Google Kubernetes Engine (GKE) cluster in the GCP console.
-
Navigate to the “Workloads” tab on the left-hand side menu and select the deployment that you want to remediate.
-
Click on the “Edit” button at the top of the screen.
-
Scroll down to the “Environment Variables” section and click on “Add Environment Variable”.
-
Add the following environment variable:
Name: GOOGLE_ENCRYPTION_KEY
Value: [the name of the KMS key you want to use to encrypt the secrets]
-
Click on the “Save” button at the bottom of the screen to save the changes.
-
Repeat steps 4-6 for each deployment that needs to be remediated.
By following these steps, you have ensured that Kubernetes secrets are encrypted using KMS keys in GCP.
To remediate the misconfiguration of Kubernetes Secrets not being encrypted using KMS Keys on GCP, you can follow the below steps:
-
Open the Cloud Shell in the GCP Console.
-
Run the following command to get the list of Kubernetes secrets in the cluster:
kubectl get secrets -
Identify the secrets that are not encrypted using KMS keys.
-
Create a KMS keyring and key:
gcloud kms keyrings create [KEYRING-NAME] --location [LOCATION] gcloud kms keys create [KEY-NAME] --location [LOCATION] --keyring [KEYRING-NAME] --purpose encryptionReplace [KEYRING-NAME], [LOCATION] and [KEY-NAME] with the appropriate values.
-
Encrypt the Kubernetes secrets using the KMS key:
gcloud kms encrypt --key [KEY-NAME] --keyring [KEYRING-NAME] --location [LOCATION] --plaintext-file [SECRET-FILE-PATH] --ciphertext-file [ENCRYPTED-FILE-PATH]Replace [KEYRING-NAME], [LOCATION], [KEY-NAME], [SECRET-FILE-PATH] and [ENCRYPTED-FILE-PATH] with the appropriate values.
-
Update the Kubernetes secrets with the encrypted data:
kubectl create secret generic [SECRET-NAME] --from-file=[SECRET-FILE-PATH]=[ENCRYPTED-FILE-PATH]Replace [SECRET-NAME], [SECRET-FILE-PATH] and [ENCRYPTED-FILE-PATH] with the appropriate values.
-
Verify that the secrets have been encrypted using KMS keys:
kubectl get secrets kubectl describe secret [SECRET-NAME]Replace [SECRET-NAME] with the name of the secret.
-
Delete the unencrypted Kubernetes secrets:
kubectl delete secret [SECRET-NAME]Replace [SECRET-NAME] with the name of the secret.
By following these steps, you can ensure that the Kubernetes secrets are encrypted using KMS keys on GCP.
To remediate the misconfiguration of ensuring Kubernetes secrets are encrypted using KMS keys in GCP using Python, you can follow the below steps:
-
Install the necessary Python libraries:
- google-auth
- google-auth-oauthlib
- google-auth-httplib2
- google-cloud-kms
- kubernetes
-
Authenticate with GCP using a service account key file:
from google.oauth2 import service_account credentials = service_account.Credentials.from_service_account_file('key.json') -
Connect to the KMS service:
from google.cloud import kms_v1 kms_client = kms_v1.KeyManagementServiceClient(credentials=credentials) -
Get the KMS key resource name:
key_name = kms_client.crypto_key_path_path('project-id', 'location', 'key-ring', 'key') -
Retrieve the Kubernetes secret:
from kubernetes import client, config config.load_kube_config() v1 = client.CoreV1Api() secret = v1.read_namespaced_secret('secret-name', 'namespace') -
Encrypt the secret data using the KMS key:
from google.cloud import kms_v1 plaintext = secret.data['key'] response = kms_client.encrypt(key_name, plaintext.encode('utf-8')) -
Update the Kubernetes secret with the encrypted data:
secret.data['key'] = response.ciphertext v1.replace_namespaced_secret('secret-name', 'namespace', secret)
By following these steps, you can ensure that Kubernetes secrets are encrypted using KMS keys in GCP using Python.