1. Open the Google Kubernetes Engine (GKE) cluster in the GCP console.
2. Navigate to the “Workloads” tab on the left-hand side menu and select the deployment that you want to remediate.
3. Click on the “Edit” button at the top of the screen.
4. Scroll down to the “Environment Variables” section and click on “Add Environment Variable”.
5. Add the following environment variable: Name: GOOGLE_ENCRYPTION_KEY Value: [the name of the KMS key you want to use to encrypt the secrets]
6. Click on the “Save” button at the bottom of the screen to save the changes.
7. Repeat steps 4-6 for each deployment that needs to be remediated.

​

1. Open the Cloud Shell in the GCP Console.
2. Run the following command to get the list of Kubernetes secrets in the cluster:
   Copy

   Ask AI

   kubectl get secrets
   

3. Identify the secrets that are not encrypted using KMS keys.
4. Create a KMS keyring and key:
   Copy

   Ask AI

   gcloud kms keyrings create [KEYRING-NAME] --location [LOCATION]
   
   gcloud kms keys create [KEY-NAME] --location [LOCATION] --keyring [KEYRING-NAME] --purpose encryption
   

   Replace [KEYRING-NAME], [LOCATION] and [KEY-NAME] with the appropriate values.
5. Encrypt the Kubernetes secrets using the KMS key:
   Copy

   Ask AI

   gcloud kms encrypt --key [KEY-NAME] --keyring [KEYRING-NAME] --location [LOCATION] --plaintext-file [SECRET-FILE-PATH] --ciphertext-file [ENCRYPTED-FILE-PATH]
   

   Replace [KEYRING-NAME], [LOCATION], [KEY-NAME], [SECRET-FILE-PATH] and [ENCRYPTED-FILE-PATH] with the appropriate values.
6. Update the Kubernetes secrets with the encrypted data:
   Copy

   Ask AI

   kubectl create secret generic [SECRET-NAME] --from-file=[SECRET-FILE-PATH]=[ENCRYPTED-FILE-PATH]
   

   Replace [SECRET-NAME], [SECRET-FILE-PATH] and [ENCRYPTED-FILE-PATH] with the appropriate values.
7. Verify that the secrets have been encrypted using KMS keys:
   Copy

   Ask AI

   kubectl get secrets
   kubectl describe secret [SECRET-NAME]
   

   Replace [SECRET-NAME] with the name of the secret.
8. Delete the unencrypted Kubernetes secrets:
   Copy

   Ask AI

   kubectl delete secret [SECRET-NAME]
   

   Replace [SECRET-NAME] with the name of the secret.

1. Install the necessary Python libraries:
   • google-auth
   • google-auth-oauthlib
   • google-auth-httplib2
   • google-cloud-kms
   • kubernetes
2. Authenticate with GCP using a service account key file:
   Copy

   Ask AI

   from google.oauth2 import service_account
   credentials = service_account.Credentials.from_service_account_file('key.json')
   

3. Connect to the KMS service:
   Copy

   Ask AI

   from google.cloud import kms_v1
   kms_client = kms_v1.KeyManagementServiceClient(credentials=credentials)
   

4. Get the KMS key resource name:
   Copy

   Ask AI

   key_name = kms_client.crypto_key_path_path('project-id', 'location', 'key-ring', 'key')
   

5. Retrieve the Kubernetes secret:
   Copy

   Ask AI

   from kubernetes import client, config
   config.load_kube_config()
   v1 = client.CoreV1Api()
   secret = v1.read_namespaced_secret('secret-name', 'namespace')
   

6. Encrypt the secret data using the KMS key:
   Copy

   Ask AI

   from google.cloud import kms_v1
   plaintext = secret.data['key']
   response = kms_client.encrypt(key_name, plaintext.encode('utf-8'))
   

7. Update the Kubernetes secret with the encrypted data:
   Copy

   Ask AI

   secret.data['key'] = response.ciphertext
   v1.replace_namespaced_secret('secret-name', 'namespace', secret)