Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “Ensure Kubernetes Secrets Are Encrypted Using KMS Keys” in GCP using the GCP console, follow the steps below:
- Open the Google Kubernetes Engine (GKE) cluster in the GCP console.
- Navigate to the “Workloads” tab on the left-hand side menu and select the deployment that you want to remediate.
- Click on the “Edit” button at the top of the screen.
- Scroll down to the “Environment Variables” section and click on “Add Environment Variable”.
- Add an environment variable with Name: GOOGLE_ENCRYPTION_KEY and Value: [the name of the KMS key you want to use to encrypt the secrets].
- Click on the “Save” button at the bottom of the screen to save the changes.
- Repeat steps 4-6 for each deployment that needs to be remediated.
Using CLI
To remediate the misconfiguration of Kubernetes Secrets not being encrypted using KMS keys on GCP, follow the steps below:
- Open the Cloud Shell in the GCP Console.
- Run the following command to get the list of Kubernetes secrets in the cluster:
- Identify the secrets that are not encrypted using KMS keys.
- Create a KMS keyring and key:
  Replace [KEYRING-NAME], [LOCATION] and [KEY-NAME] with the appropriate values.
- Encrypt the Kubernetes secrets using the KMS key:
  Replace [KEYRING-NAME], [LOCATION], [KEY-NAME], [SECRET-FILE-PATH] and [ENCRYPTED-FILE-PATH] with the appropriate values.
- Update the Kubernetes secrets with the encrypted data:
  Replace [SECRET-NAME], [SECRET-FILE-PATH] and [ENCRYPTED-FILE-PATH] with the appropriate values.
- Verify that the secrets have been encrypted using KMS keys:
  Replace [SECRET-NAME] with the name of the secret.
- Delete the unencrypted Kubernetes secrets:
  Replace [SECRET-NAME] with the name of the secret.
Using Python
To remediate the misconfiguration so that Kubernetes secrets are encrypted using KMS keys in GCP with Python, follow the steps below:
- Install the necessary Python libraries:
  - google-auth
  - google-auth-oauthlib
  - google-auth-httplib2
  - google-cloud-kms
  - kubernetes
- Authenticate with GCP using a service account key file:
- Connect to the KMS service:
- Get the KMS key resource name:
- Retrieve the Kubernetes secret:
- Encrypt the secret data using the KMS key:
- Update the Kubernetes secret with the encrypted data:
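The Python steps above assembled into one script, as an added example that is not code from the original page or from any vendor. The Cloud KMS and Kubernetes calls are wired in `kms_encrypt_fn` and `remediate_secret` (using Application Default Credentials and the local kubeconfig rather than a service account key file), while `encrypt_secret_data` holds the base64 handling and the KMS encryption of each value and takes the encrypt function as a parameter so it can be checked without cloud access; the annotation name `example.invalid/kms-key` is an assumption of this example and is what lets a second run skip a Secret that was already encrypted.

```python
import base64
from typing import Callable, Dict

# Annotation recording which KMS key encrypted a Secret; the name is an
# assumption of this example, not a Kubernetes or GKE convention.
KMS_KEY_ANNOTATION = "example.invalid/kms-key"

def encrypt_secret_data(secret: dict, encrypt: Callable[[bytes], bytes],
                        key_name: str) -> dict:
    """Build the patch that replaces a Secret's values with KMS ciphertext.
    `secret` is the Secret as the API returns it (values base64-encoded);
    `encrypt` maps plaintext bytes to ciphertext bytes. A Secret already
    annotated with this key yields an empty patch, so re-running the
    remediation cannot encrypt the ciphertext a second time."""
    annotations = (secret.get("metadata") or {}).get("annotations") or {}
    if annotations.get(KMS_KEY_ANNOTATION) == key_name:
        return {}
    encrypted: Dict[str, str] = {}
    for name, b64_value in (secret.get("data") or {}).items():
        plaintext = base64.b64decode(b64_value)
        encrypted[name] = base64.b64encode(encrypt(plaintext)).decode("ascii")
    return {"metadata": {"annotations": {KMS_KEY_ANNOTATION: key_name}},
            "data": encrypted}

def kms_encrypt_fn(project: str, location: str, keyring: str, key: str):
    """Return (key resource name, encrypt callable) backed by Cloud KMS.
    Needs google-cloud-kms and Application Default Credentials."""
    from google.cloud import kms
    client = kms.KeyManagementServiceClient()
    key_name = client.crypto_key_path(project, location, keyring, key)

    def encrypt(plaintext: bytes) -> bytes:
        return client.encrypt(request={"name": key_name,
                                       "plaintext": plaintext}).ciphertext
    return key_name, encrypt

def remediate_secret(name: str, namespace: str, project: str, location: str,
                     keyring: str, key: str) -> bool:
    """Read the Secret, encrypt its values with the KMS key and patch it
    back (needs the kubernetes client). Returns False if already done."""
    from kubernetes import client, config
    config.load_kube_config()
    api = client.CoreV1Api()
    key_name, encrypt = kms_encrypt_fn(project, location, keyring, key)
    current = api.read_namespaced_secret(name, namespace).to_dict()
    patch = encrypt_secret_data(current, encrypt, key_name)
    if patch:
        api.patch_namespaced_secret(name, namespace, patch)
    return bool(patch)
```

Workloads that read the Secret must decrypt the values with the same key before use, so roll them out together with this change.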