Profile Applicability:
Level 1
Description:
Kubernetes allows you to store sensitive data such as passwords, API keys, and certificates in Secret objects. By default, Kubernetes stores these Secrets unencrypted in etcd. This check ensures that Kubernetes Secrets are encrypted at rest to protect sensitive information from unauthorized access.
Rationale:
Kubernetes Secrets contain sensitive information, and storing them unencrypted increases the risk of exposure. By enabling encryption at rest for Secrets, the sensitive data is encrypted before being written to etcd, ensuring that it is protected even if unauthorized individuals gain access to etcd. This is a critical step for securing your Kubernetes cluster.
Impact:
Pros:
Ensures that sensitive information stored in Kubernetes Secrets is encrypted and protected.
Helps meet security compliance requirements for encrypting sensitive data.
Cons:
Requires configuration and management of encryption keys.
May introduce slight performance overhead due to encryption and decryption operations.
Default Value:
By default, Kubernetes does not encrypt Secrets at rest. Encryption must be manually configured in the Kubernetes cluster settings.
Pre-requisites:
Ensure that your Kubernetes cluster is configured to use an encryption provider and that you have access to configure encryption settings for etcd.
Remediation:
Test Plan:
Using Azure Console:
Navigate to the Azure portal and access the Azure Kubernetes Service (AKS) cluster.
Review the Kubernetes Secrets settings to verify that encryption is enabled for Secrets at rest.
Check the AKS encryption settings to ensure that the secrets stored in etcd are encrypted using the appropriate encryption provider.
Using Azure CLI:
Verify whether Key Vault KMS encryption for etcd (and therefore for Kubernetes Secrets) is enabled using the following command:
az aks show --resource-group <resource-group-name> --name <aks-cluster-name> --query "securityProfile.azureKeyVaultKms.enabled"
Ensure that the command returns true, indicating that Secrets are encrypted at rest with the configured Key Vault key.
Implementation Plan:
Using Azure Console:
In the Azure portal, navigate to Azure Kubernetes Service (AKS) and select your cluster.
Under Security settings, enable encryption for Kubernetes Secrets.
Ensure that the encryption provider is set to use KMS (Key Management Service) or another encryption provider for encrypting etcd data.
Ensure the etcd encryption configuration is applied and tested by reviewing the cluster security settings.
Using Azure CLI:
To enable encryption for Secrets, enable Key Vault KMS for etcd with the following Azure CLI command, supplying the identifier of a Key Vault key the cluster is permitted to use. Note that the azure-keyvault-secrets-provider add-on (az aks enable-addons --resource-group <resource-group-name> --name <aks-cluster-name> --addons azure-keyvault-secrets-provider) integrates Key Vault through the Secrets Store CSI driver and does not encrypt etcd:
az aks update --resource-group <resource-group-name> --name <aks-cluster-name> --enable-azure-keyvault-kms --azure-keyvault-kms-key-id <key-vault-key-id>
Ensure the encryption settings are applied to Secrets that already exist in the cluster by running an update with no other options, which rewrites all stored Secrets with the configured key:
az aks update --resource-group <resource-group-name> --name <aks-cluster-name>
Confirm the encryption status by checking the KMS settings for etcd:
az aks show --resource-group <resource-group-name> --name <aks-cluster-name> --query "securityProfile.azureKeyVaultKms.enabled"
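The verification step in the Test Plan and the final confirmation step of the Implementation Plan both read the KMS encryption state from the cluster object. The following Python script, an added example rather than part of this benchmark or of the Azure CLI, evaluates that state from the JSON produced by az aks show. It assumes the KMS settings appear under securityProfile.azureKeyVaultKms with enabled and keyId fields; the cluster documents it uses offline are constructed samples with placeholder names and key identifiers.

```python
"""Evaluate the 'Secrets encrypted at rest' check from `az aks show` output.

Added example for this check, not part of the benchmark text. It assumes the
cluster JSON returned by `az aks show -g <rg> -n <name> -o json` exposes the
Key Vault KMS state under securityProfile.azureKeyVaultKms (enabled, keyId).
"""
import json
import subprocess
import sys

# Constructed sample resembling the relevant part of `az aks show` output for
# a cluster with Key Vault KMS etcd encryption enabled (placeholder IDs).
SAMPLE_COMPLIANT = {
    "name": "example-aks",
    "securityProfile": {
        "azureKeyVaultKms": {
            "enabled": True,
            "keyId": "https://example-kv.vault.azure.net/keys/etcd-kms/0000000000000000",
            "keyVaultNetworkAccess": "Public",
        }
    },
}

# Constructed sample for a cluster where KMS was never configured (the default).
SAMPLE_NONCOMPLIANT = {
    "name": "example-aks-default",
    "securityProfile": {"azureKeyVaultKms": None},
}


def evaluate_secrets_encryption(cluster):
    """Return (passed, reason) for one cluster document.

    Passes only when KMS is enabled AND a Key Vault key identifier is set;
    a missing securityProfile or a null azureKeyVaultKms block counts as
    not encrypted, which is how a freshly created cluster reports itself.
    """
    kms = (cluster.get("securityProfile") or {}).get("azureKeyVaultKms") or {}
    if not kms.get("enabled"):
        return False, "Key Vault KMS etcd encryption is not enabled"
    key_id = kms.get("keyId") or ""
    if not key_id.startswith("https://"):
        return False, "KMS is enabled but no key identifier is configured"
    return True, f"KMS etcd encryption enabled with key {key_id}"


def fetch_cluster(resource_group, name):
    """Run `az aks show` and parse its JSON (requires a logged-in Azure CLI)."""
    result = subprocess.run(
        ["az", "aks", "show", "--resource-group", resource_group,
         "--name", name, "-o", "json"],
        check=True, capture_output=True, text=True,
    )
    return json.loads(result.stdout)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        cluster = fetch_cluster(sys.argv[1], sys.argv[2])
    else:
        cluster = SAMPLE_COMPLIANT  # offline demo on the constructed sample
    passed, reason = evaluate_secrets_encryption(cluster)
    print(f"{cluster['name']}: {'PASS' if passed else 'FAIL'} - {reason}")
    sys.exit(0 if passed else 1)
```

Run it with no arguments to evaluate the constructed sample, or with <resource-group-name> <aks-cluster-name> to query a live cluster through the Azure CLI; the exit status is 0 only when the check passes, so the script can be used as a gate in a pipeline that audits clusters.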
Backout Plan:
Using Azure Console:
If enabling encryption causes issues, revert the changes in the Azure portal by disabling encryption for Kubernetes Secrets.
Using Azure CLI:
Revert the encryption settings by disabling Key Vault KMS and then running a plain update so that stored Secrets are rewritten without KMS encryption:
az aks update --resource-group <resource-group-name> --name <aks-cluster-name> --disable-azure-keyvault-kms
az aks update --resource-group <resource-group-name> --name <aks-cluster-name>
References:
Azure Kubernetes Service (AKS) Encryption at Rest Documentation
Kubernetes Secrets Encryption Documentation