Profile Applicability:
Level 1
Description:
Ensure that encryption providers are properly configured in the Kubernetes API server to protect sensitive data at rest and during communication. Encryption providers control how sensitive data, such as secrets and keys, is encrypted and decrypted within the Kubernetes cluster. These settings are crucial for ensuring compliance with data protection standards and securing sensitive information stored in Kubernetes resources.
Rationale:
Properly configuring encryption providers ensures that sensitive data stored in the Kubernetes cluster (such as secrets, keys, and other confidential information) is securely encrypted, both at rest and during communication. This is a critical security measure to protect data from unauthorized access and meet compliance requirements, such as GDPR or HIPAA.
Impact:
Enhances security by encrypting sensitive data stored in the cluster.
Reduces the risk of unauthorized access to sensitive data, even if an attacker gains access to the underlying storage.
Helps ensure compliance with data protection regulations.
Default Value:
By default, Kubernetes uses aescbc encryption with a default key. This may not be suitable for all environments, and manual configuration of the encryption providers may be necessary.
Pre-Requisites:
Access to the Kubernetes API server configuration.
Properly configured encryption keys and algorithms.
Sufficient privileges (root or administrator access) to modify the API server flags.
A Kubernetes environment with secure data handling and encryption standards.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the Amazon Elastic Kubernetes Service (EKS) console.
Navigate to the "Clusters" section and locate your cluster.
Review the settings for encryption providers in the API server configuration.
Ensure that the encryption providers are set to use strong encryption algorithms and that the encryption keys are securely managed.
Using AWS CLI:
Retrieve the configuration for the Kubernetes API server:
kubectl get deployment -n kube-system kube-apiserver -o yaml
Check the --encryption-provider-config argument in the API server arguments section. It should reference a valid configuration file:
- --encryption-provider-config=/etc/kubernetes/encryption-provider.yaml
Ensure that the encryption providers specified in the configuration file are appropriate for the cluster’s security needs (e.g., aescbc, identity).
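The two checks above (the --encryption-provider-config flag on the API server and the provider list in the referenced file) can be scripted. The following is an added Python example, not part of this benchmark page or of Kubernetes itself; it assumes the API server argument list has been pulled out of the pod manifest and the EncryptionConfiguration file has already been decoded (for instance with yaml.safe_load) into a dict, and it uses constructed sample inputs. It flags the case the page's "e.g., aescbc, identity" hint can hide: identity listed first means secrets are written to etcd unencrypted.

```python
import base64

FLAG = "--encryption-provider-config"
# Providers that actually encrypt stored data; "identity" means plaintext.
ENCRYPTING = {"aescbc", "aesgcm", "secretbox", "kms"}


def encryption_flag_path(args):
    """Return the path passed to --encryption-provider-config, or None if the flag is absent."""
    for i, arg in enumerate(args):
        if arg.startswith(FLAG + "="):
            return arg.split("=", 1)[1]
        if arg == FLAG and i + 1 < len(args):
            return args[i + 1]
    return None


def audit_encryption_config(cfg):
    """Return findings for a decoded EncryptionConfiguration (empty list = looks sound).
    The first provider in a rule is the one used for writes, so identity first = plaintext."""
    findings = []
    if cfg.get("kind") != "EncryptionConfiguration":
        findings.append("kind is not EncryptionConfiguration")
    secrets_rules = [r for r in cfg.get("resources", []) if "secrets" in r.get("resources", [])]
    if not secrets_rules:
        findings.append("no resource rule covers secrets")
    for rule in secrets_rules:
        providers = rule.get("providers", [])
        if not providers:
            findings.append("secrets rule lists no providers")
            continue
        name = next(iter(providers[0]))
        if name not in ENCRYPTING:
            findings.append("first provider for secrets is %r; writes are not encrypted" % name)
        if name in ("aescbc", "aesgcm"):  # static AES keys must decode to 16, 24 or 32 bytes
            for key in providers[0][name].get("keys", []):
                if len(base64.b64decode(key.get("secret", ""))) not in (16, 24, 32):
                    findings.append("key %r is not 16, 24 or 32 bytes" % key.get("name"))
    return findings


# Constructed sample inputs, not taken from the page or from a real cluster.
APISERVER_ARGS = ["kube-apiserver", "--encryption-provider-config=/etc/kubernetes/encryption-provider.yaml"]
KEY = base64.b64encode(b"\x01" * 32).decode()  # placeholder 32-byte key, never use a fixed key
WEAK_CONFIG = {"apiVersion": "apiserver.config.k8s.io/v1", "kind": "EncryptionConfiguration",
               "resources": [{"resources": ["secrets"],
                              "providers": [{"identity": {}}, {"aescbc": {"keys": [{"name": "key1", "secret": KEY}]}}]}]}
GOOD_CONFIG = {"apiVersion": "apiserver.config.k8s.io/v1", "kind": "EncryptionConfiguration",
               "resources": [{"resources": ["secrets"],
                              "providers": [{"aescbc": {"keys": [{"name": "key1", "secret": KEY}]}}, {"identity": {}}]}]}
```

In GOOD_CONFIG identity is kept last only so that secrets written before encryption was enabled can still be read; they remain plaintext until rewritten.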
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the EKS service and navigate to your cluster.
Review the cluster's configuration for the encryption providers.
If the encryption providers are not configured properly, update the API server configuration to point to the correct encryption provider configuration file:
--encryption-provider-config=/etc/kubernetes/encryption-provider.yaml
Save and apply the changes to the Kubernetes API server configuration.
Using AWS CLI:
Modify the API server deployment by adding or updating the --encryption-provider-config argument:
kubectl edit deployment -n kube-system kube-apiserver
In the deployment YAML, locate the command section under the spec for the kube-apiserver container.
Add or update the following line to point to the correct encryption provider configuration:
- --encryption-provider-config=/etc/kubernetes/encryption-provider.yaml
Save and exit the editor to apply the changes.
Backout Plan:
Using AWS Console:
Sign in to the AWS Console.
Open the EKS service and navigate to your cluster.
Locate the API server configuration.
If necessary, revert the changes by setting the --encryption-provider-config argument back to the previous value or restoring the default configuration.
Save and apply the changes to the Kubernetes API server configuration.
Using AWS CLI:
To revert the change, edit the API server deployment to set the --encryption-provider-config argument back to its previous value or restore the default settings:
kubectl edit deployment -n kube-system kube-apiserver
Update the deployment YAML to point to the previous encryption provider configuration or remove the argument.
Save and exit the editor to apply the changes.
References:
Kubernetes Encryption at Rest