C-0066 - Secret/etcd encryption enabled

Prerequisites

Integrate with cloud provider (see here)

Framework

ClusterScan, security, MITRE, cis-eks-t1.2.0, ArmoBest, NSA, AllControls

Severity

Medium

Description of the the issue

etcd is a consistent and highly-available key value store used as Kubernetes' backing store for all cluster data. All object data in Kubernetes, like secrets, are stored there. This is the reason why it is important to protect the contents of etcd and use its data encryption feature.

Related resources

Pod

What does this control test

Reading the cluster description from the managed cloud API (EKS, GKE), or the API server pod configuration for native K8s and checking if etcd encryption is enabled

Remediation

Turn on the etcd encryption in your cluster, for more see the vendor documentation.

Example

No example