CIS-1.2.30 - Ensure that encryption providers are appropriately configured

Ensure that encryption providers are appropriately configured

Note: to enable this control run Kubescape with host sensor (see here)

Framework

CIS

Severity

High

Description of the the issue

Where etcd encryption is used, it is important to ensure that the appropriate set of encryption providers is used. Currently, the aescbc, kms and secretbox are likely to be appropriate options.

Related resources

What does this control test

Where etcd encryption is used, appropriate providers should be configured.

How to check it manually

Run the following command on the Control Plane node:

ps -ef | grep kube-apiserver

Get the EncryptionConfig file set for --encryption-provider-config argument. Verify that aescbc, kms or secretbox is set as the encryption provider for all the desired resources.

Remediation

Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file, choose aescbc, kms or secretbox as the encryption provider.

Impact Statement

None

Default Value

By default, no encryption provider is set.

Example

No example