Control: 7.1.1.1 Ensure Kubernetes secrets data is encrypted with bring your own key (BYOK)

Description

IBM® Key Protect for IBM CloudTM helps you provision encrypted keys for apps across IBM Cloud services. Use the IBM Key Protect for IBM Cloud key management service (KMS) to encrypt data in Kubernetes secrets and prevent unauthorized users from accessing sensitive app information (for example, credentials and keys). Keys are generated by FIPS 140-2 Level 3 certified hardware security modules (HSMs) that are located in secure IBM Cloud data centers.

Remediation

From Console

1. Log in to your IBM Cloud account.
2. To view the list of services that are available on IBM Cloud, click Catalog.
3. From the All Categories navigation pane, click the Security and Identity category.
4. From the list of services, click the Key Protect tile.
5. Select a service plan, and click Create to provision an instance of Key Protect in the account, region, and resource group where you are logged in.
6. To view a list of your resources, go to Menu > Resource List.
7. From your IBM Cloud resource list, select your provisioned instance of Key Protect.
8. To create a new key, click Add key and select the Create a key window. Specify the key's name and key type.
9. When you are finished filling out the key's details, click Create key to confirm.
10. From the Clusters console, select the cluster that you want to enable encryption for.
11. From the Overview tab, in the Summary > Key management service section, click Enable.
12. Select the Key management service instance and Root key that you want to use for the encryption.
13. Click Enable.
14. Verify that the KMS enablement process is finished. From the Summary > Master status section, you can check the progress.
15. After the KMS provider is enabled in the cluster, data in etcd and new secrets that are created in the cluster are automatically encrypted by using your root key.
16. To encrypt existing secrets with the root key, rewrite the secrets. This cannot be done from the console. See the From Command Line section.

From Command Line:

1. Log in to IBM Cloud through the IBM Cloud CLI.

ibmcloud login [--sso]

2. Select the region and resource group where you want to create a Key Protect instance.

ibmcloud target -r <region_name> -g <resource_group_name>

3. Provision a public or private Key Protect instance.

ibmcloud resource service-instance-create <instance_name> kms tiered-pricing
<region> [-p '{"allowed_network": "private-only"}']

4. Create a customer root key (CRK) in your KMS instance. You can't use the CLI for this action; you must use the GUI or API. See the above From Console section.

5. Get the ID of the KMS instance that you previously created.

ibmcloud ks kms instance ls

6. Get the ID of the root key that you previously created.

ibmcloud ks kms crk ls --instance-id <KMS_instance_ID>

7. Enable the KMS provider to encrypt secrets in your cluster. Fill in the options with the information that you previously retrieved. The KMS provider's private service endpoint is used by default to download the encryption keys. To use the public service endpoint instead, include the --public-endpoint option. The enablement process can take some time to complete.

ibmcloud ks kms enable -c <cluster_name_or_ID> --instance-id
<kms_instance_ID> --crk <root_key_ID> [--public-endpoint]

8. Verify that the KMS enablement process is finished. The process is finished when the Master Status is Ready.

9. After the KMS provider is enabled in the cluster, data in etcd and new secrets that are created in the cluster are automatically encrypted by using your root key.

10. Set the context for your cluster.

ibmcloud ks cluster config -c <cluster_name_or_ID>

11. With cluster-admin access, rewrite the secrets to encrypt them.

kubectl get secrets --all-namespaces -o json | kubectl replace -f -