Control: 7.1.1.2 Ensure Kubernetes secrets data is encrypted with keep your own key (KYOK)

Description

IBM Cloud® Hyper Protect Crypto Services (Hyper Protect Crypto Services for short) is a dedicated key management service and hardware security module (HSM) based on IBM Cloud. This service allows you to take the ownership of the cloud HSM to fully manage your encryption keys and to perform cryptographic operations. Use Hyper Protect Crypt Services, a dedicated key management service (KMS) and hardware security module (HSM), to encrypt data in Kubernetes secrets and prevent unauthorized users from accessing sensitive app information, for example, credentials and keys.

Remediation

From Console

1. Log in to your IBM Cloud account.
2. To view the list of services that are available on IBM Cloud, click Catalog.
3. Search for Hyper Protect Crypto Services.
4. Select a service plan, and click Create to provision an instance of Hyper Protect Crypto Services in the account, region, and resource group where you are logged in.
5. To view a list of your resources, go to Menu > Resource List.
6. From your IBM Cloud resource list, select your provisioned instance of Hyper Protect Crypto Services.
7. To create a new key, click Add key and select the Create a key window. Specify the key's name and key type.
8. When you are finished filling out the key's details, click Create key to confirm.
9. From the Clusters console, select the cluster that you want to enable encryption for.
10. From the Overview tab, in the Summary > Key management service section, click Enable.
11. Select the Key management service instance and Root key that you want to use for the encryption.
12. Click Enable.
13. Verify that the KMS enablement process is finished. From the Summary > Master status section, you can check the progress.
14. After the KMS provider is enabled in the cluster, data in etcd and new secrets that are created in the cluster are automatically encrypted by using your root key.
15. To encrypt existing secrets with the root key, rewrite the secrets. This cannot be done from the console. See the From Command Line section.

From Command Line:

1. Log in to IBM Cloud through the IBM Cloud CLI.

ibmcloud login [--sso]

2. Select the region and resource group where you want to create a Hyper Protect Crypto Services instance.

ibmcloud target -r <region_name> -g <resource_group_name>

3. Provision a public or private Hyper Protect Crypto Services instance.

ibmcloud resource service-instance-create <instance_name> kms tiered-pricing
<region> [-p '{"allowed_network": "private-only"}']

4. Create a customer root key (CRK) in your KMS instance. You can't use the CLI for this action, you must use the GUI or API. See the above From Console section.

5. Get the ID of the KMS instance that you previously created.

ibmcloud ks kms instance ls

6. Get the ID of the root key that you previously created.

ibmcloud ks kms crk ls --instance-id <KMS_instance_ID>

7. Enable the KMS provider to encrypt secrets in your cluster. Fill in the options with the information that you previously retrieved. The KMS provider's private service endpoint is used by default to download the encryption keys. To use the public service endpoint instead, include the --public-endpoint option. The enablement process can take some time to complete.

ibmcloud ks kms enable -c <cluster_name_or_ID> --instance-id
<kms_instance_ID> --crk <root_key_ID> [--public-endpoint]

8. Verify that the KMS enablement process is finished. The process is finished when the Master Status is Ready.

9. After the KMS provider is enabled in the cluster, data in etcd and new secrets that are created in the cluster are automatically encrypted by using your root key.

10. Set the context for your cluster.

ibmcloud ks cluster config -c <cluster_name_or_ID>

12. With cluster-admin access, rewrite the secrets to encrypt them.

kubectl get secrets --all-namespaces -o json | kubectl replace -f -