C-0066 - Secret/ETCD encryption enabled

Secret/ETCD encryption enabled

Framework

NSA, MITRE, ArmoBest

Description of the the issue

etcd is a consistent and highly-available key value store used as Kubernetes' backing store for all cluster data. All object data in Kubernetes, like secrets, are stored there. This is the reason why it is important to protect the contents of etcd and use its data encryption feature.

Related resources

Pod

What does this control test

Reading the cluster descritpion from the managed cloud API (EKS, GKE), or the API server pod configuration for native K8s and checking if etcd encryption is enabled

Remediation

Turn on the etcd encryption in your cluster, for more see the vendor documentation.

Example

No example


Did this page help you?