Benchmark: 7.1.1 Use a Key Management Service (KMS) provider to encrypt data in Kubernetes secrets
Description
Protect sensitive information in your IBM Cloud Kubernetes Service cluster to ensure data integrity and to prevent your data from being exposed to unauthorized users.
Understanding Key Management Service (KMS) providers
You can protect the etcd component in your Kubernetes master and Kubernetes secrets by using a Kubernetes key management service (KMS) provider that encrypts secrets with encryption keys that you control.
Supported KMS providers
IBM Cloud Kubernetes Service supports the following KMS providers:
- IBM Key Protect for IBM Cloud, for public cloud or on-prem environments (bring your own key, BYOK).
- Hyper Protect Crypto Services, for keep your own key (KYOK) support backed by dedicated crypto units.
Because adding a different KMS provider requires updating the managed master default configuration, you cannot add other KMS providers to the cluster.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-ibm-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 7.1.1 Use a Key Management Service (KMS) provider to encrypt data in Kubernetes secrets.
Run this benchmark in your terminal:
powerpipe benchmark run ibm_compliance.benchmark.cis_v100_7_1_1
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run ibm_compliance.benchmark.cis_v100_7_1_1 --share
Controls
- 7.1.1.1 Ensure Kubernetes secrets data is encrypted with bring your own key (BYOK)
- 7.1.1.2 Ensure Kubernetes secrets data is encrypted with keep your own key (KYOK)
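To see at a glance which clusters the controls above would flag, you can query the Steampipe IBM plugin directly while the service is running. This is an added ad hoc query, not a control from the mod; it assumes the plugin's ibm_kube_cluster table exposes a boolean key_protect_enabled column (an assumption about the plugin schema) and it cannot tell BYOK from KYOK, which the 7.1.1.2 control needs more detail to decide.

```sql
-- Added example: list clusters with their KMS status so the ones that would
-- raise an alarm under 7.1.1.1 (no Key Protect / KMS provider) stand out.
-- Assumption: ibm_kube_cluster has a boolean column key_protect_enabled.
select
  name,
  region,
  resource_group_id,
  case
    when key_protect_enabled then 'ok'      -- secrets encrypted with a KMS-managed key
    else 'alarm'                             -- etcd secrets not protected by a KMS provider
  end as status,
  case
    when key_protect_enabled then 'KMS provider enabled for ' || name
    else 'No KMS provider enabled for ' || name
  end as reason
from
  ibm_kube_cluster
order by
  status desc,
  name;
```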