STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-257564

CAT II (Medium)

OpenShift keystore must implement encryption to prevent unauthorized disclosure of information at rest within the container platform.

Rule ID

SV-257564r1050650_rule

STIG

Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide

Version

V2R5

CCIs

CCI-002476

Discussion

By default, etcd data is not encrypted in OpenShift Container Platform. Enable etcd encryption for the cluster to provide an additional layer of data security. For example, it can help protect against the loss of sensitive data if an etcd backup is exposed to the incorrect parties. When users enable etcd encryption, the following OpenShift API server and Kubernetes API server resources are encrypted:

  • Secrets
  • Config maps
  • Routes
  • OAuth access tokens
  • OAuth authorize tokens

When users enable etcd encryption, encryption keys are created. These keys are rotated on a weekly basis. Users must have these keys to restore from an etcd backup.

Check Content

Review the API server encryption configuration by executing the following:

oc edit apiserver

EXAMPLE OUTPUT
spec:
  encryption:
    type: aescbc

If the encryption type is not "aescbc", this is a finding.

Fix Text

Set API encryption type by executing the following:

oc edit apiserver

Set the encryption field type to aescbc:
spec:
  encryption:
    type: aescbc

Additional details about the configuration can be found in the documentation:
https://docs.openshift.com/container-platform/4.8/security/encrypting-etcd.html
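The check and fix above, as an added example (not STIGhub, DISA or Red Hat code) that evaluates the captured JSON of the apiserver resource rather than editing it interactively, and, going one step past the STIG text, reads the Encrypted status condition that OpenShift exposes on openshiftapiserver/cluster to confirm re-encryption has finished. The sample cluster object is constructed; the function and constant names are this example's own.

```python
"""Evaluate STIG V-257564 against captured OpenShift API server resources.

Feed it the output of `oc get apiserver cluster -o json` and, for the
progress check, `oc get openshiftapiserver cluster -o json`.
The sample object below is constructed, not captured from a real cluster.
"""
import json

REQUIRED_TYPE = "aescbc"  # the only value this STIG rule accepts


def evaluate_encryption(apiserver: dict) -> tuple[bool, str]:
    """Return (is_finding, reason) for the spec.encryption.type check.

    OpenShift leaves spec.encryption unset by default, which means etcd data
    is stored in the clear, so a missing field is a finding, not an error.
    """
    enc_type = apiserver.get("spec", {}).get("encryption", {}).get("type")
    if enc_type is None:
        return True, "spec.encryption.type is not set (default: unencrypted)"
    if enc_type != REQUIRED_TYPE:
        return True, f"spec.encryption.type is {enc_type!r}, expected {REQUIRED_TYPE!r}"
    return False, "spec.encryption.type is aescbc"


def encryption_completed(openshiftapiserver: dict) -> bool:
    """True once the Encrypted condition reports reason EncryptionCompleted.

    Setting the type only starts a background rewrite of existing etcd data;
    the Encrypted condition shows when every resource has actually been
    re-encrypted, so a fresh fix can pass the spec check but still be pending.
    """
    for cond in openshiftapiserver.get("status", {}).get("conditions", []):
        if cond.get("type") == "Encrypted":
            return cond.get("reason") == "EncryptionCompleted"
    return False


def fix_patch() -> str:
    """JSON merge patch equivalent to the fix text, for
    `oc patch apiserver cluster --type merge -p '<patch>'`."""
    return json.dumps({"spec": {"encryption": {"type": REQUIRED_TYPE}}})


# Constructed sample: a default cluster where spec.encryption was never set.
DEFAULT_CLUSTER = {"apiVersion": "config.openshift.io/v1", "kind": "APIServer",
                   "metadata": {"name": "cluster"}, "spec": {"audit": {"profile": "Default"}}}

if __name__ == "__main__":
    finding, why = evaluate_encryption(DEFAULT_CLUSTER)
    print(("FINDING: " if finding else "PASS: ") + why)
    print("fix:", fix_patch())
```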