Kubernetes Secrets must be encrypted at rest.

Overview

Finding ID: V-274882
Version: CNTR-K8-001162
Rule ID: SV-274882r1107233_rule
IA Controls: CCI-000213
Severity: high
Description
Kubernetes Secrets may store sensitive information such as passwords, tokens, and keys. By default, these values are stored unencrypted in the etcd database that backs Kubernetes. To protect these Secrets at rest, the values must be encrypted before they are written to etcd.
STIG: Kubernetes Security Technical Implementation Guide
Date: 2025-05-16

Related Frameworks

4 paths across 3 frameworks

NIST 800-53 (1 mapping)
AC-3 · 1.00
  • DISA · 2 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-171 (2 mappings)
3.1.1 · 1.00
  • DISA · 2 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.1.2 · 1.00
  • DISA · 2 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI (1 mapping)
CCI-000213 · 1.00
  • DISA · 2 · disa_xccdf · related

Details

Check Text (C-274882r1107233_chk)

Change to the /etc/kubernetes/manifests directory on the Kubernetes Master Node and run the command:

grep -i encryption-provider-config *

If the setting "encryption-provider-config" is not configured, this is a finding.

If the setting is configured, check the contents of the file specified by its argument:
  • If the file does not specify the secrets resource, this is a finding.
  • If the identity provider is listed as the first provider for that resource, this is also a finding.

Fix Text (F-78888r1107232_fix)

Edit the Kubernetes API Server manifest file in the /etc/kubernetes/manifests directory on the Kubernetes Master Node. Set the value of "--encryption-provider-config" to the path of the encryption config. The encryption config must specify the secrets resource and its provider(s). Below is an example:

{
  "kind": "EncryptionConfiguration",
  "apiVersion": "apiserver.config.k8s.io/v1",
  "resources": [
    {
      "resources": [
        "secrets"
      ],
      "providers": [
        {
          "aescbc": {
            "keys": [
              {
                "name": "aescbckey",
                "secret": "xxxxxxxxxxxxxxxxxxx"
              }
            ]
          }
        },
        {
          "identity": {}
        }
      ]
    }
  ]
}
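The Check Text and Fix Text above describe a two-step audit: find the "--encryption-provider-config" flag in the API server manifest, then confirm the referenced EncryptionConfiguration covers the secrets resource with a real provider listed before identity. The following Python script is an added example (not part of the STIG or of Kubernetes) that automates exactly that logic offline. The manifest excerpt, the config path /etc/kubernetes/enc/enc.yaml, the placeholder key value and the three sample configurations are all constructed for the example; the real config file may be YAML, but the JSON form shown in the Fix Text is valid YAML and is what this script parses.

```python
"""Added example: audit a kube-apiserver manifest and its EncryptionConfiguration
against the V-274882 check logic. All file contents below are constructed samples."""
import json

# Constructed kube-apiserver static-pod manifest excerpt, as found under
# /etc/kubernetes/manifests on a control-plane node (config path is assumed).
SAMPLE_MANIFEST = """\
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --allow-privileged=true
    - --encryption-provider-config=/etc/kubernetes/enc/enc.yaml
"""

def _config(resources, providers):
    """Build a constructed EncryptionConfiguration document in the Fix Text's JSON form."""
    return json.dumps({
        "kind": "EncryptionConfiguration",
        "apiVersion": "apiserver.config.k8s.io/v1",
        "resources": [{"resources": resources, "providers": providers}],
    })

AESCBC = {"aescbc": {"keys": [{"name": "aescbckey", "secret": "PLACEHOLDER_BASE64_KEY"}]}}
IDENTITY = {"identity": {}}

# Passes: secrets covered, aescbc first; identity last so pre-existing plaintext Secrets still read.
COMPLIANT_CONFIG = _config(["secrets"], [AESCBC, IDENTITY])
# Fails: identity first, so every newly written Secret lands in etcd as plaintext.
IDENTITY_FIRST_CONFIG = _config(["secrets"], [IDENTITY, AESCBC])
# Fails: only configmaps are covered, so Secrets are never encrypted.
NO_SECRETS_CONFIG = _config(["configmaps"], [AESCBC])

FLAG = "--encryption-provider-config"

def encryption_config_path(manifest_text):
    """The STIG's grep step: return the --encryption-provider-config value from a
    kube-apiserver manifest, or None when the flag is absent."""
    tokens = []
    for raw in manifest_text.splitlines():
        item = raw.strip()
        if item.startswith("- "):          # YAML list item in the command array
            item = item[2:].strip()
        tokens.append(item.strip('"\''))
    for i, tok in enumerate(tokens):
        if tok.startswith(FLAG + "="):
            return tok.split("=", 1)[1]
        if tok == FLAG and i + 1 < len(tokens):   # flag and value on separate list items
            return tokens[i + 1]
    return None

def audit_encryption_config(config_text):
    """Apply the Check Text to an EncryptionConfiguration document.
    Returns a list of finding strings; an empty list means compliant."""
    cfg = json.loads(config_text)
    if cfg.get("kind") != "EncryptionConfiguration":
        return ["file is not an EncryptionConfiguration document"]
    secret_rules = [r for r in cfg.get("resources", []) if "secrets" in r.get("resources", [])]
    if not secret_rules:
        return ["secrets resource is not covered by any rule"]
    findings = []
    for rule in secret_rules:
        providers = rule.get("providers", [])
        if not providers:
            findings.append("secrets rule has no providers")
        elif "identity" in providers[0]:   # provider entries are single-key dicts
            findings.append("identity is the first provider for secrets: Secrets are written unencrypted")
    return findings

def audit(manifest_text, read_config):
    """Full check: manifest flag first, then the referenced config.
    `read_config` maps a path to file text so the example can run without a cluster."""
    path = encryption_config_path(manifest_text)
    if path is None:
        return ["--encryption-provider-config is not set on the API server"]
    return audit_encryption_config(read_config(path))

if __name__ == "__main__":
    cases = [("compliant", COMPLIANT_CONFIG), ("identity first", IDENTITY_FIRST_CONFIG),
             ("no secrets", NO_SECRETS_CONFIG)]
    for label, text in cases:
        # Pretend the manifest's path resolves to each constructed config in turn.
        print(label, "->", audit(SAMPLE_MANIFEST, lambda _p, t=text: t) or "no finding")
```

On a real control-plane node, replace `read_config` with a function that opens the path on the host (the path in the flag is the one inside the kube-apiserver container; resolve it through the manifest's hostPath volume mount). The audit checks only what the STIG requires: that a non-identity provider comes first for secrets. It does not judge provider strength; the aescbc provider shown in the Fix Text is the STIG's example, while the Kubernetes documentation currently steers new deployments toward kms or secretbox, so verify the provider choice against your own platform guidance as well.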