Swarm Secrets or Kubernetes Secrets must be used.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-260911	CNTR-MK-000130	SV-260911r986162_rule		Medium

Description
Swarm Secrets in Docker Swarm and Kubernetes Secrets both provide mechanisms for encrypting sensitive data at rest. This adds an additional layer of security, ensuring that even if unauthorized access occurs, the stored secrets remain encrypted. MKE keystore must implement encryption to prevent unauthorized disclosure of information at rest within MKE. By leveraging Docker Secrets or Kubernetes secrets to store configuration files and small amounts of user-generated data (up to 500 kb in size), the data is encrypted at rest by the Engine's FIPS-validated cryptography.

Description

Swarm Secrets in Docker Swarm and Kubernetes Secrets both provide mechanisms for encrypting sensitive data at rest. This adds an additional layer of security, ensuring that even if unauthorized access occurs, the stored secrets remain encrypted. MKE keystore must implement encryption to prevent unauthorized disclosure of information at rest within MKE. By leveraging Docker Secrets or Kubernetes secrets to store configuration files and small amounts of user-generated data (up to 500 kb in size), the data is encrypted at rest by the Engine's FIPS-validated cryptography.

STIG	Date
Mirantis Kubernetes Engine Security Technical Implementation Guide	2024-06-17

Details

Check Text ( C-64640r966088_chk )
Review the System Security Plan (SSP) and identify applications that leverage configuration files and/or small amounts of user-generated data, and ensure the data is stored in Docker Secrets or Kubernetes Secrets. When using Swarm orchestration, log in to the MKE web UI and navigate to Swarm >> Secrets and view the configured secrets. If items identified for secure storage are not included in the secrets, this is a finding. When using Kubernetes orchestration, log on to the MKE Controller node then run the following command: kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A Or, using API, configure the $AUTH variable to contain the token for the SCIM API endpoint: curl -k 'Accept: application/json' -H "Authorization: Bearer $AUTH" -s "https://$MKE_ADDRESS/api/MKE/config/kubernetes" \| jq '.KMSEnabled' true If any of the values returned reference environment variables, this is a finding.

Check Text ( C-64640r966088_chk )

Review the System Security Plan (SSP) and identify applications that leverage configuration files and/or small amounts of user-generated data, and ensure the data is stored in Docker Secrets or Kubernetes Secrets.

When using Swarm orchestration, log in to the MKE web UI and navigate to Swarm >> Secrets and view the configured secrets.

If items identified for secure storage are not included in the secrets, this is a finding.

When using Kubernetes orchestration, log on to the MKE Controller node then run the following command:

kubectl get all -o jsonpath='{range .items[?(@..secretKeyRef)]} {.kind} {.metadata.name} {"\n"}{end}' -A

Or, using API, configure the $AUTH variable to contain the token for the SCIM API endpoint:

curl -k 'Accept: application/json' -H "Authorization: Bearer $AUTH" -s "https://$MKE_ADDRESS/api/MKE/config/kubernetes" | jq '.KMSEnabled' true

If any of the values returned reference environment variables, this is a finding.

Fix Text (F-64548r966089_fix)
To create secrets when using Swarm Orchestration, log in to the MKE UI. Navigate to Swarm >> Secrets, and then click "Create". Provide a name for the secret and enter the data into the "Content" field. Add a label to allow for RBAC features to be used for access to secret. Click "Save". To create secrets when using Kubernetes orchestration, run the following command on the MKE Controller node: Configure the $AUTH variable to contain the token for the SCIM API endpoint. curl -X PUT -H 'Accept: application/json' -H "Authorization: Bearer $AUTH" -d '{"KMSEnabled":true,"KMSName"":"","KMSEndpoint":"/var/kms"}' "https://$MKE_ADDRESS/api/MKE/config/kubernetes"

Fix Text (F-64548r966089_fix)

To create secrets when using Swarm Orchestration, log in to the MKE UI. Navigate to Swarm >> Secrets, and then click "Create".

Provide a name for the secret and enter the data into the "Content" field.

Add a label to allow for RBAC features to be used for access to secret.

Click "Save".

To create secrets when using Kubernetes orchestration, run the following command on the MKE Controller node:

Configure the $AUTH variable to contain the token for the SCIM API endpoint.

curl -X PUT -H 'Accept: application/json' -H "Authorization: Bearer $AUTH" -d '{"KMSEnabled":true,"KMSName"":"","KMSEndpoint":"/var/kms"}' "https://$MKE_ADDRESS/api/MKE/config/kubernetes"