IPSec network encryption must be configured.


Overview

Finding ID: V-260931
Version: CNTR-MK-000770
Rule ID: SV-260931r966150_rule
IA Controls: (none listed)
Severity: Medium
Description
IPsec encrypts the data traffic between nodes in a Kubernetes cluster, ensuring that the information exchanged is confidential and protected from unauthorized access. This is particularly important when sensitive or confidential data is transmitted over the network. IPsec not only provides encryption but also ensures the integrity of the transmitted data. Through the use of cryptographic mechanisms, IPsec can detect and prevent tampering or modification of data during transit. In a Kubernetes cluster managed by MKE, nodes communicate with each other for various purposes, such as pod networking, service discovery, and cluster coordination. IPsec helps secure these communications, reducing the risk of man-in-the-middle attacks and unauthorized interception.
STIG: Mirantis Kubernetes Engine Security Technical Implementation Guide
Date: 2024-06-17

Details

Check Text ( C-64660r966148_chk )
Verify IPSec network encryption.

For Swarm orchestration, log in to the MKE web UI and navigate to Swarm >> Networks.

If the "scope" is not local and the "driver" is not overlay, this is a finding.

Kubernetes orchestration:
Note: The path may need to be edited.

cat /etc/mke/config.toml | grep secure_overlay

If the "secure_overlay" setting is not set to "true", this is a finding.
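The two checks above, evaluated offline as audit logic. This is an added example and not part of the STIG text: it consumes the JSON that `docker network inspect` emits for the Swarm networks and the exported config.toml for the Kubernetes setting. The sample inputs are constructed by hand, the `[cluster_config]` section name is an assumption, and the test for the `encrypted` option goes one step past the Check Text to the property that the Fix Text's `--opt encrypted` actually sets.

```python
"""Offline evaluation of the two checks in this rule.

Added example, not part of the STIG text. Assumptions:
  * `docker network inspect $(docker network ls -q)` output, a JSON list in
    which each network carries "Scope", "Driver" and "Options" keys (the
    sample below is constructed);
  * an MKE config.toml in which the key is literally `secure_overlay = true|false`
    (the [cluster_config] section name in the sample is an assumption).
"""
import json
import re
from typing import List, Optional, Tuple

# Constructed sample: what `docker network inspect` might return for four networks.
SAMPLE_INSPECT = json.dumps([
    {"Name": "bridge", "Scope": "local", "Driver": "bridge", "Options": {}},
    {"Name": "app-net", "Scope": "swarm", "Driver": "overlay",
     "Options": {"encrypted": ""}},                  # created with --opt encrypted
    {"Name": "legacy-net", "Scope": "swarm", "Driver": "overlay", "Options": {}},
    {"Name": "odd-net", "Scope": "swarm", "Driver": "macvlan", "Options": {}},
])

# Constructed sample config.toml fragment (section name assumed).
SAMPLE_TOML = """
[cluster_config]
  # secure_overlay = true   <- a commented-out line must not count
  secure_overlay = false
"""


def swarm_network_findings(inspect_json: str) -> List[Tuple[str, str]]:
    """Return (network name, reason) pairs for networks that fail the Swarm check.

    Local-scope networks are outside this rule. Every non-local network must use
    the overlay driver (Check Text), and an overlay network must carry the
    `encrypted` option that `--opt encrypted` sets (Fix Text).
    """
    findings = []
    for net in json.loads(inspect_json):
        if net.get("Scope") == "local":
            continue
        if net.get("Driver") != "overlay":
            findings.append((net["Name"], "non-local network does not use the overlay driver"))
        elif "encrypted" not in (net.get("Options") or {}):
            findings.append((net["Name"], "overlay network created without --opt encrypted"))
    return findings


# Line-anchored so a '#' comment in front of the key can never match.
_SECURE_OVERLAY = re.compile(r"^\s*secure_overlay\s*=\s*(true|false)\b", re.MULTILINE)


def secure_overlay_enabled(toml_text: str) -> Optional[bool]:
    """Return the boolean value of secure_overlay, or None if the key is absent.

    A regex is used instead of a TOML parser so this runs on Python versions
    without tomllib; the key is a plain boolean, so nothing is lost.
    """
    m = _SECURE_OVERLAY.search(toml_text)
    return None if m is None else m.group(1) == "true"


def kubernetes_finding(toml_text: str) -> Optional[str]:
    """Apply the Kubernetes-orchestration rule: anything but `true` is a finding."""
    value = secure_overlay_enabled(toml_text)
    if value is True:
        return None
    return "secure_overlay is %s; must be true" % ("missing" if value is None else "false")


if __name__ == "__main__":
    for name, reason in swarm_network_findings(SAMPLE_INSPECT):
        print("FINDING (Swarm):", name, "-", reason)
    k8s = kubernetes_finding(SAMPLE_TOML)
    if k8s:
        print("FINDING (Kubernetes):", k8s)
    else:
        print("Kubernetes check passed")
```

On a real host, feed `docker network inspect $(docker network ls -q)` to `swarm_network_findings` and the contents of `/etc/mke/config.toml` (path may differ, as the Check Text notes) to `kubernetes_finding`; an empty findings list and `None` together mean the rule is satisfied.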
Fix Text (F-64568r966149_fix)
To configure IPSec network encryption in Swarm orchestration, create an overlay network with the --opt encrypted flag.

Example:
docker network create --opt encrypted --driver overlay my-network

To configure IPSec network encryption in Kubernetes orchestration, modify an existing MKE configuration.

Working as an MKE admin, use the config-toml API from within the directory of your client certificate bundle to export the current MKE settings to a TOML file (mke-config.toml).

1. Define the following environment variables:

export MKE_USERNAME=
export MKE_PASSWORD=
export MKE_HOST=

2. Obtain and define an AUTHTOKEN environment variable by executing the following:

AUTHTOKEN=$(curl --silent --insecure --data '{"username":"'$MKE_USERNAME'","password":"'$MKE_PASSWORD'"}' https://$MKE_HOST/auth/login | jq --raw-output .auth_token)

3. Download the current MKE configuration file by executing the following:

curl --silent --insecure -X GET "https://$MKE_HOST/api/MKE/config-toml" -H "accept: application/toml" -H "Authorization: Bearer $AUTHTOKEN" > mke-config.toml

4. Set the "secure_overlay" setting to "true".

5. Upload the newly edited MKE configuration file by executing the following:

curl --silent --insecure -X PUT -H "accept: application/toml" -H "Authorization: Bearer $AUTHTOKEN" --upload-file 'mke-config.toml' https://$MKE_HOST/api/MKE/config-toml

Note: Users may need to reacquire the AUTHTOKEN if significant time has passed since it was first obtained.
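Steps 1 to 5 above as a single standard-library script, added here as an example and not Mirantis code. The endpoints, header values, environment variable names and the .auth_token field come from the Fix Text; the function names, the TOML edit routine and the choice to keep certificate validation on unless explicitly disabled (the curl commands above use --insecure) are this example's own. Only set_secure_overlay() runs without a live MKE host.

```python
"""Steps 1-5 of the Fix Text as one script, using only the standard library.

Added example, not Mirantis code. Endpoints (/auth/login, /api/MKE/config-toml),
the `accept: application/toml` header, the MKE_* environment variables and the
.auth_token field are taken from the Fix Text; everything else (helper names,
strict-TLS default, the targeted TOML edit) is this example's own choice.
"""
import json
import os
import re
import ssl
import sys
import urllib.request

# Line-anchored so a commented-out key is left alone.
_KEY = re.compile(r"^(\s*secure_overlay\s*=\s*)(true|false)\b", re.MULTILINE)


def set_secure_overlay(toml_text: str) -> str:
    """Step 4: return the configuration with secure_overlay forced to true.

    A targeted substitution is used instead of parse/re-serialise so comments
    and ordering in the exported file survive. If the key is absent the
    function refuses to guess which section it belongs in.
    """
    new_text, count = _KEY.subn(r"\g<1>true", toml_text)
    if count == 0:
        raise ValueError("secure_overlay not found in configuration; add it by hand")
    return new_text


def _ssl_context(insecure: bool) -> ssl.SSLContext:
    # The Fix Text's curl commands pass --insecure, which skips certificate
    # validation. Validation stays on here unless the caller opts out.
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def _request(url: str, method: str, headers: dict, body, insecure: bool) -> bytes:
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, context=_ssl_context(insecure)) as resp:
        return resp.read()


def login(host: str, username: str, password: str, insecure: bool = False) -> str:
    """Step 2: POST credentials to /auth/login and return the bearer token."""
    body = json.dumps({"username": username, "password": password}).encode()
    raw = _request(f"https://{host}/auth/login", "POST",
                   {"Content-Type": "application/json"}, body, insecure)
    return json.loads(raw)["auth_token"]


def get_config(host: str, token: str, insecure: bool = False) -> str:
    """Step 3: download the current configuration as TOML text."""
    raw = _request(f"https://{host}/api/MKE/config-toml", "GET",
                   {"accept": "application/toml", "Authorization": f"Bearer {token}"},
                   None, insecure)
    return raw.decode()


def put_config(host: str, token: str, toml_text: str, insecure: bool = False) -> None:
    """Step 5: upload the edited configuration."""
    _request(f"https://{host}/api/MKE/config-toml", "PUT",
             {"accept": "application/toml", "Authorization": f"Bearer {token}"},
             toml_text.encode(), insecure)


def main() -> None:
    # Step 1: the same environment variables the Fix Text defines.
    host, user, pw = (os.environ[k] for k in ("MKE_HOST", "MKE_USERNAME", "MKE_PASSWORD"))
    insecure = os.environ.get("MKE_INSECURE") == "1"   # opt-in equivalent of curl --insecure
    token = login(host, user, pw, insecure)
    current = get_config(host, token, insecure)
    updated = set_secure_overlay(current)
    if updated == current:
        print("secure_overlay already true; nothing to upload")
        return
    with open("mke-config.toml", "w") as fh:            # keep the local copy the Fix Text names
        fh.write(updated)
    put_config(host, token, updated, insecure)
    print("secure_overlay set to true and configuration uploaded")


if __name__ == "__main__":
    sys.exit(main())
```

Because the download, edit and upload happen in one process, the token is used within seconds of being issued, which sidesteps the expiry the note above warns about; an operator who edits the file by hand between steps 3 and 5 should still re-run the login.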