Swarm Secrets or Kubernetes Secrets must be used.

An XCCDF Rule

Description

Swarm Secrets in Docker Swarm and Kubernetes Secrets both provide mechanisms for encrypting sensitive data at rest. This adds an additional layer of security, ensuring that even if unauthorized access occurs, the stored secrets remain encrypted. The MKE keystore must implement encryption to prevent unauthorized disclosure of information at rest within MKE. By leveraging Docker Secrets or Kubernetes Secrets to store configuration files and small amounts of user-generated data (up to 500 kb in size), the data is encrypted at rest by the Engine's FIPS-validated cryptography.

ID
SV-260911r1015770_rule
Severity
Medium
Updated



Remediation - Manual Procedure

To create secrets when using Swarm Orchestration, log in to the MKE UI. Navigate to Swarm >> Secrets, and then click "Create".

Provide a name for the secret and enter the data into the "Content" field.

Add a label to the secret so that RBAC features can be used to control access to it.
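The CLI equivalent of the UI procedure above, written as an added example rather than taken from the STIG or from MKE documentation: it enforces the 500 kb limit quoted in the discussion before anything is created, emits the Swarm command with a label for RBAC, and builds the matching Kubernetes Secret manifest. The secret name, label and file path are constructed placeholders; `docker` and `kubectl` are assumed to be installed and pointed at the cluster when the output is actually applied.

```shell
#!/bin/sh
# Added example (not MKE or STIG code): CLI counterpart of Swarm >> Secrets >> Create.
# The size limit is the 500 kb (500 x 1024 bytes) quoted in the rule text.
MAX_SECRET_BYTES=512000

# Return 0 if the file fits within the secret size limit, 1 otherwise.
check_secret_size() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -le "$MAX_SECRET_BYTES" ]
}

# Print the Swarm command: name, content read from a file (never an env var),
# and a label so RBAC grants can target this secret.  Pipe to sh to run it.
swarm_secret_cmd() {
    name=$1; file=$2; label=$3
    printf 'docker secret create --label %s %s %s\n' "$label" "$name" "$file"
}

# Print the Kubernetes equivalent: an Opaque Secret with the same label and the
# content base64-encoded as the API requires.  Apply with: ... | kubectl apply -f -
k8s_secret_manifest() {
    name=$1; file=$2; key=$3; label_key=$4; label_val=$5
    encoded=$(base64 < "$file" | tr -d '\n')
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  labels:\n    %s: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
        "$name" "$label_key" "$label_val" "$key" "$encoded"
}

# Emit both definitions only when the content passes the size check; otherwise
# refuse, so an oversized file is never silently truncated or rejected mid-deploy.
# Names below (app-db-password, team=payments) are constructed sample values.
create_secret_if_valid() {
    file=$1
    check_secret_size "$file" || {
        echo "refusing: $file exceeds ${MAX_SECRET_BYTES} bytes" >&2
        return 1
    }
    swarm_secret_cmd app-db-password "$file" team=payments
    k8s_secret_manifest app-db-password "$file" password team payments
}
```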