IPSec network encryption must be configured.

An XCCDF Rule

Description

<VulnDiscussion>IPsec encrypts the data traffic between nodes in a Kubernetes cluster, ensuring that the information exchanged is confidential and protected from unauthorized access. This is particularly important when sensitive or confidential data is transmitted over the network. IPsec not only provides encryption but also ensures the integrity of the transmitted data. Through the use of cryptographic mechanisms, IPsec can detect and prevent tampering or modification of data during transit. In a Kubernetes cluster managed by MKE, nodes communicate with each other for various purposes, such as pod networking, service discovery, and cluster coordination. IPsec helps secure these communications, reducing the risk of man-in-the-middle attacks and unauthorized interception.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-260931r966150_rule
Severity: Medium
References: CCI-000778
Updated: 23 days ago

To configure IPSec network encryption in Swarm orchestration, create an overlay network with --opt encrypted flag. 

Example:
docker network create --opt encrypted --driver overlay my-network

To configure IPSec network encryption in Kubernetes orchestration, modify an existing MKE configuration.
Working as an MKE admin, use the config-toml API from within the directory of your client certificate bundle to export the current MKE settings to a TOML file (mke-config.toml).

1. Define the following environment variables:

export MKE_USERNAME=<mke-username>
export MKE_PASSWORD=<mke-password>
export MKE_HOST=<mke-fqdm-or-ip-address>

2. Obtain and define an AUTHTOKEN environment variable by executing the following:

AUTHTOKEN=$(curl --silent --insecure --data '{"username":"'$MKE_USERNAME'","password":"'$MKE_PASSWORD'"}' https://$MKE_HOST/auth/login | jq --raw-output .auth_token)

3. Download the current MKE configuration file by executing the following:

curl --silent --insecure -X GET "https://$MKE_HOST/api/MKE/config-toml" -H "accept: application/toml" -H "Authorization: Bearer $AUTHTOKEN" > mke-config.toml

4. Modify "secure_overlay" settings to "true".

5. Upload the newly edited MKE configuration file by executing the following:

curl --silent --insecure -X PUT -H "accept: application/toml" -H "Authorization: Bearer $AUTHTOKEN" --upload-file 'mke-config.toml' https://$MKE_HOST/api/MKE/config-toml

Note: Users may need to reacquire AUTHTOKEN, if significant time has passed since it was first attained.

IPSec network encryption must be configured.

Description

Remediation - Manual Procedure