Ensure that the MachineSets provisioned by GCP have disk encryption enabled

An XCCDF Rule

Description

OpenShift has an option to provide the Disk Encryption Set [1] when deploying nodes on GCP. This enables disk encryption and ensures that the disks of the OpenShift nodes are encrypted. [1] https://docs.openshift.com/container-platform/latest/machine_management/creating_machinesets/creating-machineset-gcp.html#machineset-enabling-customer-managed-encryption_creating-machineset-gcp

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API and retrieve the following:
  • the /apis/machine.openshift.io/v1beta1/machinesets?limit=500 API endpoint, filtered with the jq utility using the following filter: [.items[] | select(.spec.template.spec.providerSpec.value.disks[0].encryptionKey.kmsKey.name != null) | .metadata.name], and persisted to the local /apis/machine.openshift.io/v1beta1/machinesets?limit=500#4de267a890d70235b0f43110ee972bee760ecce356b1e9cb910f99cc33a02cc2 file.
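The jq filter above reduces to "every MachineSet whose first disk names a KMS key". The following added example (not part of the rule or the ComplianceAsCode content) mirrors that filter in Python over a constructed, trimmed MachineSet list, so the pass/fail logic can be exercised offline; the names, key ring and project are invented sample values.

```python
import json

# Constructed sample shaped like the machinesets API response, trimmed to the
# fields the rule inspects. Not real cluster output.
SAMPLE_DUMP = json.dumps({
    "kind": "MachineSetList",
    "items": [
        {   # first disk carries a customer-managed KMS key -> compliant
            "metadata": {"name": "sample-worker-a"},
            "spec": {"template": {"spec": {"providerSpec": {"value": {
                "disks": [{"boot": True, "encryptionKey": {"kmsKey": {
                    "name": "sample-key", "keyRing": "sample-ring",
                    "location": "us-central1", "projectID": "sample-project"}}}]
            }}}}},
        },
        {   # no encryptionKey stanza at all -> not compliant
            "metadata": {"name": "sample-worker-b"},
            "spec": {"template": {"spec": {"providerSpec": {"value": {
                "disks": [{"boot": True, "type": "pd-ssd"}]
            }}}}},
        },
        {   # stanza present but key name is null -> jq's != null rejects it
            "metadata": {"name": "sample-worker-c"},
            "spec": {"template": {"spec": {"providerSpec": {"value": {
                "disks": [{"boot": True, "encryptionKey": {"kmsKey": {"name": None}}}]
            }}}}},
        },
    ],
})


def kms_key_name(machineset):
    """Walk .spec.template.spec.providerSpec.value.disks[0].encryptionKey.kmsKey.name;
    a missing level behaves like jq's null propagation and yields None."""
    try:
        value = machineset["spec"]["template"]["spec"]["providerSpec"]["value"]
        return value["disks"][0]["encryptionKey"]["kmsKey"]["name"]
    except (KeyError, IndexError, TypeError):
        return None


def encrypted_machinesets(dump_json):
    """Names the jq filter would emit: MachineSets whose first disk names a KMS key."""
    items = json.loads(dump_json).get("items", [])
    return [ms["metadata"]["name"] for ms in items if kms_key_name(ms) is not None]


def unencrypted_machinesets(dump_json):
    """The complement: MachineSets that would make the rule fail."""
    items = json.loads(dump_json).get("items", [])
    return [ms["metadata"]["name"] for ms in items if kms_key_name(ms) is None]


def rule_passes(dump_json):
    """The rule passes only when every MachineSet in the dump is encrypted."""
    return not unencrypted_machinesets(dump_json)
```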

Rationale

The usage of disk encryption for the nodes protects the data at rest and ensures that an attacker cannot easily exfiltrate the machine contents which may contain private keys or other sensitive material.

ID
xccdf_org.ssgproject.content_rule_gcp_disk_encryption_enabled
Severity
High
References
Updated