
Configure the Encryption Provider Cipher

An XCCDF Rule

Description

When you enable etcd encryption, the following OpenShift API server and Kubernetes API server resources are encrypted:

  • Secrets
  • ConfigMaps
  • Routes
  • OAuth access tokens
  • OAuth authorize tokens

When you enable etcd encryption, encryption keys are created. These keys are rotated on a weekly basis. You must have these keys in order to restore from an etcd backup.

To ensure the correct cipher, set the encryption type to aescbc in the cluster-scoped APIServer object named cluster, which configures the API server itself. Leaving the type unset (or set to identity) means etcd encryption is not enabled at all.

spec:
  encryption:
    type: aescbc

For more information, follow the relevant documentation.

warning alert: Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the API endpoint listed below, filter it with the jq utility using the given filter, and persist the result to the local /apis/config.openshift.io/v1/apiservers/cluster#a1d4b20a86b76e7e2d634dbeff420b1a80df6800836dad1b552314d1b24a18cb file:
  • On a standalone cluster: the /apis/config.openshift.io/v1/apiservers/cluster endpoint, filtered with [.spec.encryption.type].
  • On a HyperShift hosted cluster (when the hypershift_cluster variable is set to something other than None): the /apis/hypershift.openshift.io/v1beta1/namespaces/{{.hypershift_namespace_prefix}}/hostedclusters/{{.hypershift_cluster}} endpoint, filtered with [.spec.secretEncryption.type].
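The following is an added example, not part of the ComplianceAsCode content or the Compliance Operator's own check: it evaluates a saved API object the way the jq filters above do, for both the standalone APIServer object and a HyperShift HostedCluster, and treats an unset type as "encryption disabled". The three sample objects are constructed for illustration, not real cluster output; the helper names (get_nested, check_cipher, check_dump_file) are this example's own.

```python
"""Evaluate the api_server_encryption_provider_cipher rule against a saved
API object. Added example; mirrors the jq filters named in the warning above
([.spec.encryption.type] / [.spec.secretEncryption.type]) in plain Python."""
import json
from typing import Optional, Tuple

# The value this rule requires: the aescbc encryption provider.
EXPECTED_TYPE = "aescbc"


def get_nested(obj: object, *keys: str) -> Optional[object]:
    """Walk nested dicts; return None when any key is missing (like jq's null)."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def configured_encryption_type(dump: dict, hypershift: bool = False) -> Optional[str]:
    """Return the configured encryption type, or None when it is unset.

    Standalone cluster: APIServer object, path spec.encryption.type.
    HyperShift hosted cluster: HostedCluster object, path spec.secretEncryption.type.
    """
    if hypershift:
        value = get_nested(dump, "spec", "secretEncryption", "type")
    else:
        value = get_nested(dump, "spec", "encryption", "type")
    return value if isinstance(value, str) else None


def check_cipher(dump: dict, hypershift: bool = False) -> Tuple[bool, str]:
    """Return (passed, message) for one dumped object."""
    actual = configured_encryption_type(dump, hypershift)
    if actual is None:
        return False, "etcd encryption type is unset (encryption disabled)"
    if actual != EXPECTED_TYPE:
        return False, f"encryption type is {actual!r}, expected {EXPECTED_TYPE!r}"
    return True, f"encryption type is {EXPECTED_TYPE!r}"


def check_dump_file(path: str, hypershift: bool = False) -> Tuple[bool, str]:
    """Check a JSON file saved from the API endpoint (for example the output of
    `oc get apiserver cluster -o json`, redirected to a file)."""
    with open(path, encoding="utf-8") as handle:
        return check_cipher(json.load(handle), hypershift)


# Constructed sample objects (not real cluster output) covering three cases.
COMPLIANT_APISERVER = {
    "apiVersion": "config.openshift.io/v1",
    "kind": "APIServer",
    "metadata": {"name": "cluster"},
    "spec": {"encryption": {"type": "aescbc"}},
}
UNENCRYPTED_APISERVER = {
    "apiVersion": "config.openshift.io/v1",
    "kind": "APIServer",
    "metadata": {"name": "cluster"},
    "spec": {"audit": {"profile": "Default"}},  # no encryption stanza at all
}
HOSTED_CLUSTER = {
    "apiVersion": "hypershift.openshift.io/v1beta1",
    "kind": "HostedCluster",
    "metadata": {"name": "example", "namespace": "clusters"},
    "spec": {"secretEncryption": {"type": "aescbc"}},
}

if __name__ == "__main__":
    cases = (
        ("standalone, compliant", COMPLIANT_APISERVER, False),
        ("standalone, unencrypted", UNENCRYPTED_APISERVER, False),
        ("hosted cluster", HOSTED_CLUSTER, True),
    )
    for label, obj, is_hosted in cases:
        passed, message = check_cipher(obj, is_hosted)
        print(f"{label}: {'PASS' if passed else 'FAIL'} - {message}")
```

Note that passing a HostedCluster object with hypershift=False fails, because spec.encryption.type does not exist on that kind; the two object shapes are not interchangeable, which is why the check selects the filter by cluster type.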

Rationale

etcd is a highly available key-value store used by OpenShift deployments for persistent storage of all REST API objects. These objects are sensitive in nature and should be encrypted at rest to avoid any disclosures. Where etcd encryption is used, it is important to ensure that the appropriate set of encryption providers is used. Currently, aescbc is the only type supported by OCP.

ID
xccdf_org.ssgproject.content_rule_api_server_encryption_provider_cipher
Severity
Medium

Remediation - Kubernetes Patch

---
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster
spec:
  encryption:
    type: aescbc