Ensure that encryption of in-transit data for Pod communications across Google Kubernetes Engine (GKE) cluster nodes is enabled with Customer-Managed Encryption Keys (CMEKs). This feature, which requires GKE Dataplane V2, provides additional encryption on top of the default VM NIC-level encryption using WireGuard.
PoC代码[已公开]
id: gcloud-gke-transparent-encryption-disabled
info:
name: GKE Clusters Without Inter-Node Transparent Encryption
author: princechaddha
severity: high
description: |
Ensure that encryption of in-transit data for Pod communications across Google Kubernetes Engine (GKE) cluster nodes is enabled with Customer-Managed Encryption Keys (CMEKs). This feature, which requires GKE Dataplane V2, provides additional encryption on top of the default VM NIC-level encryption using WireGuard.
impact: |
Without inter-node transparent encryption enabled, pod-to-pod traffic across nodes relies solely on default VM NIC-level encryption, potentially not meeting regulatory requirements for industries that need direct control over encryption keys.
remediation: |
Enable inter-node transparent encryption for your GKE clusters using:
gcloud container clusters update CLUSTER_NAME --region=REGION --in-transit-encryption inter-node-transparent
reference:
- https://cloud.google.com/kubernetes-engine/docs/how-to/encrypt-in-transit
- https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/GKE/enable-inter-node-transparent-encryption.html
tags: cloud,devops,gcp,gcloud,gke,kubernetes,security,encryption,gcp-cloud-config
flow: |
code(1)
for(let projectId of iterate(template.projectIds)){
set("projectId", projectId)
code(2)
for(let cluster of iterate(template.clusters)){
cluster = JSON.parse(cluster)
set("clusterName", cluster.name)
set("location", cluster.location)
code(3)
}
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
gcloud projects list --format="json(projectId)"
extractors:
- type: json
name: projectIds
internal: true
json:
- '.[].projectId'
- engine:
- sh
- bash
source: |
gcloud container clusters list --project $projectId --format="json(name,location)"
extractors:
- type: json
name: clusters
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
gcloud container clusters describe $clusterName --location $location --project $projectId --format="value(networkConfig.inTransitEncryptionConfig)"
matchers:
- type: word
words:
- "IN_TRANSIT_ENCRYPTION_DISABLED"
extractors:
- type: dsl
dsl:
- '"GKE cluster " + clusterName + " in " + location + " of project " + projectId + " does not have inter-node transparent encryption enabled"'
# digest: 4a0a00473045022037f5b9a1e34669bb84b2f33ea9e66f6b42ca285fd5aec7174ec92c92a67c84ff022100c63d608fe49f7085008a749eb81f4d6e86cdf90442d6da23bda82a6bd47012a5:922c64590222798bb761d5b6d8e72950