Project: Cloud Infrastructure Security & Compliance
Issue: CMP-3248

Update ocp4-cis-api-server-encryption-provider-cipher check and remediation


    • Quality / Stability / Reliability
    • CMP Sprint 105, CMP Sprint 106, CMP Sprint 107

      The current ComplianceRemediation object for ocp4-cis-api-server-encryption-provider-cipher
      enforces aescbc encryption.

      However, for several releases already the API server has also supported AES-GCM, which is stronger, and it is the default in vanilla Kubernetes as well.

      While the text of the rule description has been updated:

      When you enable etcd encryption, encryption keys are created. These keys are rotated on a weekly basis. You must have these keys in order to restore from an etcd backup.
      To ensure the correct cipher, set the encryption type to aescbc or aesgcm in the apiserver object which configures the API server itself.

      the part below it has not.

      In addition, the remediation also needs to be changed to enforce AES-GCM by default instead of AES-CBC.
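      The check and remediation logic the issue asks for, written out as an added example (this is not the Compliance Operator's own code and not the content of the existing ComplianceRemediation object). It assumes the APIServer object is handled as a plain dict of the shape `oc get apiserver cluster -o json` returns, that the check accepts either aescbc or aesgcm as the description says, and that the remediation writes aesgcm unless told otherwise. The sample object is constructed for the example.

```python
"""Check and remediation for the API server etcd encryption cipher (added example, not project code)."""
import copy
import json

# Encryption types the updated rule description accepts.
ACCEPTED_TYPES = ("aesgcm", "aescbc")
# What the updated remediation should enforce by default (assumption: aesgcm rather than aescbc).
DEFAULT_TYPE = "aesgcm"

# Constructed sample: an APIServer object with no encryption block, i.e. etcd encryption not enabled.
SAMPLE_UNENCRYPTED = {
    "apiVersion": "config.openshift.io/v1",
    "kind": "APIServer",
    "metadata": {"name": "cluster"},
    "spec": {"audit": {"profile": "Default"}},
}


def encryption_type(apiserver):
    """Return spec.encryption.type, or None when the cluster has never enabled encryption."""
    return apiserver.get("spec", {}).get("encryption", {}).get("type")


def check(apiserver):
    """Evaluate the rule: pass when the configured cipher is one of the accepted types.

    Returns (passed, message). Missing, 'identity' or any other value fails, since none
    of those encrypts Secrets and ConfigMaps at rest in etcd.
    """
    cipher = encryption_type(apiserver)
    if cipher in ACCEPTED_TYPES:
        return True, f"spec.encryption.type is {cipher}"
    return False, f"spec.encryption.type is {cipher!r}; expected one of {ACCEPTED_TYPES}"


def remediate(apiserver, cipher=DEFAULT_TYPE):
    """Return a copy of the APIServer object with spec.encryption.type set to the chosen cipher.

    The original object is left untouched. Other spec fields (audit profile, TLS profile, ...)
    are preserved, which is what a merge of the remediation onto the live object must do.
    """
    if cipher not in ACCEPTED_TYPES:
        raise ValueError(f"unsupported encryption type {cipher!r}")
    fixed = copy.deepcopy(apiserver)
    fixed.setdefault("spec", {})["encryption"] = {"type": cipher}
    return fixed


def merge_patch(cipher=DEFAULT_TYPE):
    """JSON merge patch equivalent to the remediation, for use with
    `oc patch apiserver cluster --type=merge -p '<patch>'`."""
    if cipher not in ACCEPTED_TYPES:
        raise ValueError(f"unsupported encryption type {cipher!r}")
    return json.dumps({"spec": {"encryption": {"type": cipher}}})


if __name__ == "__main__":
    passed, msg = check(SAMPLE_UNENCRYPTED)
    print("before:", passed, msg)
    fixed = remediate(SAMPLE_UNENCRYPTED)
    print("after: ", *check(fixed))
    print("patch: ", merge_patch())
```

      Note that applying the patch only asks the API server operator to start re-encrypting; the change is complete only once the `Encrypted` condition on the APIServer status reports that the resources have been migrated, so a check that wants to confirm data at rest is actually using the new cipher should look at that status as well as at `spec.encryption.type`.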

        1. image-2025-03-14-14-53-56-628.png
          211 kB
          Maria Simon Marcos
        2. image-2025-03-14-14-56-55-003.png
          277 kB
          Maria Simon Marcos

              wsato@redhat.com Watson Sato
              rh-ee-masimonm Maria Simon Marcos
              Anna Koudelkova