MEDIUM M10: API Server Encryption P2

Status: Pending

Overview

This remediation enables encryption at rest for etcd data in the OpenShift API server, protecting sensitive data stored in the cluster’s key-value store.

Settings

Setting          Value    Description
encryption.type  aescbc   Enable AES-CBC encryption at rest

Implementation

This requires modifying the APIServer custom resource:

apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster
spec:
  encryption:
    type: aescbc

Apply with:

oc patch apiserver cluster --type merge -p '{"spec":{"encryption":{"type":"aescbc"}}}'

Compliance Checks Remediated

Check                                            Profile
ocp4-cis-api-server-encryption-provider-cipher   CIS
ocp4-e8-api-server-encryption-provider-cipher    E8

Source Remediation Files

  • medium/ocp4-cis-api-server-encryption-provider-cipher.yaml
  • medium/ocp4-e8-api-server-encryption-provider-cipher.yaml

Verification

Check encryption status:

oc get apiserver cluster -o jsonpath='{.spec.encryption.type}'
# Expected: aescbc

# Verify encryption is active
oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.type}{" "}{.status}{" "}{.reason}{"\n"}{end}'
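The two verification commands above answer different questions: the first shows what the APIServer spec asks for, the second whether the operators have finished rewriting the existing etcd keys. The following added example (not part of the remediation files) combines captured `-o json` output of both into one verdict; the sample outputs are constructed, and the reason strings follow what the cluster operators report (EncryptionCompleted, EncryptionInProgress).

```python
import json

# Encryption types that protect data at rest. This remediation sets aescbc;
# aesgcm is the other value accepted on newer OpenShift releases.
ENCRYPTED_TYPES = {"aescbc", "aesgcm"}


def assess_encryption(apiserver_json, operator_json):
    """Combine `oc get apiserver cluster -o json` with
    `oc get openshiftapiserver -o json` into a single verdict.

    The spec only records intent: after the patch the operators re-encrypt
    existing etcd keys in the background, so the Encrypted condition is what
    proves the stored data is actually protected."""
    apiserver = json.loads(apiserver_json)
    operator = json.loads(operator_json)
    configured = apiserver.get("spec", {}).get("encryption", {}).get("type", "identity")
    conditions = operator["items"][0].get("status", {}).get("conditions", [])
    cond = next((c for c in conditions if c.get("type") == "Encrypted"), None)

    if configured not in ENCRYPTED_TYPES:
        verdict = "NOT_CONFIGURED"  # "identity" or unset: etcd holds plaintext
    elif cond is None:
        verdict = "UNKNOWN"         # operator has not reported yet; re-check later
    elif cond.get("status") == "True" and cond.get("reason") == "EncryptionCompleted":
        verdict = "COMPLIANT"
    else:
        verdict = "IN_PROGRESS"     # e.g. reason EncryptionInProgress: keys still migrating
    return {"configured": configured,
            "reason": cond.get("reason") if cond else None,
            "verdict": verdict}


# Constructed sample command outputs (not captured from a real cluster).
APISERVER_AESCBC = json.dumps({"spec": {"encryption": {"type": "aescbc"}}})
APISERVER_DEFAULT = json.dumps({"spec": {}})
OPERATOR_DONE = json.dumps({"items": [{"status": {"conditions": [
    {"type": "Encrypted", "status": "True", "reason": "EncryptionCompleted"}]}}]})
OPERATOR_MIGRATING = json.dumps({"items": [{"status": {"conditions": [
    {"type": "Encrypted", "status": "False", "reason": "EncryptionInProgress"}]}}]})
OPERATOR_NONE = json.dumps({"items": [{"status": {"conditions": []}}]})

if __name__ == "__main__":
    for label, spec, status in [("patched, migration done", APISERVER_AESCBC, OPERATOR_DONE),
                                ("patched, still migrating", APISERVER_AESCBC, OPERATOR_MIGRATING),
                                ("default cluster", APISERVER_DEFAULT, OPERATOR_NONE)]:
        print(label, "->", assess_encryption(spec, status))
```

Treat IN_PROGRESS as not yet remediated: until the condition reports EncryptionCompleted, previously written Secrets remain in plaintext in etcd and in any backup taken in the meantime.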

Security Impact

Encryption at rest ensures:

  • Secrets stored in etcd are encrypted
  • Stolen etcd backups are protected
  • Compliance with data protection requirements
  • Defense in depth for sensitive configuration