Is the information stored inside GKE "etcd" encrypted?

6/19/2019

I am using GKE(Google Kubernetes Engine) 1.13.6-gke.6 and I need to provide etcd encryption evidence for PCI purposes.
I have used --data-encryption-key flag and used a KMS key to encrypt secrets following this documentation.

I need to give a set of commands which will prove that the information stored in etcd of the master node is encrypted.

Here is how we verify that the secrets stored inside a normal Kuebrnetes Cluster (not GKE) are encrypted.

As we know GKE is a managed service and master node is managed by GCP. Is there a way to access GKE "etcd" to see the stored secrets and data at rest ?

-- Amit Yadav
etcd
google-kubernetes-engine
kubectl
kubernetes

1 Answer

6/19/2019

Why do you have to prove that the information is encrypted? GKE is covered by Google Cloud's PCI DSS certification and since the master is a part of the "cluster as a service" that should be out of scope for what you need to show since you don't (and can't) control the way in which the storage is implemented.

One thing you can do is use Application-layer Secrets Encryption to encrypt your secrets with your own key stored in Cloud KMS. For your secrets you would be able to run commands to prove that additional level of encryption.

-- Robert Bailey
Source: StackOverflow