CUI

Documentation - V-257564

V-257564

Red Hat OpenShift Container Platform 4.x Security Technical Implementation Guide

CAT II

Title

OpenShift keystore must implement encryption to prevent unauthorized disclosure of information at rest within the container platform.

Description

<VulnDiscussion>By default, etcd data is not encrypted in OpenShift Container Platform. Enable etcd encryption for the cluster to provide an additional layer of data security. For example, it helps protect against the loss of sensitive data if an etcd backup is exposed to the wrong parties. When users enable etcd encryption, the following OpenShift API server and Kubernetes API server resources are encrypted:

- Secrets
- Config maps
- Routes
- OAuth access tokens
- OAuth authorize tokens

When users e...

Fix Text (Documentation Requirement)

Set the API encryption type by executing the following:

    oc edit apiserver

Set the encryption field type to aescbc:

    spec:
      encryption:
        type: aescbc

Additional details about the configuration can be found in the documentation: https://docs.openshift.com/container-platform/4.8/security/encrypting-etcd.html
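An added offline check (not part of the STIG text) that evaluates this control from the JSON of `oc get apiserver cluster -o json` together with the operator objects (`oc get openshiftapiserver cluster -o json`, `oc get kubeapiserver cluster -o json`): it reads spec.encryption.type and the operators' `Encrypted` status condition, which the OpenShift encryption docs describe as reporting `EncryptionCompleted` once all resources are encrypted. The sample objects below are constructed for illustration, and treating an absent type as `identity` (the unencrypted default) is an assumption.

```python
"""Offline compliance check for V-257564: etcd encryption type on OpenShift.

Intended input: the JSON printed by `oc get apiserver cluster -o json` and
by `oc get openshiftapiserver/kubeapiserver cluster -o json`. The sample
objects at the bottom are constructed, not real cluster output.
"""
import json

REQUIRED_TYPE = "aescbc"  # the type the STIG fix text mandates


def encryption_type(apiserver):
    """Return spec.encryption.type; an absent or empty value is treated as
    'identity' (no encryption at rest), assumed here to be the default."""
    enc = apiserver.get("spec", {}).get("encryption") or {}
    return enc.get("type") or "identity"


def encrypted_condition(operator):
    """Return (reason, message) of the operator's 'Encrypted' status condition."""
    for cond in operator.get("status", {}).get("conditions", []):
        if cond.get("type") == "Encrypted":
            return cond.get("reason", ""), cond.get("message", "")
    return "", ""


def check(apiserver, operators):
    """Return a list of findings; an empty list means the control is met."""
    findings = []
    etype = encryption_type(apiserver)
    if etype != REQUIRED_TYPE:
        findings.append(f"spec.encryption.type is {etype!r}, expected {REQUIRED_TYPE!r}")
    for name, op in operators.items():
        reason, message = encrypted_condition(op)
        if reason != "EncryptionCompleted":  # encryption not finished or not configured
            findings.append(f"{name}: Encrypted condition reason {reason!r} ({message or 'no message'})")
    return findings


# Constructed sample objects (assumed field layout; not real cluster output).
COMPLIANT_APISERVER = json.loads('{"spec": {"encryption": {"type": "aescbc"}}}')
DEFAULT_APISERVER = json.loads('{"spec": {"audit": {"profile": "Default"}}}')
OPERATOR_DONE = {"status": {"conditions": [
    {"type": "Encrypted", "reason": "EncryptionCompleted",
     "message": "All resources encrypted: routes.route.openshift.io"}]}}
OPERATOR_PENDING = {"status": {"conditions": [
    {"type": "Encrypted", "reason": "EncryptionInProgress",
     "message": "Resources are being encrypted"}]}}

if __name__ == "__main__":
    for f in check(DEFAULT_APISERVER, {"openshiftapiserver": OPERATOR_PENDING}):
        print("FINDING:", f)
```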
