TF 0295 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Ensure that the --encryption-provider-config argument is set as appropriate

Property   Value
Language   terraform
Severity   low

Description

The Kubernetes API server is not configured with the --encryption-provider-config flag, meaning etcd data is stored unencrypted. This exposes sensitive cluster data at rest to potential unauthorized access.

Impact

If exploited, attackers with access to the etcd datastore can read sensitive information such as secrets, keys, and user data in plaintext, increasing the risk of data breaches and compromising cluster security.

Resolution

Follow the Kubernetes documentation and configure an EncryptionConfig file. Then edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --encryption-provider-config parameter to the path of that file.
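The resolution above as a worked configuration. This is an added example, not a file from the Symbiotic-Vulnerability-Database or from the Kubernetes project: the first document is the EncryptionConfig file the resolution refers to, the second is the relevant fragment of the kube-apiserver static pod manifest with the flag set and the config directory mounted into the container. The path /etc/kubernetes/enc/enc.yaml, the key name key1, the directory names and the key value are assumptions chosen for the example; the key must be replaced with a freshly generated 32-byte random value encoded in base64 before use.

```yaml
# Example EncryptionConfig file (assumed path: /etc/kubernetes/enc/enc.yaml).
# Providers are tried in order for writes (first one wins) and for reads
# (first one that can decrypt the stored bytes). Listing identity last
# lets the API server still read secrets that were written before
# encryption was enabled; listing it first would mean writes stay plaintext.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1                       # assumed key name
              # Placeholder. Generate a real key with:
              #   head -c 32 /dev/urandom | base64
              secret: REPLACE_WITH_BASE64_32_BYTE_KEY
      - identity: {}
---
# Fragment of /etc/kubernetes/manifests/kube-apiserver.yaml showing only the
# parts that change. The flag points at the file above, and the directory
# holding it is mounted read-only from the host so the container can read it.
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
    - name: kube-apiserver
      command:
        - kube-apiserver
        # ... existing flags unchanged ...
        - --encryption-provider-config=/etc/kubernetes/enc/enc.yaml   # assumed path
      volumeMounts:
        # ... existing mounts unchanged ...
        - name: enc                            # assumed volume name
          mountPath: /etc/kubernetes/enc
          readOnly: true
  volumes:
    # ... existing volumes unchanged ...
    - name: enc
      hostPath:
        path: /etc/kubernetes/enc
        type: DirectoryOrCreate
```

Because the manifest is a static pod, the kubelet restarts kube-apiserver automatically when the file changes. Enabling the provider only affects objects written from that point on; secrets that already exist in etcd stay in plaintext until they are rewritten, which the Kubernetes documentation does with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`. The EncryptionConfig file itself holds the key, so it needs the same filesystem protection as the rest of the control plane's private material.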