Enable Inter-Node Transparent Encryption

Risk Level: High (not acceptable risk)

Enable encryption of in-transit data for Pod communications across Google Kubernetes Engine (GKE) cluster nodes with Customer-Managed Encryption Keys (CMEKs) in order to protect sensitive data from interception and providing greater control over encryption keys, ensuring compliance with regulatory and organizational requirements.

Security

By default, Google encrypts all in-transit data between virtual machines (VMs) at the network interface controller (NIC) level, ensuring data confidentiality regardless of the services or applications running on the VM, including Google Kubernetes Engine (GKE). This encryption applies to all GKE nodes and Pod traffic, with encryption keys managed by Google. Inter-node transparent encryption for GKE offers additional control over the encryption keys used to secure Pod traffic across GKE nodes. This encryption, performed using WireGuard within GKE Dataplane V2, supplements the default encryption provided at the VM NIC level. Having direct control over encryption keys in Google Kubernetes Engine (GKE) is particularly beneficial for regulated industries, where compliance and security audits are critical.

Inter-node transparent encryption is only available for GKE Dataplane V2 clusters enabled with the Google Kubernetes Engine (GKE) Enterprise edition.

Audit

To determine if inter-node transparent encryption is enabled for your Google Kubernetes Engine (GKE) clusters, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Kubernetes Engine console available at https://console.cloud.google.com/kubernetes.

04 In the left navigation panel, under Resource Management, choose Clusters and select the OVERVIEW tab to access the list of GKE clusters provisioned for the selected GCP project.

05 Click on the name (link) of the GKE cluster that you want to examine.

06 Select the DETAILS tab to view the configuration information available for the selected cluster.

07 In the Cluster Networking section, check the Inter-Node Transparent Encryption attribute value to determine the feature status. If Inter-Node Transparent Encryption is set to Disabled, inter-node transparent encryption is not enabled for the selected Google Kubernetes Engine (GKE) cluster.

08 Repeat steps no. 5 – 7 for each GKE cluster available within the selected GCP project.

09 Repeat steps no. 2 – 8 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each GCP project available in your Google Cloud account:

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project IDS:

PROJECT_ID
cc-web-project-123123
cc-dev-project-112233

03 Run container clusters list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the name and the region of each GKE cluster provisioned for the selected project:

gcloud container clusters list
	--project cc-web-project-123123
	--format="table(NAME,ZONE)"

04 The command output should return the requested cluster names and their regions:

NAME: cc-gke-backend-cluster
ZONE: us-central1

NAME: cc-gke-frontend-cluster
ZONE: us-central1

05 Run container clusters describe command (Windows/macOS/Linux) with the name of the GKE cluster that you want to examine as the identifier parameter and custom output filters to describe the Inter-Node Transparent Encryption feature status, available for the selected cluster:

gcloud container clusters describe cc-gke-backend-cluster
	--region=us-central1
	--format="value(networkConfig.inTransitEncryptionConfig)"

06 The command output should return the requested feature status:

IN_TRANSIT_ENCRYPTION_DISABLED

If the container clusters describe command output returns IN_TRANSIT_ENCRYPTION_DISABLED, as shown in the example above, inter-node transparent encryption is not enabled for the selected Google Kubernetes Engine (GKE) cluster.

07 Repeat steps no. 5 and 6 for each GKE cluster provisioned for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To enable inter-node transparent encryption for your Google Kubernetes Engine (GKE) clusters, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Kubernetes Engine console available at https://console.cloud.google.com/kubernetes.

04 In the left navigation panel, under Resource Management, choose Clusters and select the OVERVIEW tab to access the list of GKE clusters deployed for the selected GCP project.

05 Click on the name (link) of the GKE cluster that you want to configure.

06 Select the DETAILS tab to view the configuration information available for the selected cluster.

07 In the Cluster Networking section, ensure that Dataplane V2 is set to Enabled, then click on the Edit inter-node transparent encryption button (i.e., pencil icon) available next to Inter-Node Transparent Encryption to modify the encryption feature settings.

08 Inside the Edit inter-node transparent encryption configuration box, check the Enable Inter-Node Transparent Encryption setting checkbox to enable the feature, and choose SAVE CHANGES to apply the changes. This will encrypt pod-to-pod traffic between your GKE nodes with Wireguard within the selected GKE cluster.

09 Repeat steps no. 5 – 8 for each GKE cluster that you want to configure, created for the selected GCP project.

10 Repeat steps no. 2 – 9 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run container clusters update command (Windows/macOS/Linux) with the name of the Google Kubernetes Engine (GKE) cluster that you want to configure as the identifier parameter, to enable inter-node transparent encryption for your GKE cluster:

gcloud container clusters update cc-gke-backend-cluster
	--region=us-central1
	--in-transit-encryption inter-node-transparent

02 The command output should return the full URL of the modified GKE cluster:

Updating cc-gke-backend-cluster... done.
Updated [https://container.googleapis.com/v1/projects/cc-web-project-123123/zones/us-central1/clusters/cc-gke-backend-cluster].

03 Repeat steps no. 1 and 2 for each GKE cluster that you want to configure, available within the selected GCP project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.

References

Google Cloud Platform (GCP) Documentation
Security overview
Encrypt your data in-transit in GKE with user-managed encryption keys
GKE Dataplane V2
GKE Enterprise technical overview

GCP Command Line Interface (CLI) Documentation
gcloud projects list
gcloud container clusters list
gcloud container clusters describe
gcloud container clusters update

Publication date Dec 2, 2024

Audit

Using GCP Console

Using GCP CLI

Remediation / Resolution

Using GCP Console

Using GCP CLI

References

Related GKE rules