N/A
Source: Kube Bench
ID: 5.9
Version: gke-1.2.0

5.9 Storage

5.9.1 Enable Customer-Managed Encryption Keys (CMEK) for GKE Persistent Disks (PD) (Manual)

Using the command line. FOR NODE BOOT DISKS: Create a new node pool that uses a customer-managed encryption key for the node boot disk, where [DISK_TYPE] is either pd-standard or pd-ssd:

# node-pools create takes the new pool's name and the target cluster via --cluster
gcloud beta container node-pools create [POOL_NAME] \
  --cluster [CLUSTER_NAME] \
  --disk-type [DISK_TYPE] \
  --boot-disk-kms-key \
  projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]

Create a cluster that uses a customer-managed encryption key for the node boot disk, where [DISK_TYPE] is either pd-standard or pd-ssd:

gcloud beta container clusters create [CLUSTER_NAME] \
  --disk-type [DISK_TYPE] \
  --boot-disk-kms-key \
  projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]

FOR ATTACHED DISKS: Follow the instructions detailed at https://cloud.google.com/kubernetes-engine/docs/how-to/using-cmek.
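Because this check is Manual, the benchmark gives no audit step. The script below is an added example (not part of kube-bench or the CIS benchmark text) that turns the remediation above into a check: it reads the JSON that `gcloud container node-pools list --cluster [CLUSTER_NAME] --format=json` prints and flags pools whose config lacks a `bootDiskKmsKey`, and it reads `kubectl get storageclass -o json` and flags PD CSI StorageClasses that do not set the `disk-encryption-kms-key` parameter used for CMEK on attached disks. The inputs here are constructed samples embedded inline so it runs offline; the key names, project and pool names are placeholders.

```python
"""Audit GKE node pools and StorageClasses for customer-managed encryption keys.

Added example, not code from kube-bench or the CIS benchmark. The two inputs are
constructed stand-ins for the JSON that `gcloud container node-pools list
--format=json` and `kubectl get storageclass -o json` would produce.
"""
import json
import re

# Cloud KMS key resource names must have this shape; a value of any other form is
# treated as a finding rather than silently accepted (format check only).
KMS_KEY_RE = re.compile(
    r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$"
)

# Constructed sample: one pool without CMEK, one with a properly formed key.
SAMPLE_NODE_POOLS_JSON = """
[
  {"name": "default-pool",
   "config": {"diskType": "pd-standard", "diskSizeGb": 100}},
  {"name": "cmek-pool",
   "config": {"diskType": "pd-ssd", "diskSizeGb": 100,
              "bootDiskKmsKey": "projects/example-key-project/locations/us-central1/keyRings/example-ring/cryptoKeys/example-key"}}
]
"""

# Constructed sample: the GCE PD CSI driver reads the key from the
# `disk-encryption-kms-key` parameter; non-PD provisioners are out of scope (assumption).
SAMPLE_STORAGE_CLASSES_JSON = """
{"items": [
  {"metadata": {"name": "standard-rwo"},
   "provisioner": "pd.csi.storage.gke.io",
   "parameters": {"type": "pd-balanced"}},
  {"metadata": {"name": "cmek-ssd"},
   "provisioner": "pd.csi.storage.gke.io",
   "parameters": {"type": "pd-ssd",
                  "disk-encryption-kms-key": "projects/example-key-project/locations/us-central1/keyRings/example-ring/cryptoKeys/example-key"}},
  {"metadata": {"name": "nfs"},
   "provisioner": "example.com/nfs",
   "parameters": {}}
]}
"""


def _is_cmek_key(value):
    """True only when value is a well-formed Cloud KMS key resource name."""
    return bool(value) and KMS_KEY_RE.match(value) is not None


def node_pools_without_cmek(node_pools_json):
    """Return names of node pools whose boot disk is not encrypted with a CMEK."""
    findings = []
    for pool in json.loads(node_pools_json):
        key = pool.get("config", {}).get("bootDiskKmsKey")
        if not _is_cmek_key(key):
            findings.append(pool["name"])
    return findings


def storage_classes_without_cmek(storage_classes_json):
    """Return names of PD CSI StorageClasses that do not set a CMEK key."""
    findings = []
    for sc in json.loads(storage_classes_json)["items"]:
        if sc.get("provisioner") != "pd.csi.storage.gke.io":
            continue  # only GCE PD volumes are covered by this check
        key = sc.get("parameters", {}).get("disk-encryption-kms-key")
        if not _is_cmek_key(key):
            findings.append(sc["metadata"]["name"])
    return findings


def audit(node_pools_json, storage_classes_json):
    """Run both checks; an empty list means that part of the check passes."""
    return {
        "node_pools_without_cmek": node_pools_without_cmek(node_pools_json),
        "storage_classes_without_cmek": storage_classes_without_cmek(storage_classes_json),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_NODE_POOLS_JSON, SAMPLE_STORAGE_CLASSES_JSON)
    for check, names in report.items():
        status = "FAIL" if names else "PASS"
        print(f"{status} {check}: {', '.join(names) or '-'}")
```

To run it against a live cluster, replace the two sample strings with the output of the gcloud and kubectl commands named in the lead-in; node pools created before CMEK was enabled keep their original boot disks, so a pool flagged here must be recreated with `--boot-disk-kms-key` rather than updated in place.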