📞📱☎️📡🌐 Cloud Native Telecom Initiative (CNTI) Test Catalog is a tool to check for and provide feedback on the use of K8s + cloud native best practices in networking applications and platforms
By default in a Kubernetes system, encryption of data inside objects like configmaps is not enabled, so data in etcd is available to a potential attacker.
Encrypting configmaps is possible in newer versions of Kubernetes. When this configuration is done, all newly created configmaps have encrypted data in the etcd key-value store.
This testcase creates a new configmap with a random suffix (to avoid conflict). Then we will use a similar command in the etcd pod to verify that encryption is working:
ETCDCTL_API=3 etcdctl \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/server.crt \
  --key=/etc/kubernetes/pki/etcd/server.key \
  get /registry/configmaps/default/my-configmap | hexdump -C
Issues:
Refs: #1994
How has this been tested:
[ ] Covered by existing integration testing
[ ] Added integration testing to cover
[ ] Verified all A/C passes
[ ] develop
[ ] master
[ ] tag/other branch
[ ] Test environment
[ ] Shared Packet K8s cluster
[ ] New Packet K8s cluster
[X] Kind cluster
[ ] Have not tested
Types of changes:
[ ] Bug fix (non-breaking change which fixes an issue)
[X] New feature (non-breaking change which adds functionality)
[ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
[x] Documentation update
Checklist:
Documentation
[ ] My change requires a change to the documentation.
[x] I have updated the documentation accordingly.
[ ] No updates required.
Code Review
[ ] Does the test handle fatal exceptions, ie. rescue block
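One way to turn the etcd lookup described above into a pass/fail check, as an added example that is not part of this PR or the CNTI test code. It relies on the kube-apiserver storage format: values written by an encryption provider start with `k8s:enc:<provider>:`, while unencrypted objects start with the protobuf magic `k8s\0`. The function names, the sample bytes and the marker `cnti-marker` are constructed for illustration, and the input is assumed to be the value only (for example from `etcdctl get ... --print-value-only`).

```shell
#!/bin/sh
# Added example: classify a raw etcd value by its storage prefix.
# Input file must hold the value only (assumed: etcdctl get KEY --print-value-only).

# etcd_value_state FILE -> encrypted:<provider> | plaintext | unknown
etcd_value_state() {
    evs_head=$(head -c 8 "$1" | od -An -tx1 | tr -d ' \n')
    case $evs_head in
        6b38733a656e633a*)  # "k8s:enc:" written by an encryption provider
            evs_provider=$(tail -c +9 "$1" | head -c 32 |
                LC_ALL=C tr -c 'a-z0-9:' '\n' | head -n 1 | cut -d: -f1)
            echo "encrypted:$evs_provider" ;;
        6b387300*)          # "k8s\0" magic of an unencrypted protobuf object
            echo "plaintext" ;;
        *)
            echo "unknown" ;;
    esac
}

# configmap_encrypted FILE MARKER -> exit 0 only if the prefix is present
# and the known configmap data (MARKER) is not readable in the stored bytes.
configmap_encrypted() {
    case $(etcd_value_state "$1") in
        encrypted:*) ;;
        *) return 1 ;;
    esac
    if LC_ALL=C grep -a -q -F -- "$2" "$1"; then
        return 1
    fi
    return 0
}

# Constructed sample values (not captured from a cluster); DIR is the argument.
make_samples() {
    printf 'k8s\000\n\017\n\002v1\022\tConfigMap\022\030\n\004demo\022\020key=cnti-marker\n' > "$1/plain.bin"
    printf 'k8s:enc:aescbc:v1:key1:\234\021\367\002\210\305\n\276' > "$1/enc.bin"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for name in plain enc; do
    echo "$name: $(etcd_value_state "$demo_dir/$name.bin")"
done
rm -rf "$demo_dir"
```

Checking for the marker as well as the prefix catches the case where the prefix is present but the configmap data is still readable in the stored bytes.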