CNF-22624: RAN Hardening (5.0) - API Encryption (M10)

[sebrandon1]

Summary

• MEDIUM severity finding from the ACSC Essential Eight compliance profile — enables AES-CBC encryption at rest for etcd (Secrets, ConfigMaps, Routes, OAuth tokens)
• APIServer CRD patch (not a MachineConfig, no node reboots)

Remediation Group

• M10: API Encryption

Jira

• CNF-22624
• Epic: CNF-22573 — RAN Hardening for 5.0

Test plan

• Apply APIServer CRD to OCP 5.0 cluster
• Verify encryption.type: aescbc set
• Encryption in progress for etcd resources

Supersedes #678 — migrated from compliance/4.22/* to compliance/5.0/* branch naming.

OCP 5.0 Verification (2026-06-22)

Cluster: cnfdt16 — OCP 5.0.0-0.nightly-2026-06-18-000016, RHCOS 10.2

Finding: Hardening still needed. OCP 5.0 does not enable etcd encryption at rest by default.

$ oc get apiserver cluster -o jsonpath='{.spec.encryption}'
{}   # (empty on fresh install — defaults to identity/no encryption)

The aescbc encryption on cnfdt16 was manually applied (generation: 2, kubectl-client-side-apply in managedFields). A fresh 5.0 install still requires this remediation.

Encryption key storage and threat model

With the default aescbc configuration, the encryption keys are stored on the same control plane nodes where etcd runs, specifically in /etc/kubernetes/static-pod-resources/kube-apiserver-pod-<revision>/secrets/encryption-config/encryption-config. The openshift-apiserver-operator rotates these keys every 7 days, preserving up to 10 historical keys for backup decryption.

Keys and data are co-located. The threat model is narrow:

• Defends against: etcd backup theft (keys are not inside the backup snapshot), cold disk forensics on decommissioned drives
• Does not defend against: control plane node root compromise (attacker reads the key file directly)

For genuine key separation, KMS integration (AWS KMS, Azure Key Vault, HashiCorp Vault) keeps the master key external to the cluster, but that is a deployment-specific choice outside the scope of the RDS reference config.

This configuration satisfies the ACSC Essential Eight / NIST SC-28 compliance requirement, which mandates demonstrating encryption at rest as defense-in-depth.

[openshift-ci-robot]

@sebrandon1: This pull request references CNF-22624 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• MEDIUM severity API server encryption — enables AES-CBC encryption at rest for etcd (Secrets, ConfigMaps, Routes, OAuth tokens)
• APIServer CRD patch (not a MachineConfig, no node reboots)

Remediation Group

• M10: API Encryption

Jira

• CNF-22624
• Epic: CNF-22573 — RAN Hardening for 5.0

Test plan

• Apply APIServer CRD to OCP 5.0 cluster
• Verify encryption.type: aescbc set
• Encryption in progress for etcd resources

Supersedes #678 — migrated from compliance/4.22/* to compliance/5.0/* branch naming.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sebrandon1
Once this PR has been reviewed and has the lgtm label, please assign marsik for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Warning

Review limit reached

@sebrandon1, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 42 minutes and 13 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 54dff7fe-5a2f-4a7e-b725-993071e3f568

📥 Commits

Reviewing files that changed from the base of the PR and between 8da6552 and 26e15d2.

📒 Files selected for processing (1)

• telco-ran/configuration/hardening/api-server/75-api-server-encryption.yaml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@sebrandon1: This pull request references CNF-22624 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• MEDIUM severity API server encryption — enables AES-CBC encryption at rest for etcd (Secrets, ConfigMaps, Routes, OAuth tokens)
• APIServer CRD patch (not a MachineConfig, no node reboots)

Remediation Group

• M10: API Encryption

Jira

• CNF-22624
• Epic: CNF-22573 — RAN Hardening for 5.0

Test plan

• Apply APIServer CRD to OCP 5.0 cluster
• Verify encryption.type: aescbc set
• Encryption in progress for etcd resources

Supersedes #678 — migrated from compliance/4.22/* to compliance/5.0/* branch naming.

OCP 5.0 Verification (2026-06-22)

Cluster: cnfdt16 — OCP 5.0.0-0.nightly-2026-06-18-000016, RHCOS 10.2

Finding: Hardening still needed. OCP 5.0 does not enable etcd encryption at rest by default.

$ oc get apiserver cluster -o jsonpath='{.spec.encryption}'
{}   # (empty on fresh install — defaults to identity/no encryption)

The aescbc encryption on cnfdt16 was manually applied (generation: 2, kubectl-client-side-apply in managedFields). A fresh 5.0 install still requires this remediation.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@sebrandon1: This pull request references CNF-22624 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• MEDIUM severity finding from the ACSC Essential Eight compliance profile — enables AES-CBC encryption at rest for etcd (Secrets, ConfigMaps, Routes, OAuth tokens)
• APIServer CRD patch (not a MachineConfig, no node reboots)

Remediation Group

• M10: API Encryption

Jira

• CNF-22624
• Epic: CNF-22573 — RAN Hardening for 5.0

Test plan

• Apply APIServer CRD to OCP 5.0 cluster
• Verify encryption.type: aescbc set
• Encryption in progress for etcd resources

Supersedes #678 — migrated from compliance/4.22/* to compliance/5.0/* branch naming.

OCP 5.0 Verification (2026-06-22)

Cluster: cnfdt16 — OCP 5.0.0-0.nightly-2026-06-18-000016, RHCOS 10.2

Finding: Hardening still needed. OCP 5.0 does not enable etcd encryption at rest by default.

$ oc get apiserver cluster -o jsonpath='{.spec.encryption}'
{}   # (empty on fresh install — defaults to identity/no encryption)

The aescbc encryption on cnfdt16 was manually applied (generation: 2, kubectl-client-side-apply in managedFields). A fresh 5.0 install still requires this remediation.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[MarSik]

Encrypted etcd has been requested many times, but the main question remains. Where is the encryption key stored? Is it on the same harddrive in the same machine? Is that secure at all or just placebo?

[openshift-ci-robot]

@sebrandon1: This pull request references CNF-22624 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• MEDIUM severity finding from the ACSC Essential Eight compliance profile — enables AES-CBC encryption at rest for etcd (Secrets, ConfigMaps, Routes, OAuth tokens)
• APIServer CRD patch (not a MachineConfig, no node reboots)

Remediation Group

• M10: API Encryption

Jira

• CNF-22624
• Epic: CNF-22573 — RAN Hardening for 5.0

Test plan

• Apply APIServer CRD to OCP 5.0 cluster
• Verify encryption.type: aescbc set
• Encryption in progress for etcd resources

Supersedes #678 — migrated from compliance/4.22/* to compliance/5.0/* branch naming.

OCP 5.0 Verification (2026-06-22)

Cluster: cnfdt16 — OCP 5.0.0-0.nightly-2026-06-18-000016, RHCOS 10.2

Finding: Hardening still needed. OCP 5.0 does not enable etcd encryption at rest by default.

$ oc get apiserver cluster -o jsonpath='{.spec.encryption}'
{}   # (empty on fresh install — defaults to identity/no encryption)

The aescbc encryption on cnfdt16 was manually applied (generation: 2, kubectl-client-side-apply in managedFields). A fresh 5.0 install still requires this remediation.

Encryption key storage and threat model

With the default aescbc configuration, the encryption keys are stored on the same control plane nodes where etcd runs, specifically in /etc/kubernetes/static-pod-resources/kube-apiserver-pod-<revision>/secrets/encryption-config/encryption-config. The openshift-apiserver-operator rotates these keys every 7 days, preserving up to 10 historical keys for backup decryption.

Keys and data are co-located. The threat model is narrow:

• Defends against: etcd backup theft (keys are not inside the backup snapshot), cold disk forensics on decommissioned drives
• Does not defend against: control plane node root compromise (attacker reads the key file directly)

For genuine key separation, KMS integration (AWS KMS, Azure Key Vault, HashiCorp Vault) keeps the master key external to the cluster, but that is a deployment-specific choice outside the scope of the RDS reference config.

This configuration satisfies the ACSC Essential Eight / NIST SC-28 compliance requirement, which mandates demonstrating encryption at rest as defense-in-depth.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@sebrandon1: This pull request references CNF-22624 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• MEDIUM severity finding from the ACSC Essential Eight compliance profile — enables AES-CBC encryption at rest for etcd (Secrets, ConfigMaps, Routes, OAuth tokens)
• APIServer CRD patch (not a MachineConfig, no node reboots)

Remediation Group

• M10: API Encryption

Jira

• CNF-22624
• Epic: CNF-22573 — RAN Hardening for 5.0

Test plan

• Apply APIServer CRD to OCP 5.0 cluster
• Verify encryption.type: aescbc set
• Encryption in progress for etcd resources

Supersedes #678 — migrated from compliance/4.22/* to compliance/5.0/* branch naming.

OCP 5.0 Verification (2026-06-22)

Cluster: cnfdt16 — OCP 5.0.0-0.nightly-2026-06-18-000016, RHCOS 10.2

Finding: Hardening still needed. OCP 5.0 does not enable etcd encryption at rest by default.

$ oc get apiserver cluster -o jsonpath='{.spec.encryption}'
{}   # (empty on fresh install — defaults to identity/no encryption)

The aescbc encryption on cnfdt16 was manually applied (generation: 2, kubectl-client-side-apply in managedFields). A fresh 5.0 install still requires this remediation.

Encryption key storage and threat model

With the default aescbc configuration, the encryption keys are stored on the same control plane nodes where etcd runs, specifically in /etc/kubernetes/static-pod-resources/kube-apiserver-pod-<revision>/secrets/encryption-config/encryption-config. The openshift-apiserver-operator rotates these keys every 7 days, preserving up to 10 historical keys for backup decryption.

Keys and data are co-located. The threat model is narrow:

• Defends against: etcd backup theft (keys are not inside the backup snapshot), cold disk forensics on decommissioned drives
• Does not defend against: control plane node root compromise (attacker reads the key file directly)

For genuine key separation, KMS integration (AWS KMS, Azure Key Vault, HashiCorp Vault) keeps the master key external to the cluster, but that is a deployment-specific choice outside the scope of the RDS reference config.

This configuration satisfies the ACSC Essential Eight / NIST SC-28 compliance requirement, which mandates demonstrating encryption at rest as defense-in-depth.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[sebrandon1]

Good question. With the default aescbc configuration, the encryption keys are stored on the same control plane nodes where etcd runs, specifically in /etc/kubernetes/static-pod-resources/kube-apiserver-pod-<revision>/secrets/encryption-config/encryption-config. The openshift-apiserver-operator rotates these keys every 7 days, preserving up to 10 historical keys for backup decryption.

So yes, keys and data are co-located. The threat model is narrow:

• Defends against: etcd backup theft (keys are not inside the backup snapshot), cold disk forensics on decommissioned drives
• Does not defend against: control plane node root compromise (attacker reads the key file directly)

For genuine key separation, KMS integration (AWS KMS, Azure Key Vault, HashiCorp Vault) keeps the master key external to the cluster, but that is a deployment-specific choice outside the scope of the RDS reference config.

This configuration satisfies the ACSC Essential Eight / NIST SC-28 compliance requirement, which mandates demonstrating encryption at rest as defense-in-depth. It is not a silver bullet, but it is a required layer.

I added a collapsed "Encryption key storage and threat model" section to the PR description as well.