N/A
Source: Kube Bench
ID: 2
Version: ack-1.0

2 Etcd Node Configuration Files

2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)

Follow the etcd service documentation and configure TLS encryption. Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and set the below parameters.
--cert-file=</path/to/ca-file>
--key-file=</path/to/key-file>

2.2 Ensure that the --client-cert-auth argument is set to true (Automated)

Edit the etcd pod specification file $etcdconf on the master node and set the below parameter.
--client-cert-auth="true"

2.3 Ensure that the --auto-tls argument is not set to true (Automated)

Edit the etcd pod specification file $etcdconf on the master node and either remove the --auto-tls parameter or set it to false.
--auto-tls=false

2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)

Follow the etcd service documentation and configure peer TLS encryption as appropriate for your etcd cluster. Then, edit the etcd pod specification file $etcdconf on the master node and set the below parameters.
--peer-cert-file=</path/to/peer-cert-file>
--peer-key-file=</path/to/peer-key-file>

2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)

Edit the etcd pod specification file $etcdconf on the master node and set the below parameter.
--peer-client-cert-auth=true

2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)

Edit the etcd pod specification file $etcdconf on the master node and either remove the --peer-auto-tls parameter or set it to false.
--peer-auto-tls=false

2.7 Ensure that a unique Certificate Authority is used for etcd (Manual)

[Manual test] Follow the etcd documentation and create a dedicated certificate authority setup for the etcd service. Then, edit the etcd pod specification file $etcdconf on the master node and set the below parameter.
--trusted-ca-file=</path/to/ca-file>
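The checks 2.1 to 2.7 above all reduce to inspecting etcd's command-line flags. The script below is an added example, not kube-bench's own code: it reads the etcd static-pod manifest that the remediation text tells you to edit (rather than the running process) and reports PASS/FAIL per check. It assumes a kubeadm-style manifest in which each flag is a "--flag=value" item under spec.containers[].command, and, for 2.7, an optional kube-apiserver manifest whose --client-ca-file is compared against etcd's --trusted-ca-file, since "unique CA" can only be judged relative to another component. Both manifests embedded here are constructed samples; the file paths in them are illustrative.

```shell
#!/bin/sh
# Added example (not kube-bench's own code): audit an etcd static-pod manifest
# for the settings behind checks 2.1 to 2.7. Assumes a kubeadm-style manifest
# in which each etcd flag is a "--flag=value" item under
# spec.containers[].command; on a real control-plane node that file is
# /etc/kubernetes/manifests/etcd.yaml. The manifests below are constructed.

# flag_value FILE FLAG: value of the first "- --FLAG=value" item, surrounding
# quotes removed (so --client-cert-auth="true" still reads as true), or empty
# if absent. Anchoring on "- --" keeps --cert-file from matching --peer-cert-file.
flag_value() {
  sed -n "s/^[[:space:]]*-[[:space:]]*--$2=//p" "$1" | head -n 1 | tr -d "\"'"
}
is_set()   { [ -n "$(flag_value "$1" "$2")" ]; }
is_true()  { [ "$(flag_value "$1" "$2")" = true ]; }
not_true() { ! is_true "$1" "$2"; }
both_set() { is_set "$1" "$2" && is_set "$1" "$3"; }

# check ID EXPECTATION CMD...: run CMD as the test; PASS on success, FAIL otherwise.
check() {
  id=$1; msg=$2; shift 2
  if "$@"; then echo "PASS $id $msg"; else echo "FAIL $id expected: $msg"; fails=$((fails + 1)); fi
}

# audit_etcd_manifest ETCD_MANIFEST [APISERVER_MANIFEST]: one line per check;
# returns the number of failed checks (0 means every automated check passed).
audit_etcd_manifest() {
  f=$1; api=${2:-}; fails=0
  check 2.1 "--cert-file and --key-file are set"           both_set "$f" cert-file key-file
  check 2.2 "--client-cert-auth=true"                      is_true "$f" client-cert-auth
  check 2.3 "--auto-tls absent or false"                   not_true "$f" auto-tls
  check 2.4 "--peer-cert-file and --peer-key-file are set" both_set "$f" peer-cert-file peer-key-file
  check 2.5 "--peer-client-cert-auth=true"                 is_true "$f" peer-client-cert-auth
  check 2.6 "--peer-auto-tls absent or false"              not_true "$f" peer-auto-tls
  # 2.7: a CA must be configured; "unique" is judged by comparing etcd's
  # --trusted-ca-file with the kube-apiserver --client-ca-file when that manifest is given.
  if ! is_set "$f" trusted-ca-file; then
    check 2.7 "--trusted-ca-file is set" false
  elif [ -z "$api" ]; then
    echo "MANUAL 2.7 --trusted-ca-file is set; confirm it is a CA dedicated to etcd"
  elif [ "$(flag_value "$f" trusted-ca-file)" = "$(flag_value "$api" client-ca-file)" ]; then
    check 2.7 "etcd CA differs from the kube-apiserver client CA" false
  else
    check 2.7 "etcd CA differs from the kube-apiserver client CA" true
  fi
  return "$fails"
}

WORK=$(mktemp -d)
GOOD_MANIFEST=$WORK/etcd-good.yaml
BAD_MANIFEST=$WORK/etcd-bad.yaml
APISERVER_MANIFEST=$WORK/kube-apiserver.yaml

# Constructed sample: a kubeadm-style etcd manifest that satisfies every check.
cat > "$GOOD_MANIFEST" <<'EOF'
spec:
  containers:
  - command:
    - etcd
    - --cert-file=/etc/kubernetes/pki/etcd/server.crt
    - --key-file=/etc/kubernetes/pki/etcd/server.key
    - --client-cert-auth=true
    - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
    - --peer-key-file=/etc/kubernetes/pki/etcd/peer.key
    - --peer-client-cert-auth=true
    - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    name: etcd
EOF

# Constructed sample: server TLS present, but auto-TLS, no client auth, no peer
# certs, and the same CA file the API server uses for client certificates.
cat > "$BAD_MANIFEST" <<'EOF'
spec:
  containers:
  - command:
    - etcd
    - --cert-file=/etc/kubernetes/pki/etcd/server.crt
    - --key-file=/etc/kubernetes/pki/etcd/server.key
    - --client-cert-auth=false
    - --auto-tls=true
    - --peer-auto-tls=true
    - --trusted-ca-file=/etc/kubernetes/pki/ca.crt
    name: etcd
EOF

# Constructed sample kube-apiserver manifest used only for the 2.7 comparison.
cat > "$APISERVER_MANIFEST" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    name: kube-apiserver
EOF

echo "== compliant manifest =="
audit_etcd_manifest "$GOOD_MANIFEST" "$APISERVER_MANIFEST" || echo "$? check(s) failed"
echo "== weak manifest =="   # six of the seven checks fail here
audit_etcd_manifest "$BAD_MANIFEST" "$APISERVER_MANIFEST" || echo "$? check(s) failed"
```

The return value of audit_etcd_manifest is the number of failed checks, so the script can be dropped into a CI gate as-is. Reading the manifest instead of the process table means a drifted manifest is caught before the kubelet restarts etcd, but it also means the script says nothing about an etcd that was started some other way; treat it as a complement to, not a replacement for, checking the live process.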