Source: Kube Bench
ID: 2
Version: cis-1.6-k3s

2 Etcd Node Configuration Files

2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate if etcd is used as the database (Automated)

By default, K3s uses a config file for etcd that can be found at $etcdconf. The config file contains a client-transport-security: section with fields for the peer cert and peer key files. No manual remediation needed.

2.2 Ensure that the --client-cert-auth argument is set to true (Automated)

By default, K3s uses a config file for etcd that can be found at $etcdconf. client-cert-auth is set to true. No manual remediation needed.

2.3 Ensure that the --auto-tls argument is not set to true (Automated)

By default, K3s starts etcd without this flag, so it keeps its default value of false.

2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)

By default, K3s starts etcd with a config file found at $etcdconf. The config file contains a peer-transport-security: section with fields for the peer cert and peer key files.

2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)

By default, K3s uses a config file for etcd that can be found at $etcdconf. The config file contains peer-transport-security: which has client-cert-auth set to true. No manual remediation needed.

2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)

By default, K3s uses a config file for etcd that can be found at $etcdconf. The file does not contain the peer-auto-tls field. No manual remediation needed.

2.7 Ensure that a unique Certificate Authority is used for etcd (Manual)

By default, K3s uses a config file for etcd that can be found at $etcdconf, and the trusted-ca-file parameters in it are set to unique values specific to etcd. No manual remediation needed.
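Checks 2.1 to 2.7 above all read the same etcd config file, so they can be audited in one pass over its parsed contents. The following is an added example, not kube-bench's or K3s's own code; it assumes the file at $etcdconf is YAML already loaded into a dict (for instance with yaml.safe_load), that the config uses etcd's config-file key names, and that the caller supplies the CA paths of other components for the uniqueness comparison in 2.7.

```python
# Added example, not kube-bench or K3s code. Assumes the YAML at $etcdconf has
# already been loaded into a dict (e.g. yaml.safe_load(open(path))); key names
# follow etcd's config-file schema, where --peer-auto-tls is auto-tls under
# peer-transport-security.

def _is_true(value):
    """Accept YAML booleans and the literal string 'true'."""
    return value is True or str(value).lower() == "true"

def audit_etcd_config(cfg, other_ca_files=()):
    """Return {check_id: passed} for CIS cis-1.6-k3s section 2 (2.1-2.7).
    other_ca_files: assumed input for 2.7, CA paths used by other components;
    etcd's trusted-ca-file values must not appear among them."""
    client = cfg.get("client-transport-security") or {}
    peer = cfg.get("peer-transport-security") or {}
    etcd_cas = {client.get("trusted-ca-file"), peer.get("trusted-ca-file")} - {None}
    return {
        "2.1": bool(client.get("cert-file") and client.get("key-file")),  # cert-file/key-file set
        "2.2": _is_true(client.get("client-cert-auth")),   # client-cert-auth true
        "2.3": not _is_true(client.get("auto-tls")),       # auto-tls absent or false
        "2.4": bool(peer.get("cert-file") and peer.get("key-file")),      # peer cert/key set
        "2.5": _is_true(peer.get("client-cert-auth")),     # peer client-cert-auth true
        "2.6": not _is_true(peer.get("auto-tls")),         # peer auto-tls absent or false
        "2.7": bool(etcd_cas) and etcd_cas.isdisjoint(other_ca_files),  # CA unique to etcd
    }

# Constructed sample mirroring the default layout the page describes;
# paths are placeholders, not K3s's real file locations.
SAMPLE_CONFIG = {
    "client-transport-security": {
        "cert-file": "/path/to/etcd/server-client.crt",
        "key-file": "/path/to/etcd/server-client.key",
        "client-cert-auth": True,
        "trusted-ca-file": "/path/to/etcd/server-ca.crt",
    },
    "peer-transport-security": {
        "cert-file": "/path/to/etcd/peer-server-client.crt",
        "key-file": "/path/to/etcd/peer-server-client.key",
        "client-cert-auth": True,
        "trusted-ca-file": "/path/to/etcd/peer-ca.crt",
    },
}

if __name__ == "__main__":
    for check, ok in sorted(audit_etcd_config(SAMPLE_CONFIG).items()):
        print(check, "PASS" if ok else "FAIL")
```

A config that enables auto-tls, omits the peer section, or shares its trusted CA with another component fails the corresponding check while the others still pass, so each result can be reported independently.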