Source: Kube Bench
ID: 2
Version: k3s-cis-1.24

2 Etcd Node Configuration

2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)

If running with sqlite or an external DB, etcd checks are Not Applicable. When running with embedded-etcd, K3s generates cert and key files for etcd. These are located in /var/lib/rancher/k3s/server/tls/etcd/. If this check fails, ensure that the configuration file $etcdconf has not been modified to use custom cert and key files.

2.2 Ensure that the --client-cert-auth argument is set to true (Automated)

If running with sqlite or an external DB, etcd checks are Not Applicable. When running with embedded-etcd, K3s sets the --client-cert-auth parameter to true. If this check fails, ensure that the configuration file $etcdconf has not been modified to disable client certificate authentication.

2.3 Ensure that the --auto-tls argument is not set to true (Automated)

If running with sqlite or an external DB, etcd checks are Not Applicable. When running with embedded-etcd, K3s does not set the --auto-tls parameter. If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --auto-tls parameter or set it to false:

    client-transport-security:
      auto-tls: false

2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated)

If running with sqlite or an external DB, etcd checks are Not Applicable. When running with embedded-etcd, K3s generates peer cert and key files for etcd. These are located in /var/lib/rancher/k3s/server/tls/etcd/. If this check fails, ensure that the configuration file $etcdconf has not been modified to use custom peer cert and key files.

2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated)

If running with sqlite or an external DB, etcd checks are Not Applicable. When running with embedded-etcd, K3s sets the --peer-client-cert-auth parameter to true. If this check fails, ensure that the configuration file $etcdconf has not been modified to disable peer client certificate authentication.

2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated)

If running with sqlite or an external DB, etcd checks are Not Applicable. When running with embedded-etcd, K3s does not set the --peer-auto-tls parameter. If this check fails, edit the etcd pod specification file $etcdconf on the master node and either remove the --peer-auto-tls parameter or set it to false:

    peer-transport-security:
      auto-tls: false

2.7 Ensure that a unique Certificate Authority is used for etcd (Automated)

If running with sqlite or an external DB, etcd checks are Not Applicable. When running with embedded-etcd, K3s generates a unique certificate authority for etcd. This is located at /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt. If this check fails, ensure that the configuration file $etcdconf has not been modified to use a shared certificate authority.
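The remediations for 2.1 through 2.7 all come down to inspecting the same embedded-etcd configuration file, so the following script audits one such file against every check in this section in one pass. It is an added example, not kube-bench's own audit logic or K3s code. It assumes $etcdconf is the two-level YAML that K3s writes for embedded etcd (with client-transport-security and peer-transport-security sections, unquoted values), that the API server CA lives at /var/lib/rancher/k3s/server/tls/server-ca.crt, and it embeds two constructed sample configs: one clean, one tampered.

```shell
#!/bin/sh
# Added example (not kube-bench or K3s code): audit a K3s embedded-etcd config file
# against checks 2.1-2.7. Assumes the simple two-level YAML layout K3s writes to
# $etcdconf, with unquoted scalar values.

# Print the value of KEY under top-level SECTION of a two-level YAML file.
# Usage: yaml_get FILE SECTION KEY
yaml_get() {
  awk -v sec="$2:" -v key="$3:" '
    /^[^ #]/ { insec = ($1 == sec); next }   # a new top-level key: are we now in SECTION?
    insec && $1 == key { print $2; exit }    # first matching key inside SECTION wins
  ' "$1"
}

# Audit one etcd config file. Prints one PASS/FAIL line per check and returns 0
# only when every check passes.
# Usage: audit_etcd_config FILE [KUBE_CA]
# KUBE_CA defaults to the K3s API server CA path (an assumption of this example).
audit_etcd_config() {
  f="$1"; kube_ca="${2:-/var/lib/rancher/k3s/server/tls/server-ca.crt}"; rc=0
  for sec in client-transport-security peer-transport-security; do
    # 2.1 / 2.4: cert-file and key-file must be set in both sections
    for k in cert-file key-file; do
      v=$(yaml_get "$f" "$sec" "$k")
      if [ -n "$v" ]; then echo "PASS $sec.$k=$v"; else echo "FAIL $sec.$k not set"; rc=1; fi
    done
    # 2.2 / 2.5: client-cert-auth must be true (clients/peers present a cert)
    v=$(yaml_get "$f" "$sec" client-cert-auth)
    if [ "$v" = true ]; then echo "PASS $sec.client-cert-auth=true"; else echo "FAIL $sec.client-cert-auth=${v:-unset}"; rc=1; fi
    # 2.3 / 2.6: auto-tls must be absent or false (auto-tls would mint self-signed certs)
    v=$(yaml_get "$f" "$sec" auto-tls)
    if [ "$v" != true ]; then echo "PASS $sec.auto-tls=${v:-unset}"; else echo "FAIL $sec.auto-tls=true"; rc=1; fi
    # 2.7: etcd must trust a CA of its own, not the Kubernetes API server CA
    v=$(yaml_get "$f" "$sec" trusted-ca-file)
    if [ -n "$v" ] && [ "$v" != "$kube_ca" ]; then echo "PASS $sec.trusted-ca-file=$v"; else echo "FAIL $sec.trusted-ca-file=${v:-unset} (shared or missing CA)"; rc=1; fi
  done
  return $rc
}

# Constructed sample configs. File names mirror K3s defaults but are illustrative.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat >"$GOOD_CONF" <<'EOF'
client-transport-security:
  cert-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.crt
  key-file: /var/lib/rancher/k3s/server/tls/etcd/server-client.key
  client-cert-auth: true
  trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt
peer-transport-security:
  cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt
  key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key
  client-cert-auth: true
  trusted-ca-file: /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt
EOF
# Tampered config: auto-tls enabled, client auth off, no client certs,
# and the peer CA replaced by the API server CA.
cat >"$BAD_CONF" <<'EOF'
client-transport-security:
  auto-tls: true
  client-cert-auth: false
peer-transport-security:
  cert-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt
  key-file: /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key
  client-cert-auth: true
  trusted-ca-file: /var/lib/rancher/k3s/server/tls/server-ca.crt
EOF

if audit_etcd_config "$GOOD_CONF"; then echo "good config: all checks pass"; fi
if audit_etcd_config "$BAD_CONF"; then :; else echo "bad config: at least one check failed"; fi
```

On a real node, point audit_etcd_config at the actual $etcdconf path (and at the real API server CA path if it differs); the script only reads the file, so it is safe to run on a live server. Because K3s regenerates this file itself, any FAIL line is a sign that the file was edited by hand, which is exactly what the remediation text above tells you to look for.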