Detections
Analytics
Ensure that the --auto-tls argument is not set to true
MEDIUM
Description
Description:
Do not use self-signed certificates for TLS.
Rationale:
etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. You should enable the client authentication via valid certificates to secure the access to the etcd service.
Clients will not be able to use self-signed certificates for TLS.
Remediation
Edit the etcd pod specification file '/etc/kubernetes/manifests/etcd.yaml' on the master node and either remove the '--auto-tls' parameter or set it to 'false'.
--auto-tls=false
.
Policy Details
Rule Reference ID: AC_K8S_0060
CSP: Kubernetes
Remediation Available: No
Domain: Infrastructure Security
Resource: kubernetes_pod
Resource Category: Compute
Resource Type: Pod