Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate

MEDIUM

Description

Description:

etcd should be configured to make use of TLS encryption for peer connections.

Rationale:

etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit and also amongst peers in the etcd clusters.

etcd cluster peers would need to set up TLS for their communication.

Remediation

Follow the etcd service documentation and configure peer TLS encryption as appropriate for your etcd cluster.

Then, edit the etcd pod specification file '/etc/kubernetes/manifests/etcd.yaml' on the master node and set the below parameters.

--peer-client-file=</path/to/peer-cert-file>
--peer-key-file=</path/to/peer-key-file>
.

Policy Details

Rule Reference ID: AC_K8S_0061

CSP: Kubernetes

Remediation Available: No

Domain: Infrastructure Security

Resource: kubernetes_pod

Resource Category: Compute

Resource Type: Pod

Frameworks

GDPR
HIPAA
NIST-800-171
NIST-800-53
NIST-CSF
PCI-DSSv3.2.1
PCI-DSSv4.0
CIS Kubernetes v1.6.1 Level 1 - Master Node
CIS Kubernetes v1.4.0 Level 1

Detections

Analytics