Profile applicability: Level 1 - Master Node
Configure TLS encryption for the etcd service.
etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit.
Note: By default, TLS encryption is not set.
Impact
Only client connections made over TLS will be served; plaintext client connections to etcd will no longer work.
Audit
Run the following command on the etcd server node:
ps -ef | grep etcd
Verify that the --cert-file and the --key-file arguments are set as appropriate. (The grep process itself also matches this pattern; grep '[e]tcd' excludes it.)
Remediation
Follow the etcd service documentation and configure TLS encryption. Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and set the below parameters:
--cert-file=</path/to/cert-file>
--key-file=</path/to/key-file>
Note that --cert-file takes the etcd server certificate and --key-file its private key; the CA certificate used to verify clients is a separate setting (--trusted-ca-file). Once these are set, the client listener (--listen-client-urls) must use https:// URLs.
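The audit and remediation steps above, as an added shell helper. This is example code written for this page, not part of the CIS benchmark, kubeadm or the etcd project. It parses an etcd command line the way ps -ef prints it, checks a static pod manifest for the same two flags, and runs against constructed sample lines; the certificate paths under /etc/kubernetes/pki/etcd/ are assumed, not taken from the page.

```shell
#!/bin/sh
# Added audit helper (not from the benchmark or etcd project): checks whether an etcd
# command line carries --cert-file and --key-file, and whether a static-pod manifest
# sets them. Sample inputs below are constructed to look like `ps -ef` output and
# /etc/kubernetes/manifests/etcd.yaml; they are not captured from a real node.

# Print the value of flag $2 from command line $1. Accepts both spellings etcd
# understands: --flag=value and --flag value. Returns 1 if the flag is absent.
flag_value() {
    cmdline="$1"; flag="$2"
    set -f                  # no pathname expansion while splitting the line into words
    set -- $cmdline         # (the '?' TTY column of a ps line would otherwise be a glob)
    set +f
    while [ $# -gt 0 ]; do
        case "$1" in
            "$flag"=*) printf '%s\n' "${1#"$flag"=}"; return 0 ;;
            "$flag")   if [ $# -ge 2 ]; then printf '%s\n' "$2"; return 0; fi ;;
        esac
        shift
    done
    return 1
}

# 0 when --cert-file and --key-file are both set to a non-empty value, else 1.
etcd_tls_configured() {
    cert=$(flag_value "$1" --cert-file) || return 1
    key=$(flag_value "$1" --key-file)  || return 1
    [ -n "$cert" ] && [ -n "$key" ]
}

# Same check against a static pod manifest, where kubeadm writes each flag as a
# "- --flag=value" list item under the container's command:.
manifest_tls_configured() {
    grep -Eq '^[[:space:]]*- --cert-file=[^[:space:]]+' "$1" &&
    grep -Eq '^[[:space:]]*- --key-file=[^[:space:]]+' "$1"
}

# Live audit on a master node: '[e]tcd' keeps the grep process itself out of the match.
audit_running_etcd() {
    ps -ef | grep '[e]tcd' | while read -r line; do
        if etcd_tls_configured "$line"; then
            echo "PASS: --cert-file=$(flag_value "$line" --cert-file) --key-file=$(flag_value "$line" --key-file)"
        else
            echo "FAIL: etcd running without --cert-file/--key-file"
        fi
    done
}

# Constructed sample process lines (assumed paths; not real output).
PASS_LINE='root 1234 1 0 10:00 ? 00:01:02 etcd --name=master --data-dir=/var/lib/etcd --cert-file=/etc/kubernetes/pki/etcd/server.crt --key-file=/etc/kubernetes/pki/etcd/server.key --listen-client-urls=https://127.0.0.1:2379'
FAIL_LINE='root 1234 1 0 10:00 ? 00:01:02 etcd --name=master --data-dir=/var/lib/etcd --listen-client-urls=http://127.0.0.1:2379'

for l in "$PASS_LINE" "$FAIL_LINE"; do
    if etcd_tls_configured "$l"; then echo "PASS: TLS flags present"; else echo "FAIL: TLS flags missing"; fi
done
```

On a real master node, call audit_running_etcd for the process check and manifest_tls_configured /etc/kubernetes/manifests/etcd.yaml for the manifest check; both succeed only when a non-empty value is set for each flag, which is the condition the audit step asks for.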