Etcd uses self-signed certificates
ID | etcd_auto_tls_not_enabled
Severity | low
Vendor | Kubernetes
Resource | etcd
Tags | reachable
Description
Etcd is a highly available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster.
With --auto-tls=true, etcd generates and uses self-signed certificates for TLS. The detector reports this as a flaw.
Examples
apiVersion: v1
kind: Pod
metadata:
  name: bad
spec:
  containers:
  - command:
    - etcd
    - --auto-tls=true   # (1)
    name: bad-container
    image: k8s.gcr.io/etcd-amd64:3.2.18
    imagePullPolicy: IfNotPresent
    resources: {}
    volumeMounts:
    - mountPath: /var/lib/etcd
      name: etcd-data
    - mountPath: /etc/kubernetes/pki/etcd
      name: etcd-certs
  hostNetwork: true
  priorityClassName: system-cluster-critical
  volumes:
  - hostPath:
      path: /var/lib/etcd
      type: DirectoryOrCreate
    name: etcd-data
  - hostPath:
      path: /etc/kubernetes/pki/etcd
      type: DirectoryOrCreate
    name: etcd-certs
status: {}

(1) A true value for the --auto-tls command argument means self-signed certificates are used for TLS.
Mitigation / Fix
apiVersion: v1
kind: Pod
metadata:
  name: good
spec:
  containers:
  - command:
    - etcd
    - --auto-tls=false   # (1)
    name: good-container
    image: k8s.gcr.io/etcd-amd64:3.2.18
    imagePullPolicy: IfNotPresent
    resources: {}
    volumeMounts:
    - mountPath: /var/lib/etcd
      name: etcd-data
    - mountPath: /etc/kubernetes/pki/etcd
      name: etcd-certs
  hostNetwork: true
  priorityClassName: system-cluster-critical
  volumes:
  - hostPath:
      path: /var/lib/etcd
      type: DirectoryOrCreate
    name: etcd-data
  - hostPath:
      path: /etc/kubernetes/pki/etcd
      type: DirectoryOrCreate
    name: etcd-certs
status: {}

(1) Do not use --auto-tls with a true value to avoid using self-signed certificates for TLS.
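The check this detector describes, applied to a parsed Pod manifest, as an added example (not the page's or the detector's own code; the function names and the JSON manifest are constructed for illustration). It goes beyond the page's `--auto-tls=true` case by recognising the other spellings etcd's Go flag parser accepts (single dash, bare boolean flag, `1`/`t`/`TRUE`) and the `ETCD_AUTO_TLS` environment variable, which etcd honours unless a command-line flag shadows it.

```python
import json

# Value spellings Go's strconv.ParseBool treats as true (what etcd's flag parser uses).
TRUE_VALUES = {"1", "t", "T", "TRUE", "true", "True"}

def auto_tls_from_argv(argv):
    """Return True/False for the last --auto-tls occurrence in argv, or None if absent.

    Go's flag package accepts one or two leading dashes, and a bare boolean
    flag (no "=value") means true.
    """
    result = None
    for tok in argv:
        if not tok.startswith("-"):
            continue
        name, has_value, value = tok.lstrip("-").partition("=")
        if name == "auto-tls":
            result = value in TRUE_VALUES if has_value else True
    return result

def auto_tls_enabled(container):
    """Decide whether an etcd container runs with automatic self-signed TLS."""
    argv = container.get("command", []) + container.get("args", [])
    from_flag = auto_tls_from_argv(argv)
    if from_flag is not None:
        return from_flag  # a command-line flag shadows the ETCD_AUTO_TLS env var
    env = {e.get("name"): e.get("value", "") for e in container.get("env", [])}
    return env.get("ETCD_AUTO_TLS", "") in TRUE_VALUES

def find_auto_tls_containers(pod):
    """Names of containers in a parsed Pod manifest that enable --auto-tls."""
    return [c["name"] for c in pod.get("spec", {}).get("containers", [])
            if auto_tls_enabled(c)]

def scan_manifest(text):
    """Parse a JSON Pod manifest and report offending container names."""
    return find_auto_tls_containers(json.loads(text))

# Constructed manifest mirroring the page's "bad" Pod, plus variants of the flag.
POD_JSON = """{
  "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bad"},
  "spec": {"containers": [
    {"name": "bad-container",  "command": ["etcd", "--auto-tls=true"]},
    {"name": "good-container", "command": ["etcd", "--auto-tls=false"]},
    {"name": "bare-flag",      "command": ["etcd"], "args": ["-auto-tls"]},
    {"name": "via-env",        "command": ["etcd"],
     "env": [{"name": "ETCD_AUTO_TLS", "value": "1"}]},
    {"name": "shadowed-env",   "command": ["etcd", "--auto-tls=false"],
     "env": [{"name": "ETCD_AUTO_TLS", "value": "true"}]}
  ]}}"""

if __name__ == "__main__":
    print(scan_manifest(POD_JSON))  # prints ['bad-container', 'bare-flag', 'via-env']
```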