No client authentication on etcd service
ID | etcd_client_cert_auth
Severity | low
Vendor | Kubernetes
Resource | etcd
Tags | reachable
Description
etcd is a highly available key-value store that Kubernetes deployments use for persistent storage of all of their REST API objects. These objects are sensitive and should be accessible only by authenticated etcd peers in the etcd cluster.

This check requires strong authentication of etcd clients using TLS certificates, and reports a finding when --client-cert-auth is not set to true, the setting that enables client authentication via valid certificates.
Examples
apiVersion: v1
kind: Pod
metadata:
  name: bad
spec:
  containers:
  - command:
    - etcd
    - --client-cert-auth=false  # (1)
    name: bad-container
    image: k8s.gcr.io/etcd-amd64:3.2.18
    imagePullPolicy: IfNotPresent
    resources: {}
    volumeMounts:
    - mountPath: /var/lib/etcd
      name: etcd-data
    - mountPath: /etc/kubernetes/pki/etcd
      name: etcd-certs
  hostNetwork: true
  priorityClassName: system-cluster-critical
  volumes:
  - hostPath:
      path: /var/lib/etcd
      type: DirectoryOrCreate
    name: etcd-data
  - hostPath:
      path: /etc/kubernetes/pki/etcd
      type: DirectoryOrCreate
    name: etcd-certs
status: {}

(1) Command argument --client-cert-auth not set to true means etcd is not configured for client authentication via valid certificates.
Mitigation / Fix
apiVersion: v1
kind: Pod
metadata:
  name: good
spec:
  containers:
  - command:
    - etcd
    - --client-cert-auth=true  # (1)
    name: good-container
    image: k8s.gcr.io/etcd-amd64:3.2.18
    imagePullPolicy: IfNotPresent
    resources: {}
    volumeMounts:
    - mountPath: /var/lib/etcd
      name: etcd-data
    - mountPath: /etc/kubernetes/pki/etcd
      name: etcd-certs
  hostNetwork: true
  priorityClassName: system-cluster-critical
  volumes:
  - hostPath:
      path: /var/lib/etcd
      type: DirectoryOrCreate
    name: etcd-data
  - hostPath:
      path: /etc/kubernetes/pki/etcd
      type: DirectoryOrCreate
    name: etcd-certs
status: {}

(1) Command argument --client-cert-auth set to true means etcd is configured for client authentication via valid certificates.
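To show how this check can be applied mechanically to a manifest, here is an added example that is not code from the original page, the etcd project, or Kubernetes. It walks a Pod manifest, finds the containers whose entrypoint is the etcd binary, and reports those where --client-cert-auth does not evaluate to true. It goes beyond the two manifests above by also handling a bare --client-cert-auth (a Go boolean flag with no value means true), the flag placed in args rather than command, a repeated flag (last one wins), and the ETCD_CLIENT_CERT_AUTH environment variable, which etcd honours when the flag is absent from the command line. The Pod dicts in the block are constructed to mirror the bad and good examples; a real checker would load the YAML with yaml.safe_load or read the Pod from the API server.

```python
"""Detect etcd containers that do not enforce client certificate authentication.

Added example, not code from the original check page or from the etcd or
Kubernetes projects. An etcd container passes only when --client-cert-auth
evaluates to true. The manifests below are constructed dicts equivalent to
the page's "bad" and "good" YAML (volumes omitted).
"""

FLAG = "--client-cert-auth"
ENV_VAR = "ETCD_CLIENT_CERT_AUTH"  # etcd also reads each flag from an ETCD_* variable


def _parse_bool(value):
    """Accept the spellings Go's strconv.ParseBool treats as true."""
    return value.strip().lower() in ("1", "t", "true")


def _argv(container):
    """Kubernetes runs command followed by args as a single argv."""
    return list(container.get("command") or []) + list(container.get("args") or [])


def is_etcd_container(container):
    """Only containers whose entrypoint is the etcd binary are in scope."""
    argv = _argv(container)
    return bool(argv) and argv[0].rsplit("/", 1)[-1] == "etcd"


def client_cert_auth_enabled(container):
    """Evaluate --client-cert-auth the way etcd's flag parsing does.

    --client-cert-auth=true and a bare --client-cert-auth both enable it;
    absent or =false leaves it off; the last occurrence wins. If the flag is
    not on the command line at all, fall back to ETCD_CLIENT_CERT_AUTH. A value
    supplied via valueFrom cannot be resolved statically and is treated as not
    enabled, so the container is reported rather than silently passed.
    """
    enabled = False  # etcd default: clients need not present a certificate
    flag_seen = False
    for arg in _argv(container):
        if arg == FLAG:
            enabled, flag_seen = True, True
        elif arg.startswith(FLAG + "="):
            enabled, flag_seen = _parse_bool(arg.split("=", 1)[1]), True
    if not flag_seen:
        for env in container.get("env") or []:
            if env.get("name") == ENV_VAR:
                enabled = _parse_bool(env.get("value", ""))
    return enabled


def find_unauthenticated_etcd(pod):
    """Return the names of etcd containers in a Pod manifest that fail the check."""
    findings = []
    for container in pod.get("spec", {}).get("containers") or []:
        if is_etcd_container(container) and not client_cert_auth_enabled(container):
            findings.append(container.get("name", "<unnamed>"))
    return findings


def _etcd_pod(name, flag_value):
    """Constructed manifest shaped like the page's examples (volumes omitted)."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": name},
        "spec": {
            "hostNetwork": True,
            "containers": [{
                "name": name + "-container",
                "image": "k8s.gcr.io/etcd-amd64:3.2.18",
                "command": ["etcd", FLAG + "=" + flag_value],
            }],
        },
    }


BAD_POD = _etcd_pod("bad", "false")    # mirrors the "bad" example above
GOOD_POD = _etcd_pod("good", "true")   # mirrors the "good" example above

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        failing = find_unauthenticated_etcd(pod)
        status = "FAIL " + ", ".join(failing) if failing else "PASS"
        print(f"{pod['metadata']['name']}: {status}")
```

Running the file prints one PASS/FAIL line per constructed Pod. The environment-variable fallback is deliberately conservative: a flag on the command line always wins, and anything the checker cannot resolve statically counts as a finding, which is the right default for a rule whose purpose is to catch unauthenticated access to the API object store.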