No client certificate for peer authentication in etcd

ID

etcd_peer_client_cert_auth_enabled

Severity

high

Vendor

Kubernetes

Resource

etcd

Tags

reachable

Description

Etcd is a highly available key-value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be accessible only by authenticated etcd peers in the etcd cluster.

This check enforces client-certificate authentication between etcd peers. A flaw is reported when --peer-client-cert-auth is not set to true, so the etcd service does not require peers to present a client certificate when they connect.

Examples

apiVersion: v1
kind: Pod
metadata:
  name: etcd
spec:
  containers:
      - name: "etcd1"
        image: "b.gcr.io/kuar/etcd:2.2.0"
        args:
          - "--peer-client-cert-auth=false" (1)
  hostNetwork: true
(1) Command argument --peer-client-cert-auth not set to true means etcd does not require a client certificate from its peers.

Mitigation / Fix

apiVersion: v1
kind: Pod
metadata:
  name: etcd
spec:
  containers:
      - name: "etcd1"
        image: "b.gcr.io/kuar/etcd:2.2.0"
        args:
          - "--peer-client-cert-auth=true" (1)
  hostNetwork: true
(1) Command argument --peer-client-cert-auth set to true means etcd requires a client certificate from its peers.
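As an added illustration (not code from this page or from the scanner it documents), the following stand-alone check reproduces the rule from the Description over a Pod manifest in the JSON form that `kubectl get pod -o json` returns. It goes beyond the page's single case: an absent flag is treated as the etcd default (off), the bare boolean form counts as true, the ETCD_PEER_CLIENT_CERT_AUTH environment variable is honoured with command-line flags taking precedence, and a container that defers settings to --config-file is marked for manual review; the etcd-container heuristic and the sample JSON are constructed for this example.

```python
import json

FLAG = "--peer-client-cert-auth"
ENV = "ETCD_PEER_CLIENT_CERT_AUTH"

def parse_bool(raw):
    """Mirror the values Go's strconv.ParseBool accepts; None for anything etcd would reject."""
    v = raw.strip().lower()
    return True if v in {"1", "t", "true"} else False if v in {"0", "f", "false"} else None

def effective_peer_client_cert_auth(container):
    """Effective --peer-client-cert-auth for one container: True/False, or None when it
    cannot be decided statically (unparsable value, or a --config-file we cannot see)."""
    result = False                                    # etcd default: peer cert auth is off
    for env in container.get("env", []):              # env var applies when the flag is absent
        if env.get("name") == ENV and "value" in env:
            result = parse_bool(env["value"])
    for arg in container.get("command", []) + container.get("args", []):
        if arg == FLAG:                               # bare boolean flag means true (Go flag rules)
            result = True
        elif arg.startswith(FLAG + "="):              # command line wins over the env var
            result = parse_bool(arg.split("=", 1)[1])
        elif arg == "--config-file" or arg.startswith("--config-file="):
            return None                               # settings may live in a file we do not see
    return result

def check_pod(pod):
    """Return {container name: 'pass' | 'fail' | 'manual'} for every etcd container."""
    verdicts = {}
    for c in pod.get("spec", {}).get("containers", []):
        cmd = c.get("command") or []
        # Constructed heuristic for spotting etcd containers: image name or binary name.
        if "etcd" not in c.get("image", "") and not (cmd and cmd[0].endswith("etcd")):
            continue
        v = effective_peer_client_cert_auth(c)
        verdicts[c["name"]] = "pass" if v is True else "fail" if v is False else "manual"
    return verdicts

# Constructed sample: the page's flawed manifest as `kubectl get pod -o json` would emit it.
FLAWED_POD = json.loads("""{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "etcd"},
 "spec": {"hostNetwork": true, "containers": [{"name": "etcd1",
 "image": "b.gcr.io/kuar/etcd:2.2.0", "args": ["--peer-client-cert-auth=false"]}]}}""")

if __name__ == "__main__":
    print(check_pod(FLAWED_POD))   # {'etcd1': 'fail'}
```

A 'manual' verdict is deliberate: a manifest that points etcd at --config-file cannot be judged from the Pod spec alone, and silently passing it would hide exactly the misconfiguration this check exists to catch.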