Certificate or private key not set for peer authentication on etcd
ID | etcd_peer_files
Severity | high
Vendor | Kubernetes
Resource | etcd
Tags | reachable
Description
Etcd is a highly-available key-value store that Kubernetes uses as persistent storage for all of its REST API objects. These objects are sensitive and should be accessible only to authenticated etcd peers within the etcd cluster.
Setting proper values for the --peer-cert-file and --peer-key-file arguments is therefore mandatory: without them, peer (member-to-member) connections are not protected by TLS and are exposed to man-in-the-middle attacks.
Learn more about this topic at PKI certificates and requirements.
Examples
apiVersion: v1
kind: Pod
metadata:
  name: bad # (1)
spec:
  containers:
  - command:
    - etcd
    name: bad-container
    image: k8s.gcr.io/etcd-amd64:3.2.18
    imagePullPolicy: IfNotPresent
    resources: {}
    volumeMounts:
    - mountPath: /var/lib/etcd
      name: etcd-data
    - mountPath: /etc/kubernetes/pki/etcd
      name: etcd-certs
  hostNetwork: true
  priorityClassName: system-cluster-critical
  volumes:
  - hostPath:
      path: /var/lib/etcd
      type: DirectoryOrCreate
    name: etcd-data
  - hostPath:
      path: /etc/kubernetes/pki/etcd
      type: DirectoryOrCreate
    name: etcd-certs
status: {}
(1) The --peer-cert-file and --peer-key-file command arguments are missing, so TLS encryption is not enabled for peer connections.
Mitigation / Fix
apiVersion: v1
kind: Pod
metadata:
  name: good
spec:
  containers:
  - command:
    - etcd
    - --peer-cert-file=file.pem # (1)
    - --peer-key-file=file.key # (1)
    name: good-container
    image: k8s.gcr.io/etcd-amd64:3.2.18
    imagePullPolicy: IfNotPresent
    resources: {}
    volumeMounts:
    - mountPath: /var/lib/etcd
      name: etcd-data
    - mountPath: /etc/kubernetes/pki/etcd
      name: etcd-certs
  hostNetwork: true
  priorityClassName: system-cluster-critical
  volumes:
  - hostPath:
      path: /var/lib/etcd
      type: DirectoryOrCreate
    name: etcd-data
  - hostPath:
      path: /etc/kubernetes/pki/etcd
      type: DirectoryOrCreate
    name: etcd-certs
status: {}
(1) The --peer-cert-file and --peer-key-file command arguments are provided, so TLS encryption is enabled for peer connections.
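The following is an added example of how this rule can be checked programmatically; it is not part of the original page or of any scanner's own code. It inspects each container that launches `etcd` and reports the peer TLS flags that are absent, looking in `command` and `args` (both `--flag=value` and `--flag value` forms) and, as an extension beyond the page, in the equivalent `ETCD_PEER_CERT_FILE` / `ETCD_PEER_KEY_FILE` environment variables that etcd also honours. The two manifests are constructed to mirror the examples above, with the volume sections omitted.

```python
"""Flag etcd containers in a Pod manifest that lack peer TLS material."""

# Flags etcd must carry for TLS on the peer (member-to-member) listener.
# Note: these enable encryption only; requiring and verifying peer client
# certificates is a separate setting (--peer-client-cert-auth) not checked here.
REQUIRED_PEER_FLAGS = ("--peer-cert-file", "--peer-key-file")


def flag_present(flag: str, argv: list[str]) -> bool:
    """True if `flag` appears as `--flag=value` or `--flag value` with a non-empty value."""
    for i, arg in enumerate(argv):
        if arg == flag and i + 1 < len(argv) and argv[i + 1].strip():
            return True
        if arg.startswith(flag + "=") and len(arg) > len(flag) + 1:
            return True
    return False


def check_etcd_peer_files(pod: dict) -> list[str]:
    """Return one finding per etcd container per missing peer TLS flag.

    Only containers whose first command/args token is `etcd` (any path) are
    inspected. A flag counts as set if it is in command+args or if the
    matching ETCD_* environment variable carries a value.
    """
    findings = []
    for c in pod.get("spec", {}).get("containers", []):
        argv = list(c.get("command", [])) + list(c.get("args", []))
        if not argv or argv[0].rsplit("/", 1)[-1] != "etcd":
            continue
        env = {e.get("name"): e.get("value", "") for e in c.get("env", [])}
        for flag in REQUIRED_PEER_FLAGS:
            env_name = "ETCD_" + flag.lstrip("-").replace("-", "_").upper()
            if flag_present(flag, argv) or env.get(env_name):
                continue
            findings.append(f"{pod['metadata']['name']}/{c['name']}: missing {flag}")
    return findings


# Constructed manifests mirroring the page's examples (volumes omitted).
BAD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "bad"},
           "spec": {"containers": [{"name": "bad-container",
                                    "image": "k8s.gcr.io/etcd-amd64:3.2.18",
                                    "command": ["etcd"]}]}}
GOOD_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "good"},
            "spec": {"containers": [{"name": "good-container",
                                     "image": "k8s.gcr.io/etcd-amd64:3.2.18",
                                     "command": ["etcd", "--peer-cert-file=file.pem",
                                                 "--peer-key-file=file.key"]}]}}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        print(pod["metadata"]["name"], check_etcd_peer_files(pod) or "ok")
```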