Ensure the --etcd-certfile and --etcd-keyfile arguments are set appropriately

Error: The --etcd-certfile and --etcd-keyfile arguments are not set appropriately

Bridgecrew Policy ID: BC_K8S_74
Checkov Check ID: CKV_K8S_99
Severity: HIGH

The --etcd-certfile and --etcd-keyfile arguments are not set appropriately

Description

etcd should be configured to make use of TLS encryption for client connections.
etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be protected by client authentication. This requires the API server to identify itself to the etcd server using a client certificate and key.

Fix - Buildtime

Kubernetes

  • Kind: Pod
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --etcd-certfile=/path/to/cert
    - --etcd-keyfile=/path/to/key
    image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 15
      timeoutSeconds: 15
    name: kube-apiserver-should-pass
    resources:
      requests:
        cpu: 250m
    volumeMounts:
    - mountPath: /etc/kubernetes/
      name: k8s
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: certs
    - mountPath: /etc/pki
      name: pki
  hostNetwork: true
  volumes:
  - hostPath:
      path: /etc/kubernetes
    name: k8s
  - hostPath:
      path: /etc/ssl/certs
    name: certs
  - hostPath:
      path: /etc/pki
    name: pki