C-0155 - Ensure that the --auto-tls argument is not set to true
Framework
cis-v1.23-t1.0.1
Severity
Medium
Description of the the issue
etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should not be available to unauthenticated clients. You should enable the client authentication via valid certificates to secure the access to the etcd service.
Related resources
Pod
What does this control test
Do not use self-signed certificates for TLS.
How to check it manually
Run the following command on the etcd server node:
ps -ef | grep etcd
Verify that if the --auto-tls
argument exists, it is not set to true
.
Remediation
Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml
on the master node and either remove the --auto-tls
parameter or set it to false
.
--auto-tls=false
Impact Statement
Clients will not be able to use self-signed certificates for TLS.
Default Value
By default, --auto-tls
is set to false
.
Example
No example
Updated 4 months ago