CIS-2.1 - Ensure that the --cert-file and --key-file arguments are set as appropriate

Ensure that the --cert-file and --key-file arguments are set as appropriate

Framework

CIS

Severity

High

Description of the the issue

etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be encrypted in transit.

Related resources

Pod

What does this control test

Configure TLS encryption for the etcd service.

How to check it manually

Run the following command on the etcd server node

ps -ef | grep etcd

Verify that the --cert-file and the --key-file arguments are set as appropriate.

Remediation

Follow the etcd service documentation and configure TLS encryption.

Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and set the below parameters.

--cert-file=</path/to/ca-file>
--key-file=</path/to/key-file>

Impact Statement

Client connections only over TLS would be served.

Default Value

By default, TLS encryption is not set.

Example

No example