Ensure that the `--etcd-cafile` argument is set as appropriate
| Property | Value |
|---|---|
| Language | |
| Severity | |
Description
The Kubernetes API server is not configured with the `--etcd-cafile` argument, so it may connect to etcd without verifying that the etcd server's TLS certificate was issued by a trusted certificate authority. This weakens the security of communication between the API server and etcd.
Impact
Without certificate authority verification, attackers could perform man-in-the-middle attacks, intercepting or tampering with sensitive data between the API server and etcd. This can lead to unauthorized access, data breaches, or compromise of the Kubernetes control plane.
Resolution
Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then edit the API server pod specification file `/etc/kubernetes/manifests/kube-apiserver.yaml` on the master node and set the etcd certificate authority file parameter, `--etcd-cafile`, to the path of the CA certificate that signed the etcd server certificate.
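As an added example (not part of the original rule text), the following POSIX shell function audits a kube-apiserver static pod manifest for the `--etcd-cafile` flag described above. It expects the `--flag=value` form used in static pod manifests; the two sample manifests and the CA path `/etc/kubernetes/pki/etcd/ca.crt` are constructed for the demonstration, so substitute your cluster's actual path.

```shell
# Added example, not from the original page: audit a kube-apiserver static pod
# manifest for --etcd-cafile. Sample manifests below are constructed.

# check_etcd_cafile MANIFEST
# Returns 0 when the kube-apiserver command line carries --etcd-cafile=<path>
# with a non-empty value, 1 otherwise. Prints the finding.
check_etcd_cafile() {
    manifest="$1"
    if [ ! -r "$manifest" ]; then
        echo "FAIL: cannot read $manifest"
        return 1
    fi
    # Static pod manifests list flags as YAML list items: "    - --etcd-cafile=/path"
    cafile=$(sed -n 's/^[[:space:]]*-[[:space:]]*--etcd-cafile=\(.*\)$/\1/p' "$manifest" | head -n 1)
    if [ -z "$cafile" ]; then
        echo "FAIL: --etcd-cafile is not set in $manifest"
        return 1
    fi
    echo "PASS: --etcd-cafile=$cafile"
    return 0
}

# Constructed sample manifests: one missing the flag (the finding), one with it set.
write_samples() {
    dir="$1"
    cat > "$dir/weak.yaml" <<'EOF'
apiVersion: v1
kind: Pod
spec:
  containers:
  - command:
    - kube-apiserver
    - --etcd-servers=https://127.0.0.1:2379
EOF
    cat > "$dir/fixed.yaml" <<'EOF'
apiVersion: v1
kind: Pod
spec:
  containers:
  - command:
    - kube-apiserver
    - --etcd-servers=https://127.0.0.1:2379
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
EOF
}

# Usage on a control plane node (path as named in the Resolution):
# check_etcd_cafile /etc/kubernetes/manifests/kube-apiserver.yaml
```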