Property
Language: terraform
Severity: low

Description

The etcd service is not started with the --cert-file and --key-file arguments, so TLS is not enforced for client connections. etcd client traffic therefore travels unencrypted and can be intercepted on the network.

Impact

Without TLS, sensitive data stored in etcd can be transmitted in plain text over the network, allowing attackers to eavesdrop, tamper with data, or impersonate legitimate clients. This can lead to unauthorized data access, privilege escalation, or compromise of the entire Kubernetes cluster.

Resolution

Follow the etcd service documentation and configure TLS encryption. Then edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and set the parameters below.
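The check this policy describes can be reproduced outside the scanner. The script below is an added example, not code from the policy page or from the scanner it belongs to: it takes an etcd pod spec (the same structure as /etc/kubernetes/manifests/etcd.yaml, loaded into a dict) and reports whether --cert-file and --key-file are set with non-empty values. It accepts both the `--flag=value` and the `--flag value` forms and the ETCD_CERT_FILE / ETCD_KEY_FILE environment variables that etcd also honours, because a check that only greps for `--cert-file=` reports false negatives on the other forms. The two pod specs and the /etc/kubernetes/pki/etcd/ certificate paths are constructed sample input, not taken from any real cluster.

```python
"""Check whether an etcd container spec enforces client TLS (--cert-file / --key-file).

Added example: the pod specs at the bottom are constructed sample input.
"""
from typing import Dict, List, Optional

REQUIRED_FLAGS = ("--cert-file", "--key-file")
# etcd also reads these settings from environment variables.
ENV_EQUIVALENTS = {"--cert-file": "ETCD_CERT_FILE", "--key-file": "ETCD_KEY_FILE"}


def parse_flags(argv: List[str]) -> Dict[str, Optional[str]]:
    """Return {flag: value} for '--flag=value' and '--flag value'; bare flags map to None."""
    flags: Dict[str, Optional[str]] = {}
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--"):
            if "=" in arg:
                name, value = arg.split("=", 1)
                flags[name] = value
            elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                flags[arg] = argv[i + 1]   # space-separated value
                i += 1
            else:
                flags[arg] = None
        i += 1
    return flags


def missing_tls_settings(container: dict) -> List[str]:
    """Return the required TLS flags that are absent or empty in a container spec."""
    argv = list(container.get("command", [])) + list(container.get("args", []))
    flags = parse_flags(argv)
    env = {e["name"]: e.get("value", "") for e in container.get("env", [])}
    missing = []
    for flag in REQUIRED_FLAGS:
        value = flags.get(flag) or env.get(ENV_EQUIVALENTS[flag])
        if not value:           # missing, bare, or set to an empty string
            missing.append(flag)
    return missing


def is_etcd_container(container: dict) -> bool:
    """Identify the etcd container by name or by the binary it runs."""
    argv = list(container.get("command", [])) + list(container.get("args", []))
    return container.get("name") == "etcd" or (
        bool(argv) and argv[0].rsplit("/", 1)[-1] == "etcd"
    )


def check_etcd_pod(pod: dict) -> Dict[str, List[str]]:
    """Map each etcd container name to its missing TLS settings (empty list = passes)."""
    return {
        c["name"]: missing_tls_settings(c)
        for c in pod["spec"]["containers"]
        if is_etcd_container(c)
    }


# Constructed sample: the weak configuration the policy flags (plain http, no TLS flags).
INSECURE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "etcd"},
    "spec": {"containers": [{
        "name": "etcd", "image": "etcd:3.5",
        "command": ["etcd",
                    "--listen-client-urls=http://127.0.0.1:2379",
                    "--advertise-client-urls=http://127.0.0.1:2379",
                    "--data-dir=/var/lib/etcd"],
    }]},
}

# Constructed sample: the corrected configuration (https plus the two TLS flags;
# certificate paths are assumed kubeadm-style locations).
SECURE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "etcd"},
    "spec": {"containers": [{
        "name": "etcd", "image": "etcd:3.5",
        "command": ["etcd",
                    "--listen-client-urls=https://127.0.0.1:2379",
                    "--advertise-client-urls=https://127.0.0.1:2379",
                    "--cert-file=/etc/kubernetes/pki/etcd/server.crt",
                    "--key-file=/etc/kubernetes/pki/etcd/server.key",
                    "--data-dir=/var/lib/etcd"],
    }]},
}

if __name__ == "__main__":
    for label, pod in (("insecure", INSECURE_POD), ("secure", SECURE_POD)):
        print(label, check_etcd_pod(pod))
```

Run on a live manifest by loading /etc/kubernetes/manifests/etcd.yaml with a YAML parser and passing the resulting dict to `check_etcd_pod`; an empty list for the etcd container means both flags are present with values. Note that this only establishes that the flags are set, not that the certificate files exist or are valid, which the etcd documentation referenced above covers.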