Property
Language: terraform
Severity: low

Description

The Kubernetes API server is not configured with the --etcd-certfile and --etcd-keyfile arguments, meaning it communicates with etcd without TLS encryption. This leaves the connection between the API server and etcd unprotected and susceptible to interception.

Impact

Without TLS, sensitive data transmitted between the API server and etcd can be intercepted or tampered with by an attacker on the network, potentially leading to unauthorized access to cluster secrets, data leakage, or modification of critical cluster state.

Resolution

Follow the Kubernetes documentation and set up the TLS connection between the API server and etcd. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the etcd certificate and key file parameters (--etcd-certfile and --etcd-keyfile).
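
One way to verify the manifest after this change, as an added example (not part of the original rule or of Kubernetes itself): a POSIX shell check that fails unless --etcd-certfile and --etcd-keyfile are set to non-empty values. The function names, the extra --etcd-servers scheme check, and the sample manifests with placeholder paths are assumptions constructed for illustration.

```shell
# Added example: audit a kube-apiserver manifest for the etcd client TLS flags.

# Print the value of a "- --<flag>=<value>" list item (empty if unset).
# Commented-out lines are skipped: the pattern must begin at the list dash.
flag_value() {
    sed -n "s/^[[:space:]]*-[[:space:]]*[\"']\{0,1\}--$2=\([^\"']*\)[\"']\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Return 0 only if both client cert flags are set and no etcd endpoint is http.
check_etcd_tls() {
    missing=""
    for flag in etcd-certfile etcd-keyfile; do
        [ -n "$(flag_value "$1" "$flag")" ] || missing="$missing --$flag"
    done
    if [ -n "$missing" ]; then
        echo "FAIL: $1 does not set:$missing"
        return 1
    fi
    case "$(flag_value "$1" etcd-servers)" in
        *http://*) echo "FAIL: $1 lists a plaintext etcd endpoint"; return 1 ;;
    esac
    echo "PASS: $1 sets the etcd client certificate and key"
}

# Constructed sample manifests, trimmed to the command list; paths are placeholders.
write_samples() {
    cat > "$1/insecure.yaml" <<'EOF'
  - command:
    - kube-apiserver
    - --etcd-servers=http://127.0.0.1:2379
    # - --etcd-certfile=/path/to/client.crt
    - --etcd-keyfile=
EOF
    cat > "$1/secure.yaml" <<'EOF'
  - command:
    - kube-apiserver
    - --etcd-servers=https://127.0.0.1:2379
    - --etcd-certfile=/path/to/client.crt
    - --etcd-keyfile=/path/to/client.key
EOF
}

samples=$(mktemp -d)
write_samples "$samples"
check_etcd_tls "$samples/insecure.yaml" || true
check_etcd_tls "$samples/secure.yaml"
```

On a control plane node, call check_etcd_tls with /etc/kubernetes/manifests/kube-apiserver.yaml as its argument; a non-zero exit status means the finding is still open.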