Property
Language: terraform
Severity: low

Description

The etcd service is not configured with the `--client-cert-auth=true` argument, meaning it does not require clients to present a valid certificate to authenticate. This leaves the etcd API accessible to unauthenticated clients.

Impact

Without client certificate authentication, unauthorized users or processes could connect to etcd, potentially reading or modifying sensitive cluster data, leading to compromise of the Kubernetes control plane and broader cluster security.

Resolution

Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and set the parameter below.
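An added audit helper, not part of this check's original content, that inspects the `command` list of an etcd static pod manifest for the condition described above; it also flags a missing `--trusted-ca-file`, without which etcd has no CA to verify client certificates against. The sample command list and its file paths are constructed for illustration.

```python
from typing import Dict, List, Optional, Sequence

# Constructed sample: the `command` list of an etcd static pod as it might
# appear in /etc/kubernetes/manifests/etcd.yaml (addresses/paths illustrative).
SAMPLE_ETCD_COMMAND = [
    "etcd",
    "--advertise-client-urls=https://10.0.0.5:2379",
    "--cert-file=/etc/kubernetes/pki/etcd/server.crt",
    "--key-file=/etc/kubernetes/pki/etcd/server.key",
    "--trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt",
    "--data-dir=/var/lib/etcd",
]

def flag_value(args: Sequence[str], flag: str, boolean: bool = False) -> Optional[str]:
    """Return the value given for `flag`, or None if absent; the last occurrence wins.
    etcd parses flags with Go's flag package: a boolean flag is either bare
    (meaning true) or written `--flag=value`; a non-boolean flag may also take
    its value as the following argument."""
    value = None
    i = 0
    while i < len(args):
        arg = args[i]
        if arg.startswith(flag + "="):
            value = arg[len(flag) + 1:]
        elif arg == flag:
            if boolean:
                value = "true"
            elif i + 1 < len(args):
                value = args[i + 1]
                i += 1
        i += 1
    return value

def client_cert_auth_findings(args: Sequence[str], env: Optional[Dict[str, str]] = None) -> List[str]:
    """Audit an etcd command line (plus optional ETCD_* environment) for this check.
    Command-line flags take precedence over environment variables, as in etcd."""
    env = env or {}
    findings: List[str] = []
    auth = flag_value(args, "--client-cert-auth", boolean=True)
    if auth is None:
        auth = env.get("ETCD_CLIENT_CERT_AUTH")
    if auth is None:
        findings.append("--client-cert-auth is not set; etcd defaults it to false")
    elif auth.lower() != "true":
        findings.append(f"--client-cert-auth is set to {auth!r}, not true")
    ca = flag_value(args, "--trusted-ca-file") or env.get("ETCD_TRUSTED_CA_FILE")
    if ca is None:
        findings.append("--trusted-ca-file is not set; client certificates could not be verified")
    return findings

if __name__ == "__main__":
    for finding in client_cert_auth_findings(SAMPLE_ETCD_COMMAND):
        print("FAIL:", finding)
```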