Ensure that the --peer-client-cert-auth argument is set to true
Description
The etcd service is not configured to require peer authentication with client certificates (--peer-client-cert-auth is not set to true), so a peer can connect to the peer port without presenting a certificate that proves its identity. This weakens the security of communications between etcd members in a Kubernetes cluster.
Impact
Without peer client certificate authentication, malicious or unauthorized nodes could join the etcd cluster, potentially leading to data compromise, cluster disruption, or unauthorized access to sensitive cluster information.
Resolution
Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and set the parameter --peer-client-cert-auth=true.
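The following script is an added example, not part of the original page or of the Kubernetes or etcd projects. It audits an etcd static-pod manifest for --peer-client-cert-auth=true and writes a corrected copy, either rewriting a weak value or inserting the flag when it is absent. The manifest it operates on is a constructed, minimal stand-in for /etc/kubernetes/manifests/etcd.yaml (the addresses, paths and image name are placeholders), so it runs offline; the function names peer_client_cert_auth_ok and fix_peer_client_cert_auth are the example's own.

```shell
#!/bin/sh
# Added example: audit and remediate --peer-client-cert-auth in an etcd
# static-pod manifest. Nothing here touches a real cluster file.

# Constructed sample manifest (not a real cluster file) standing in for
# /etc/kubernetes/manifests/etcd.yaml. It carries the weak setting.
WEAK_MANIFEST="$(mktemp)"
cat > "$WEAK_MANIFEST" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: etcd
  namespace: kube-system
spec:
  containers:
  - command:
    - etcd
    - --advertise-client-urls=https://192.0.2.10:2379
    - --client-cert-auth=true
    - --peer-client-cert-auth=false
    - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
    - --peer-key-file=/etc/kubernetes/pki/etcd/peer.key
    - --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    image: etcd-image-placeholder
    name: etcd
EOF

# Returns 0 (pass) only when the manifest contains a command-list entry
# that sets --peer-client-cert-auth=true explicitly; anything else fails.
peer_client_cert_auth_ok() {
  grep -Eq -- '^[[:space:]]*-[[:space:]]+--peer-client-cert-auth=true[[:space:]]*$' "$1"
}

# Writes a corrected copy of manifest $1 to $2.
# - If the flag is present with any value, the value is rewritten to true.
# - If the flag is absent, it is inserted right after the "- etcd" command
#   entry, reusing that line's indentation so the YAML list stays valid.
fix_peer_client_cert_auth() {
  if grep -Eq -- '--peer-client-cert-auth=' "$1"; then
    sed -E 's/(--peer-client-cert-auth=)[^[:space:]]*/\1true/' "$1" > "$2"
  else
    awk '{ print }
         /^[ \t]*-[ \t]+etcd[ \t]*$/ {
           match($0, /^[ \t]*/)
           indent = substr($0, 1, RLENGTH)
           print indent "- --peer-client-cert-auth=true"
         }' "$1" > "$2"
  fi
}

# Demonstration: audit the constructed manifest, then show the remediation
# as a diff against a corrected copy (the original file is left untouched).
if peer_client_cert_auth_ok "$WEAK_MANIFEST"; then
  echo "PASS: --peer-client-cert-auth=true is set"
else
  echo "FAIL: --peer-client-cert-auth is not set to true; corrected copy follows"
  FIXED_MANIFEST="$(mktemp)"
  fix_peer_client_cert_auth "$WEAK_MANIFEST" "$FIXED_MANIFEST"
  diff "$WEAK_MANIFEST" "$FIXED_MANIFEST" || true
fi
```

On a real control-plane node you would point peer_client_cert_auth_ok at /etc/kubernetes/manifests/etcd.yaml and, because etcd runs as a static pod, the kubelet restarts it on its own once the manifest changes; confirming the flag on the running process (for example with ps -ef and looking for the etcd command line) closes the loop, since the manifest and the live process can drift apart.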