Securing etcd
Run this command on the master node to see the configuration parameters (flags) the etcd process was started with:
ps -ef | grep etcd
Following section 2 of the CIS Kubernetes Benchmark, the table below lists (1) each flag, (2) its default value and (3) its desired value.
Flag | Default | Desired value |
--cert-file | Not set | Appropriate |
--key-file | Not set | Appropriate |
--client-cert-auth | FALSE | TRUE |
--auto-tls | FALSE | FALSE |
--peer-cert-file | Not set | Appropriate |
--peer-key-file | Not set | Appropriate |
--peer-client-cert-auth | FALSE | TRUE |
--peer-auto-tls | FALSE | FALSE |
* --trusted-ca-file: use a dedicated CA for etcd; this file should be different from the --client-ca-file passed to the API server.
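As an added example (not part of the original post), the script below checks an etcd command line against the flags in the table. SAMPLE_CMDLINE is a constructed stand-in for the `ps -ef | grep etcd` output, with `--auto-tls=true` deliberately set so one check fails; on a real master, paste that output in its place.

```shell
#!/bin/sh
# Audit an etcd command line against the CIS section 2 flags listed above.
# SAMPLE_CMDLINE is CONSTRUCTED sample input (paths are illustrative), not real ps output.
SAMPLE_CMDLINE="/usr/local/bin/etcd --cert-file=/etc/kubernetes/pki/etcd/server.crt \
--key-file=/etc/kubernetes/pki/etcd/server.key --client-cert-auth=true \
--peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt --peer-key-file=/etc/kubernetes/pki/etcd/peer.key \
--peer-client-cert-auth --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt --auto-tls=true"

# flag_value CMDLINE FLAG: prints the value of "--flag=value" or "--flag value"; empty when absent
flag_value() {
  printf '%s\n' "$1" | tr ' ' '\n' | awk -v f="$2" '
    $0 == f               { getline; print; exit }
    index($0, f "=") == 1 { print substr($0, length(f) + 2); exit }'
}

# bool_flag CMDLINE FLAG: prints true, false or unset; a bare "--flag" means true in etcd
bool_flag() {
  v=$(flag_value "$1" "$2")
  case "$v" in
    '')  if printf '%s\n' "$1" | tr ' ' '\n' | grep -qx -- "$2"; then echo true; else echo unset; fi ;;
    --*) echo true ;;   # bare flag immediately followed by the next flag (or last on the line)
    *)   echo "$v" ;;
  esac
}

# audit_etcd CMDLINE: prints one PASS/FAIL line per check
audit_etcd() {
  for f in --cert-file --key-file --peer-cert-file --peer-key-file --trusted-ca-file; do
    v=$(flag_value "$1" "$f")
    [ -n "$v" ] && echo "PASS $f=$v" || echo "FAIL $f not set"
  done
  for f in --client-cert-auth --peer-client-cert-auth; do   # must be true
    [ "$(bool_flag "$1" "$f")" = true ] && echo "PASS $f=true" || echo "FAIL $f must be true"
  done
  for f in --auto-tls --peer-auto-tls; do                   # must be false (default is false)
    b=$(bool_flag "$1" "$f")
    [ "$b" = true ] && echo "FAIL $f must be false" || echo "PASS $f=$b"
  done
}

# failure_count CMDLINE: number of failed checks (0 means all table values are satisfied)
failure_count() { audit_etcd "$1" | grep -c '^FAIL' || true; }

audit_etcd "$SAMPLE_CMDLINE"
```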
Additional tips not in the CIS Benchmark
* Restrict node access: use Linux firewall rules so that only the nodes that need to reach etcd (the API server and etcd peers) are allowed to connect.
* Encrypt data at rest: pass --encryption-provider-config to the API server so that secrets are encrypted before they are written to etcd.