For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/k8s/etcd_client_certificate_file_not_defined.md. A documentation index is available at /llms.txt.

etcd client certificate file not defined

This product is not supported for your selected Datadog site. ().

Metadata

Id: 3f5ff8a7-5ad6-4d02-86f5-666307da1b20

Cloud Provider: Kubernetes

Platform: Kubernetes

Severity: Medium

Category: Secret Management

Learn More

Description

When the kube-apiserver process is present in a Pod’s containers or initContainers, the --etcd-cafile flag should be set. The rule detects kube-apiserver in container command arrays and reports resources where the --etcd-cafile flag is not defined. Setting --etcd-cafile ensures the API server verifies etcd’s CA certificate.

Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
      command: ["kube-apiserver"]
      args: ["--etcd-cafile=/path/to/ca/file.pem"]
  restartPolicy: OnFailure

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
      command: ["kube-apiserver","--etcd-cafile=/path/to/ca/file.pem"]
      args: []
  restartPolicy: OnFailure

Non-Compliant Code Examples

apiVersion: v1
kind: Pod
metadata:
  name: command-demo
  labels:
    purpose: demonstrate-command
spec:
  containers:
    - name: command-demo-container
      image: gcr.io/google_containers/kube-apiserver-amd64:v1.6.0
      command: ["kube-apiserver"]
      args: []
  restartPolicy: OnFailure