etcd peer client certificate authentication set to false
Id: b7d0181d-0a9b-4611-9d1c-1ad4f0b620ff
Cloud Provider: Kubernetes
Platform: Kubernetes
Severity: Medium
Category: Secret Management
Description
When using etcd, the --peer-client-cert-auth flag should be set to true. If the flag is set to false or not defined, peer client certificate authentication is disabled: a member accepts peer (member-to-member) connections from any client that can reach the peer port, without requiring it to present a valid client certificate, which reduces cluster security.
Compliant Code Examples
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-etcd-deployment
spec:
  selector:
    matchLabels:
      app: app
  replicas: 1
  template:
    metadata:
      labels:
        app: app
        version: v1
    spec:
      serviceAccountName: database
      containers:
      - name: database
        image: gcr.io/google_containers/etcd:v3.2.18
        imagePullPolicy: IfNotPresent
        command: ["etcd"]
        args: ["--peer-client-cert-auth=true"]
      nodeSelector:
        kubernetes.io/hostname: worker02
      restartPolicy: OnFailure
Non-Compliant Code Examples
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-etcd-deployment
spec:
  selector:
    matchLabels:
      app: app
  replicas: 1
  template:
    metadata:
      labels:
        app: app
        version: v1
    spec:
      serviceAccountName: database
      containers:
      - name: database
        image: gcr.io/google_containers/etcd:v3.2.18
        imagePullPolicy: IfNotPresent
        command: ["etcd"]
        args: []
      nodeSelector:
        kubernetes.io/hostname: worker02
      restartPolicy: OnFailure

apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-etcd-deployment
spec:
  selector:
    matchLabels:
      app: app
  replicas: 1
  template:
    metadata:
      labels:
        app: app
        version: v1
    spec:
      serviceAccountName: database
      containers:
      - name: database
        image: gcr.io/google_containers/etcd:v3.2.18
        imagePullPolicy: IfNotPresent
        command: ["etcd"]
        args: ["--peer-client-cert-auth=false"]
      nodeSelector:
        kubernetes.io/hostname: worker02
      restartPolicy: OnFailure
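The check this rule describes, as an added example that is not part of the Datadog rule or of etcd: a Python checker that walks a Deployment's containers, treats command and args as one argv (so the flag is found in either field), and reports etcd containers where the flag is absent or not true. The etcd_deployment helper and the assumption that a container runs etcd when its first argv token is the etcd binary are mine.

```python
import os

FLAG = "--peer-client-cert-auth"

def flag_value(argv):
    """Return the value given for FLAG in argv (last one wins), or None if absent.
    Go boolean flags take the form '--flag' (meaning true) or '--flag=value',
    never a separate value token, so only those two forms are recognised."""
    value = None
    for tok in map(str, argv):
        if tok == FLAG:
            value = "true"
        elif tok.startswith(FLAG + "="):
            value = tok[len(FLAG) + 1:].strip().lower()
    return value

def check_deployment(deployment):
    """Return [(container name, reason)] for each etcd container in the Deployment
    that does not enable peer client certificate auth; [] means compliant."""
    findings = []
    pod = deployment.get("spec", {}).get("template", {}).get("spec", {})
    for c in pod.get("containers", []):
        # command and args are concatenated into one argv at run time, so the
        # flag is honoured whichever of the two fields carries it.
        argv = list(c.get("command", [])) + list(c.get("args", []))
        # Assumption: a container runs etcd when its first argv token is the etcd
        # binary, e.g. "etcd" or "/usr/local/bin/etcd".
        if not argv or os.path.basename(str(argv[0])) != "etcd":
            continue
        value = flag_value(argv)
        if value is None:
            findings.append((c.get("name"), f"{FLAG} not set; etcd defaults it to false"))
        elif value != "true":
            findings.append((c.get("name"), f"{FLAG}={value}"))
    return findings

def etcd_deployment(command, args):
    """Constructed sample: the page's Deployment reduced to the fields the check
    reads, with the etcd container's command and args supplied by the caller."""
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": "app-etcd-deployment"},
            "spec": {"template": {"spec": {"containers": [
                {"name": "database", "image": "gcr.io/google_containers/etcd:v3.2.18",
                 "command": command, "args": args}]}}}}

if __name__ == "__main__":
    for label, args in [("compliant", ["--peer-client-cert-auth=true"]),
                        ("missing flag", []), ("explicit false", ["--peer-client-cert-auth=false"])]:
        print(label, check_deployment(etcd_deployment(["etcd"], args)) or "OK")
```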