For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/kubernetes-etcd-peer-tls-certificate-files-not-properly-set.md. A documentation index is available at /llms.txt.

etcd peer TLS certificate files not properly set

This product is not supported for your selected Datadog site. ().

Metadata

Id: kubernetes-etcd-peer-tls-certificate-files-not-properly-set

Platform: Kubernetes

Severity: High

Category: Networking and Firewall

Learn More

Description

When a container command includes etcd, the --peer-cert-file and --peer-key-file flags should be set. The rule inspects both initContainers and containers and reports a MissingAttribute when any required flag is not present in the container’s command. The result identifies the resource and the command position where the missing flag was detected.

Compliant Code Examples

apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-etcd-deployment
spec:
  selector:
    matchLabels:
      app: app
  replicas: 1
  template:
    metadata:
      labels:
        app: app
        version: v1
    spec:
      serviceAccountName: database
      containers:
      - name: database
        image: gcr.io/google_containers/etcd:v3.2.18
        imagePullPolicy: IfNotPresent
        command: ["etcd"]
        args: ["--peer-cert-file=/etc/env/file.crt", "--peer-key-file=/etc/env/file2.key"]
      nodeSelector:
        kubernetes.io/hostname: worker02  
    restartPolicy: OnFailure

apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-etcd-deployment
spec:
  selector:
    matchLabels:
      app: app
  replicas: 1
  template:
    metadata:
      labels:
        app: app
        version: v1
    spec:
      serviceAccountName: database
      containers:
      - name: database
        image: gcr.io/google_containers/etcd:v3.2.18
        imagePullPolicy: IfNotPresent
        command: ["etcd", "--peer-cert-file=/etc/env/file.crt", "--peer-key-file=/etc/env/file2.key"]
        args: []
      nodeSelector:
        kubernetes.io/hostname: worker02  
    restartPolicy: OnFailure

Non-Compliant Code Examples

apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-etcd-deployment
spec:
  selector:
    matchLabels:
      app: app
  replicas: 1
  template:
    metadata:
      labels:
        app: app
        version: v1
    spec:
      serviceAccountName: database
      containers:
      - name: database
        image: gcr.io/google_containers/etcd:v3.2.18
        imagePullPolicy: IfNotPresent
        command: ["etcd"]
        args: ["--peer-cert-file=/etc/env/file.crt"]
      nodeSelector:
        kubernetes.io/hostname: worker02  
    restartPolicy: OnFailure

apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-etcd-deployment
spec:
  selector:
    matchLabels:
      app: app
  replicas: 1
  template:
    metadata:
      labels:
        app: app
        version: v1
    spec:
      serviceAccountName: database
      containers:
      - name: database
        image: gcr.io/google_containers/etcd:v3.2.18
        imagePullPolicy: IfNotPresent
        command: ["etcd"]
        args: ["--peer-key-file=/etc/env/file2.key"]
      nodeSelector:
        kubernetes.io/hostname: worker02  
    restartPolicy: OnFailure