mirror of https://github.com/prowler-cloud/prowler.git, synced 2025-12-19 05:17:47 +00:00
chore(kubernetes): enhance metadata for etcd service (#9096)
Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>
committed by GitHub
parent 4f8e8ed935
commit 0f43789666
@@ -33,6 +33,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Update AWS EKS service metadata to new format [(#8890)](https://github.com/prowler-cloud/prowler/pull/8890)
- Update AWS Elastic Beanstalk service metadata to new format [(#8934)](https://github.com/prowler-cloud/prowler/pull/8934)
- Update AWS ElastiCache service metadata to new format [(#8933)](https://github.com/prowler-cloud/prowler/pull/8933)
- Update Kubernetes etcd service metadata to new format [(#9096)](https://github.com/prowler-cloud/prowler/pull/9096)
- Update MongoDB Atlas projects service metadata to new format [(#9093)](https://github.com/prowler-cloud/prowler/pull/9093)
- Update GitHub Organization service metadata to new format [(#9094)](https://github.com/prowler-cloud/prowler/pull/9094)
- Update AWS CodeBuild service metadata to new format [(#8851)](https://github.com/prowler-cloud/prowler/pull/8851)
@@ -55,7 +56,6 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Raise ASFF output error for non-AWS providers [(#9225)](https://github.com/prowler-cloud/prowler/pull/9225)
- Update AWS ECR service metadata to new format [(#8872)](https://github.com/prowler-cloud/prowler/pull/8872)


---

## [v5.13.2] (Prowler UNRELEASED)
@@ -1,31 +1,36 @@
{
"Provider": "kubernetes",
"CheckID": "etcd_client_cert_auth",
"CheckTitle": "Ensure that the --client-cert-auth argument is set to true for etcd",
"CheckTitle": "Etcd pod has client certificate authentication enabled (--client-cert-auth=true)",
"CheckType": [],
"ServiceName": "etcd",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "EtcdService",
"Description": "This check ensures that client authentication is enabled for the etcd service, which is a key-value store used by Kubernetes for persistent storage of all REST API objects. Enabling client authentication helps in securing access to etcd.",
"Risk": "If --client-cert-auth is not set to true, etcd service may be accessible by unauthenticated clients, posing a significant security risk.",
"RelatedUrl": "https://etcd.io/docs/latest/op-guide/security/",
"ResourceType": "Pod",
"Description": "**Etcd** is configured to require **TLS client certificate authentication** when the etcd container includes `--client-cert-auth`, so client access is validated with trusted certificates.",
"Risk": "Without **mTLS client auth**, any reachable client can query or mutate etcd:\n- Confidentiality: exposure of Secrets and cluster metadata\n- Integrity: tampering with RBAC, pods, and configs\n- Availability: destructive writes can disrupt the control plane",
"RelatedUrl": "",
"AdditionalURLs": [
"https://etcd.io/docs/latest/op-guide/security/",
"https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/"
],
"Remediation": {
"Code": {
"CLI": "--client-cert-auth=true",
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-client-cert-auth-argument-is-set-to-true",
"Other": "",
"Terraform": ""
"CLI": "",
"NativeIaC": "",
"Other": "1. SSH to the control plane node that runs etcd\n2. Edit the static pod manifest: /etc/kubernetes/manifests/etcd.yaml\n3. Under spec.containers[0].command (or args), add:\n ```\n - --client-cert-auth=true # Critical: enables client certificate authentication\n ```\n4. Save the file; kubelet will restart the etcd pod automatically\n5. Repeat on each control-plane node hosting an etcd pod",
"Terraform": "```hcl\n# Enable client certificate authentication on etcd\nresource \"kubernetes_pod\" \"<example_resource_name>\" {\n metadata {\n name = \"<example_resource_name>\"\n namespace = \"kube-system\"\n }\n spec {\n container {\n name = \"etcd\"\n image = \"gcr.io/etcd-development/etcd:v3.5.13\"\n command = [\n \"etcd\",\n \"--client-cert-auth=true\" # Critical: enables client cert auth to pass the check\n ]\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Enable client certificate authentication for the etcd service for improved security.",
"Url": "https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#limiting-access-of-etcd-clusters"
"Text": "Enforce **mutual TLS** for etcd clients by requiring validated certificates (`--client-cert-auth=true`) issued by a trusted CA.\n\nRestrict network access to etcd to API servers, rotate keys regularly, and apply **least privilege** and **separation of duties** for certificate management.",
"Url": "https://hub.prowler.com/check/etcd_client_cert_auth"
}
},
"Categories": [
"encryption",
"trustboundaries"
"cluster-security",
"identity-access",
"encryption"
],
"DependsOn": [],
"RelatedTo": [],
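Review bot: The new Description says the check passes when the etcd container "includes `--client-cert-auth`", but the CheckTitle requires `--client-cert-auth=true`; this is a boolean flag, so a bare `--client-cert-auth` enables it while `--client-cert-auth=false` is equally "included". State the accepted value in the Description so that text and title describe the same rule. The Terraform remediation sets only `"--client-cert-auth=true"`; client certificates can only be validated against a trust anchor, so the sample should also carry `--trusted-ca-file` (the `--cert-file`/`--key-file` pair is covered by etcd_tls_encryption), otherwise an operator copying it gets a manifest that enables the flag but has nothing to validate clients against. `RelatedTo` stays `[]` although etcd_unique_ca and etcd_tls_encryption are direct prerequisites of this setting.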
@@ -1,31 +1,36 @@
{
"Provider": "kubernetes",
"CheckID": "etcd_no_auto_tls",
"CheckTitle": "Ensure that the --auto-tls argument is not set to true for etcd",
"CheckTitle": "Etcd pod has --auto-tls disabled",
"CheckType": [],
"ServiceName": "etcd",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "EtcdService",
"Description": "This check ensures that etcd does not use self-signed certificates for TLS, which are less secure than certificates from a trusted authority. Avoiding self-signed certificates enhances the security of etcd.",
"Risk": "Using --auto-tls=true may result in the use of self-signed certificates, reducing the overall security of the etcd service.",
"RelatedUrl": "https://etcd.io/docs/latest/op-guide/security/",
"ResourceType": "Pod",
"Description": "**Etcd** configuration is reviewed for the `--auto-tls` option, which enables automatically generated self-signed certificates for client TLS.\n\nPresence of this flag indicates self-signed TLS is used; absence indicates client TLS relies on externally managed certificates.",
"Risk": "Using **self-signed auto TLS** weakens identity assurance, enabling spoofed endpoints and **man-in-the-middle** on etcd client traffic. Attackers could read or alter Kubernetes state in etcd, impacting **confidentiality** and **integrity**, and facilitating control-plane takeover or data exfiltration.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/",
"https://etcd.io/docs/latest/op-guide/security/",
"https://etcd.io/docs/v3.2/op-guide/security/"
],
"Remediation": {
"Code": {
"CLI": "--auto-tls=false",
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-auto-tls-argument-is-not-set-to-true",
"Other": "",
"CLI": "",
"NativeIaC": "",
"Other": "1. SSH to the control plane node running etcd\n2. Edit the static Pod manifest: sudo vi /etc/kubernetes/manifests/etcd.yaml\n3. In containers -> command or args, remove any occurrence of --auto-tls or --auto-tls=true (do not set it to false)\n4. Save and exit; kubelet will recreate the etcd pod automatically\n5. Verify the flag is absent: kubectl -n kube-system get pod -l component=etcd -o yaml | grep -q \"auto-tls\" || echo \"PASS: --auto-tls not set\"",
"Terraform": ""
},
"Recommendation": {
"Text": "Ensure etcd is not using self-signed certificates for TLS.",
"Url": "https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/"
"Text": "Disable `--auto-tls` and use **CA-signed certificates** with **mutual TLS** for etcd clients. Apply managed PKI to enforce trusted CAs, rotate and revoke keys, and prefer modern TLS versions and strong cipher suites. Monitor certificate expiry and limit access per **least privilege** for **defense in depth**.",
"Url": "https://hub.prowler.com/check/etcd_no_auto_tls"
}
},
"Categories": [
"encryption",
"internet-exposed"
"cluster-security"
],
"DependsOn": [],
"RelatedTo": [],
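Review bot: Description and remediation disagree on what fails this check: the Description says "presence of this flag indicates self-signed TLS is used", while step 3 of the remediation tells the operator to remove the flag rather than set it to false, which implies that `--auto-tls=false` also fails. Write the actual rule into the Description (flag present with any value, or only when true) so the text matches the code and the old `--auto-tls=false` CLI guidance is not reintroduced by a reader. The verification one-liner in step 5 prints PASS only when grep finds nothing and stays silent on failure; `grep -q "auto-tls" && echo "FAIL: --auto-tls present" || echo "PASS: --auto-tls not set"` makes both outcomes visible. In AdditionalURLs the pinned `v3.2` copy of the security guide duplicates the `latest` link and will go stale.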
@@ -1,31 +1,36 @@
{
"Provider": "kubernetes",
"CheckID": "etcd_no_peer_auto_tls",
"CheckTitle": "Ensure that the --peer-auto-tls argument is not set to true for etcd",
"CheckTitle": "Etcd pod does not use automatically generated self-signed certificates for peer TLS connections",
"CheckType": [],
"ServiceName": "etcd",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "EtcdService",
"Description": "This check ensures that etcd is not configured to use automatically generated self-signed certificates for TLS connections between peers. Using self-signed certificates for peer authentication is discouraged in a production environment.",
"Risk": "Using self-signed certificates can lead to insecure communications between etcd peers, compromising data security.",
"RelatedUrl": "https://etcd.io/docs/latest/op-guide/security/",
"ResourceType": "Pod",
"Description": "**Etcd peer TLS** configuration is evaluated by checking etcd containers for the `--peer-auto-tls` flag. Presence of `--peer-auto-tls` indicates peers use automatically generated self-signed certificates for inter-peer connections.",
"Risk": "With `--peer-auto-tls`, traffic is encrypted but peer identity isn't verified, enabling:\n- MITM on peer links\n- Rogue member joins to read/modify data\n- Quorum disruption\n\nThis degrades **confidentiality**, **integrity**, and **availability** of control-plane state replicated in etcd.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://etcd.io/docs/latest/op-guide/security/",
"https://etcd.io/docs/v3.4/op-guide/security/",
"https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/"
],
"Remediation": {
"Code": {
"CLI": "--peer-auto-tls=false",
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-peer-auto-tls-argument-is-not-set-to-true",
"Other": "",
"CLI": "",
"NativeIaC": "",
"Other": "1. SSH to the control-plane node running etcd\n2. Open /etc/kubernetes/manifests/etcd.yaml\n3. In the etcd container args/command, remove any entry that starts with --peer-auto-tls\n4. Save the file; the kubelet will restart etcd automatically",
"Terraform": ""
},
"Recommendation": {
"Text": "Ensure etcd is not using automatically generated self-signed certificates for peer TLS connections.",
"Url": "https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/"
"Text": "Disable `--peer-auto-tls` and use **mTLS** with a trusted CA issuing unique per-member peer certificates. Enforce SAN validation and, *where supported*, peer certificate authentication. Apply **least privilege**, separate CAs for peers/clients, rotate keys, and monitor certificate expiry and peer membership.",
"Url": "https://hub.prowler.com/check/etcd_no_peer_auto_tls"
}
},
"Categories": [
"encryption",
"internet-exposed"
"cluster-security"
],
"DependsOn": [],
"RelatedTo": [],
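Review bot: The `Other` remediation ends at "the kubelet will restart etcd automatically" with no verification step, unlike the sibling etcd_no_auto_tls metadata in this commit (its step 5); add the equivalent `kubectl -n kube-system get pod -l component=etcd -o yaml | grep peer-auto-tls` confirmation so the operator can see the flag is gone. The Recommendation hedges with "*where supported*, peer certificate authentication", yet `--peer-client-cert-auth` is a standard etcd flag with its own check (etcd_peer_client_cert_auth) updated in this very commit; say so plainly and list that check in `RelatedTo`, which is left as `[]`. The `v3.4` link in AdditionalURLs duplicates the `latest` security guide.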
@@ -1,31 +1,36 @@
{
"Provider": "kubernetes",
"CheckID": "etcd_peer_client_cert_auth",
"CheckTitle": "Ensure that the --peer-client-cert-auth argument is set to true for etcd",
"CheckTitle": "Etcd pod has peer client certificate authentication enabled",
"CheckType": [],
"ServiceName": "etcd",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "EtcdService",
"Description": "This check ensures that etcd is configured for peer authentication by verifying that the --peer-client-cert-auth argument is set to true. This configuration is crucial to ensure that etcd peers in the cluster are authenticated and secure.",
"Risk": "Failing to configure peer client authentication can lead to unauthorized access to the etcd cluster, compromising sensitive data.",
"RelatedUrl": "https://etcd.io/docs/latest/op-guide/security/",
"ResourceType": "Pod",
"Description": "**Etcd** requires **peer client certificate authentication** for inter-member traffic via `--peer-client-cert-auth=true` set in the etcd container command",
"Risk": "Without peer authentication, a rogue host can impersonate a member, eavesdrop on or alter Raft traffic, inject state, and disrupt elections-compromising **confidentiality** (state leakage), **integrity** (malicious writes), and **availability** (cluster instability/outage).",
"RelatedUrl": "",
"AdditionalURLs": [
"https://etcd.io/docs/latest/op-guide/security/",
"https://etcd.io/docs/v3.6/op-guide/configuration/",
"https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#limiting-access-of-etcd-clusters"
],
"Remediation": {
"Code": {
"CLI": "--peer-client-cert-auth=true",
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-peer-client-cert-auth-argument-is-set-to-true",
"Other": "",
"Terraform": ""
"CLI": "",
"NativeIaC": "",
"Other": "1. SSH to the control-plane node\n2. Edit the etcd static Pod manifest: /etc/kubernetes/manifests/etcd.yaml\n3. In spec.containers[0].command, add this entry:\n - --peer-client-cert-auth=true\n (Critical: enables peer client certificate authentication)\n4. Save the file; the kubelet will automatically restart the etcd Pod\n5. Verify the Pod's container command includes --peer-client-cert-auth=true",
"Terraform": "```hcl\nresource \"kubernetes_pod\" \"<example_resource_name>\" {\n metadata {\n name = \"<example_resource_name>\"\n namespace = \"kube-system\"\n }\n spec {\n container {\n name = \"etcd\"\n image = \"registry.k8s.io/etcd:3.5.12-0\"\n command = [\n \"etcd\",\n \"--peer-client-cert-auth=true\" # Critical: enables peer client certificate authentication for peer traffic\n ]\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Ensure etcd is configured for peer client certificate authentication.",
"Url": "https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#limiting-access-of-etcd-clusters"
"Text": "Enforce **mTLS** for etcd peers with client certificate auth. Use a dedicated CA, validate SANs, and apply **least privilege** to issued certs. Rotate and revoke certificates regularly, restrict network access to peer ports, and avoid auto-generated self-signed peer TLS to maintain strong identity assurance.",
"Url": "https://hub.prowler.com/check/etcd_peer_client_cert_auth"
}
},
"Categories": [
"encryption",
"internet-exposed"
"cluster-security",
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
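Review bot: Two typos in the new text: the Description has no terminating period ("...set in the etcd container command"), and the Risk runs "disrupt elections-compromising" together where "elections, compromising" is meant. As with the client-side sample, the Terraform snippet enables `--peer-client-cert-auth=true` without `--peer-trusted-ca-file`, `--peer-cert-file` or `--peer-key-file`, so it shows a flag that has nothing to validate peers against; either add those arguments with placeholders or note that they are covered by etcd_peer_tls_config. The new CheckTitle also drops the flag name that etcd_client_cert_auth keeps in its title ("(--client-cert-auth=true)"); a consistent pattern across the etcd titles helps when searching the catalogue.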
@@ -1,31 +1,35 @@
{
"Provider": "kubernetes",
"CheckID": "etcd_peer_tls_config",
"CheckTitle": "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate for etcd",
"CheckTitle": "Etcd pod uses TLS for peer connections",
"CheckType": [],
"ServiceName": "etcd",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "EtcdService",
"Description": "This check ensures that etcd is configured to use TLS encryption for peer connections, which is crucial for securing sensitive data stored in etcd. It verifies the presence of peer certificate and key file arguments in etcd configuration.",
"Risk": "Not configuring TLS for peer connections in etcd can lead to potential data breaches and unauthorized access.",
"RelatedUrl": "https://etcd.io/docs/latest/op-guide/security/",
"ResourceType": "Pod",
"Description": "**Etcd peer communication** is treated as secure when **TLS** is configured with a peer certificate and key (e.g., `--peer-cert-file` and `--peer-key-file`). The assessment inspects etcd containers for these options to determine whether server-to-server traffic is encrypted and authenticated.",
"Risk": "Without **TLS** on peer links, attackers can intercept or alter Raft traffic, enabling node impersonation and **consensus manipulation**. This endangers **confidentiality** (exposed cluster state), **integrity** (tampered writes), and **availability** (quorum disruption), cascading into control-plane instability.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://etcd.io/docs/latest/op-guide/security/",
"https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#securing-communication"
],
"Remediation": {
"Code": {
"CLI": "--peer-client-file=</path/to/peer-cert-file> --peer-key-file=</path/to/peer-key-file>",
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-peer-cert-file-and-peer-key-file-arguments-are-set-as-appropriate",
"Other": "",
"Terraform": ""
"CLI": "",
"NativeIaC": "",
"Other": "1. SSH to the control plane node running etcd\n2. Open /etc/kubernetes/manifests/etcd.yaml\n3. Under spec.containers[0].command add:\n - --peer-cert-file=</path/to/peer-cert-file>\n - --peer-key-file=</path/to/peer-key-file>\n4. Save the file; kubelet will restart the etcd Pod automatically\n5. Verify the etcd container command includes both flags",
"Terraform": "```hcl\nresource \"kubernetes_pod\" \"<example_resource_name>\" {\n metadata {\n name = \"<example_resource_name>\"\n }\n spec {\n container {\n name = \"etcd\"\n image = \"quay.io/coreos/etcd:latest\"\n command = [\n \"etcd\",\n \"--peer-cert-file=</path/to/peer-cert-file>\", # Critical: enables TLS for peer connections\n \"--peer-key-file=</path/to/peer-key-file>\" # Critical: key for the peer TLS cert\n ]\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Secure etcd peer connections with TLS encryption.",
"Url": "https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#securing-communication"
"Text": "Enforce **TLS** for etcd peer communication with unique certificates per member and mutual authentication. Apply strong cipher suites and modern protocol versions, rotate keys, and separate CAs for peers and clients. Limit network access to peer ports to trusted nodes, following **least privilege** and **defense in depth**.",
"Url": "https://hub.prowler.com/check/etcd_peer_tls_config"
}
},
"Categories": [
"encryption",
"internet-exposed"
"cluster-security"
],
"DependsOn": [],
"RelatedTo": [],
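Review bot: The Terraform sample uses the mutable tag `quay.io/coreos/etcd:latest`, which undercuts the reproducibility a remediation example should model; the other two samples in this commit use `gcr.io/etcd-development/etcd:v3.5.13` and `registry.k8s.io/etcd:3.5.12-0`, so settle on one registry and one pinned version for all three. This snippet also omits the `namespace = "kube-system"` the sibling samples set, and it points at `</path/to/peer-cert-file>` and `</path/to/peer-key-file>` without any `volume`/`volume_mount`, so the files it names would not exist inside the container. The old CLI field carried the typo `--peer-client-file`; the new Description correctly names `--peer-cert-file`, so that defect does not survive the rewrite.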
@@ -1,30 +1,35 @@
{
"Provider": "kubernetes",
"CheckID": "etcd_tls_encryption",
"CheckTitle": "Ensure that the --cert-file and --key-file arguments are set as appropriate for etcd",
"CheckTitle": "Etcd pod has TLS encryption configured",
"CheckType": [],
"ServiceName": "etcd",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "Etcd",
"Description": "This check verifies that the etcd service in a Kubernetes cluster is configured with appropriate TLS encryption settings. etcd, being a key value store for all Kubernetes REST API objects, should have its communication encrypted to protect these sensitive objects in transit.",
"Risk": "Without proper TLS configuration, data stored in etcd can be susceptible to interception and unauthorized access, posing a significant security risk to the entire Kubernetes cluster.",
"RelatedUrl": "https://etcd.io/docs/latest/op-guide/security/",
"ResourceType": "Pod",
"Description": "**Etcd pods** are assessed for **TLS-enabled client communication**, indicated by `--cert-file` and `--key-file` in container arguments, showing that Kubernetes API state traffic is encrypted in transit.",
"Risk": "Without **TLS**, etcd traffic is exposed on the network, weakening CIA:\n- Confidentiality: leakage of **secrets** and cluster state\n- Integrity: **MITM** can alter configs, roles, and objects\n- Availability: control-plane instability from tampered responses",
"RelatedUrl": "",
"AdditionalURLs": [
"https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/",
"https://etcd.io/docs/latest/op-guide/security/"
],
"Remediation": {
"Code": {
"CLI": "--cert-file=/path/to/cert-file --key-file=/path/to/key-file",
"NativeIaC": "https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-cert-file-and-key-file-arguments-are-set-as-appropriate",
"Other": "",
"CLI": "",
"NativeIaC": "",
"Other": "1. SSH to the control-plane node\n2. Open /etc/kubernetes/manifests/etcd.yaml\n3. In spec.containers[0].command add:\n - --cert-file=/etc/kubernetes/pki/etcd/server.crt\n - --key-file=/etc/kubernetes/pki/etcd/server.key\n4. Save the file; kubelet will automatically restart the etcd Pod\n5. Confirm the etcd container command now includes both --cert-file and --key-file",
"Terraform": ""
},
"Recommendation": {
"Text": "Ensure that the etcd service is configured with TLS encryption for secure communication. The --cert-file and --key-file arguments should point to a valid TLS certificate and key.",
"Url": "https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/"
"Text": "Enforce **mTLS** for etcd client and peer traffic and disable plaintext listeners. Restrict access to etcd to control-plane components via tight network policies and firewalls. Use strong TLS versions/ciphers, rotate certificates, and safeguard keys, applying **least privilege** and **defense in depth**.",
"Url": "https://hub.prowler.com/check/etcd_tls_encryption"
}
},
"Categories": [
"encryption"
"encryption",
"cluster-security"
],
"DependsOn": [],
"RelatedTo": [],
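Review bot: Step 3 of the new `Other` remediation hard-codes `/etc/kubernetes/pki/etcd/server.crt` and `server.key` while the peer check in this commit uses `</path/to/...>` placeholders; these are the kubeadm default locations, so either label them as such or use placeholders consistently across the etcd checks. The Recommendation asks the operator to "disable plaintext listeners" and enforce mTLS for peer traffic, but the Description states the check only looks for `--cert-file` and `--key-file` in the container arguments; a pod that still exposes an `http://` address in `--listen-client-urls` would pass. Either scope the Recommendation to what is checked or add a sentence to the Description saying listener schemes are not evaluated, so a passing result is not read as "plaintext disabled".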
@@ -1,30 +1,36 @@
{
"Provider": "kubernetes",
"CheckID": "etcd_unique_ca",
"CheckTitle": "Ensure that a unique Certificate Authority is used for etcd",
"CheckTitle": "Etcd pod uses a unique Certificate Authority distinct from the Kubernetes API server CA",
"CheckType": [],
"ServiceName": "etcd",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "EtcdService",
"Description": "This check ensures that etcd uses a unique Certificate Authority (CA) separate from the one used for the overall Kubernetes cluster. This practice enhances the security by restricting access to the etcd database only to clients and peers with certificates issued by the dedicated etcd CA.",
"Risk": "Using the same CA for etcd and the Kubernetes cluster can expose etcd to unauthorized access if any certificate issued by the Kubernetes CA is compromised.",
"RelatedUrl": "https://etcd.io/docs/latest/op-guide/security/",
"ResourceType": "Pod",
"Description": "**Etcd** configuration is assessed to ensure it trusts a **unique Certificate Authority** via `--trusted-ca-file`, distinct from the API server's `--client-ca-file`. If the same CA file is used, etcd shares the cluster CA; differing files imply separation, though CA content should still be verified.",
"Risk": "Using the Kubernetes CA for etcd allows any cert signed by that CA to authenticate to the datastore. Theft or mis-issuance enables unauthorized reads/writes, causing secret exposure (confidentiality), state tampering (integrity), and potential control-plane disruption (availability).",
"RelatedUrl": "",
"AdditionalURLs": [
"https://etcd.io/docs/latest/op-guide/security/",
"https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#limiting-access-of-etcd-clusters"
],
"Remediation": {
"Code": {
"CLI": "--trusted-ca-file=</path/to/etcd-ca-file>",
"CLI": "",
"NativeIaC": "",
"Other": "",
"Other": "1. SSH to a control-plane node that runs etcd\n2. Open the API server manifest: sudo vi /etc/kubernetes/manifests/kube-apiserver.yaml and note the value of --client-ca-file=<APISERVER_CA_PATH>\n3. Ensure an etcd-specific CA file exists at a different path (for example: /etc/kubernetes/pki/etcd/ca.crt) and is readable by the etcd container\n4. Edit the etcd manifest: sudo vi /etc/kubernetes/manifests/etcd.yaml\n - In the etcd container command/args, add or update: --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt (this path must NOT equal <APISERVER_CA_PATH>)\n - Save the file; the kubelet will restart the etcd pod automatically\n5. Verify the change: kubectl -n kube-system get pods -o wide | grep etcd, then describe the etcd pod and confirm --trusted-ca-file points to a different path than the API server --client-ca-file",
"Terraform": ""
},
"Recommendation": {
"Text": "Ensure etcd uses a unique CA separate from the Kubernetes cluster CA.",
"Url": "https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/#limiting-access-of-etcd-clusters"
"Text": "Adopt a **separate PKI** for etcd: issue client and peer certs from an etcd-only CA and trust only that CA. Enforce mTLS (`--client-cert-auth`, `--peer-client-cert-auth`), avoid `--auto-tls`, rotate keys independently, and apply **least privilege** to CA issuance with regular certificate audits.",
"Url": "https://hub.prowler.com/check/etcd_unique_ca"
}
},
"Categories": [
"encryption"
"encryption",
"cluster-security",
"trust-boundaries"
],
"DependsOn": [],
"RelatedTo": [],
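Review bot: The check compares `--trusted-ca-file` with the API server's `--client-ca-file` by path only, and the new Description itself concedes that "CA content should still be verified"; remediation step 4's requirement that the path "must NOT equal <APISERVER_CA_PATH>" is therefore satisfied by copying the cluster CA to a second location, which leaves the risk the check describes in place. Step 3 should state that the file must hold a separately generated CA, not a copy, and a follow-up could compare certificate fingerprints instead of paths. Formatting: step 4 nests two sub-bullets inside a numbered item while every other etcd check in this commit keeps flat numbered steps. The new category `trust-boundaries` is hyphenated, whereas the token removed from etcd_client_cert_auth in this same commit was `trustboundaries`; confirm which spelling the category index expects so the check is not dropped from filtered runs. `RelatedTo` remains `[]` even though the Recommendation names `--client-cert-auth`, `--peer-client-cert-auth` and `--auto-tls`, each of which has its own check updated here.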