Protecting Your Cluster with ETCD Authentication and Authorization
Understanding the Importance of Authorized Access to ETCD
etcd is the cluster's key-value store, and the API server is the only component that needs a connection to it.
Access to etcd is equivalent to admin authorization in the cluster, since all cluster state is stored there. Ideally, only the API server has authenticated and authorized access. In AKS, etcd is managed by Azure itself; however, it is not transparent how.
The following flags should be set in the etcd yaml:
--client-cert-auth=true
--peer-client-cert-auth=true
--peer-key-file=<path to peer key>/peer.key
--peer-cert-file=<path to peer cert>/peer.crt
--key-file=<path to server key>/server.key
--cert-file=<path to server cert>/server.crt
--trusted-ca-file=<path to CA cert>/ca.crt
--peer-trusted-ca-file=<path to CA cert>/ca.crt
And in the kube-apiserver yaml:
--etcd-cafile=<path of the CA cert given by --trusted-ca-file and --peer-trusted-ca-file in the etcd yaml>
--etcd-keyfile=<path to API server client key>/apiserver-etcd-client.key
--etcd-certfile=<path to API server client cert>/apiserver-etcd-client.crt
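A quick way to verify that a control-plane node actually carries these flags is to audit the static-pod manifests. The script below is an added example, not part of the original page: it defines the required flag lists for both manifests, a `count_missing` function that reports which flags are absent, and a `write_sample_manifests` helper that creates constructed sample manifests (one hardened etcd manifest, one weak one with client certificate authentication switched off, and a kube-apiserver manifest). The file names, the `/etc/kubernetes/pki/...` paths and the manifest contents are assumptions for the demo; on a real kubeadm-style node you would point `count_missing` at the files under `/etc/kubernetes/manifests` instead.

```shell
#!/bin/sh
# Added audit example (not from the original page): check static-pod manifests
# for the etcd and kube-apiserver TLS flags listed above. File names, the
# /etc/kubernetes/pki/... paths and the sample manifests are constructed here.

# Flags that must appear in the etcd manifest. Flags ending in "=" are checked
# for presence only; the two *-cert-auth flags are matched together with their
# value, so a manifest that sets them to false is reported as missing.
ETCD_REQUIRED="--client-cert-auth=true --peer-client-cert-auth=true \
--peer-key-file= --peer-cert-file= --key-file= --cert-file= \
--trusted-ca-file= --peer-trusted-ca-file="
# Flags the kube-apiserver needs to present its client certificate to etcd.
APISERVER_REQUIRED="--etcd-cafile= --etcd-keyfile= --etcd-certfile="

# count_missing FILE "FLAG ..." : prints each missing flag on stderr and the
# number of missing flags on stdout. grep -F matches literally, so
# "--key-file=" does not match "--peer-key-file=" (different dash prefix).
count_missing() {
  file=$1
  n=0
  for flag in $2; do
    if ! grep -Fq -- "$flag" "$file"; then
      echo "MISSING in $file: $flag" >&2
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# write_sample_manifests DIR : constructed samples (assumed paths and values).
# etcd-good.yaml carries every flag, etcd-weak.yaml has client cert auth set
# to false and no peer client cert auth at all.
write_sample_manifests() {
  dir=$1
  cat > "$dir/etcd-good.yaml" <<'EOF'
    command:
    - etcd
    - --client-cert-auth=true
    - --peer-client-cert-auth=true
    - --peer-key-file=/etc/kubernetes/pki/etcd/peer.key
    - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
    - --key-file=/etc/kubernetes/pki/etcd/server.key
    - --cert-file=/etc/kubernetes/pki/etcd/server.crt
    - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    - --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
EOF
  cat > "$dir/etcd-weak.yaml" <<'EOF'
    command:
    - etcd
    - --client-cert-auth=false
    - --peer-key-file=/etc/kubernetes/pki/etcd/peer.key
    - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
    - --key-file=/etc/kubernetes/pki/etcd/server.key
    - --cert-file=/etc/kubernetes/pki/etcd/server.crt
    - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    - --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
EOF
  cat > "$dir/kube-apiserver.yaml" <<'EOF'
    command:
    - kube-apiserver
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
EOF
}

# Demo run over the constructed samples; prints one summary line per file.
demo_dir=$(mktemp -d)
write_sample_manifests "$demo_dir"
for f in etcd-good.yaml etcd-weak.yaml; do
  echo "$f: $(count_missing "$demo_dir/$f" "$ETCD_REQUIRED") flag(s) missing"
done
echo "kube-apiserver.yaml: $(count_missing "$demo_dir/kube-apiserver.yaml" "$APISERVER_REQUIRED") flag(s) missing"
rm -rf "$demo_dir"
```

The check is deliberately a presence test: it tells you that a flag is absent or that client certificate authentication is switched off, but it does not validate the certificates themselves or confirm that the CA named in `--etcd-cafile` is the one etcd trusts. Treat a non-zero count as a finding to follow up on the node, and pair it with a check of the certificate files where a deeper audit is needed.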