Risks

Protecting Your Cluster with ETCD Authentication and Authorization

Understanding the Importance of Authorized Access to ETCD

The ETCD is the key-value store of the cluster. Only the API needs a connection to the ETCD.

Access to ETCD corresponds to admin authorization in the cluster. Ideally, only the API server has authenticated and authorized access. In AKS, the ETCD is managed by Azure itself, however, it is not transparent how.

The following flags should be set in the ETCD yaml :

  • --clint-cert-auth=true
  • --peer-client-cert-auth=true
  • --peer-key-file=<Pfad zum peerkey>/peer.key
  • --peer-cert-file=<Pfad zum peercert>/peer.crt
  • --key-file=<Pfad zum serverkey>/server.key
  • --cert-file=<Pfad zum servercert>/server.crt
  • --trusted-ca-file=<Pfad zum cacert>/ca.crt

As in the API-SERVER yaml:

  • --etcd-cafile=<Pfad vom --trusted-ca-file und
  • --peer-trusted-ca-file in der ETCD-Yaml>
  • --etcd-keyfile=<Pfad zum apikey>/apiserver-etcd-client.key
  • --etcd-certfile=<Pfad zum apicert>/apiserver-etcd-client.crt

follow these measures

Any Questions?

Please feel free to contact us for any question that is not answered yet. 

We are looking forward to get in contact with you!

Design Escapes

KubeOps GmbH
Hinter Stöck 17
72406 Bisingen
Germany

  • Telefon:

    +49 7433 93724 90

  • Mail:

    This email address is being protected from spambots. You need JavaScript enabled to view it.

Legal
Download Area
Certified as

KubeOps GmbH is the owner of the Union trademark KubeOps with the registration number 018305184. 

© KubeOps GmbH. All rights reserved. Subsidiary of