-
Notifications
You must be signed in to change notification settings - Fork 16
/
Copy pathdata.yaml
44 lines (40 loc) · 1.41 KB
/
data.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
metadata:
id: 067385c5-d3a0-536a-bd4f-ed7c1f4033ce
name: Ensure that the --cert-file and --key-file arguments are set as appropriate
profile_applicability: '* Level 1 - Master Node'
description: Configure TLS encryption for the etcd service.
rationale: |-
etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects.
These objects are sensitive in nature and should be encrypted in transit.
audit: |-
Run the following command on the etcd server node
```
ps -ef | grep etcd
```
Verify that the `--cert-file` and the `--key-file` arguments are set as appropriate.
remediation: |-
Follow the etcd service documentation and configure TLS encryption.
Then, edit the etcd pod specification file `/etc/kubernetes/manifests/etcd.yaml` on the master node and set the below parameters.
```
--cert-file=</path/to/ca-file>
--key-file=</path/to/key-file>
```
impact: Client connections only over TLS would be served.
default_value: |
By default, TLS encryption is not set.
references: |-
1. https://coreos.com/etcd/docs/latest/op-guide/security.html
2. https://kubernetes.io/docs/admin/etcd/
section: etcd
version: '1.0'
tags:
- CIS
- Kubernetes
- CIS 2.1
- etcd
benchmark:
name: CIS Kubernetes V1.23
version: v1.0.1
id: cis_k8s
rule_number: '2.1'
posture_type: kspm