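---
# kube-bench control set: etcd node configuration checks for TKGI 1.2.53.
#
# For every check, kube-bench runs `audit` on the node and evaluates
# `tests` against whatever the command prints; a check marked
# `type: manual` is reported for operator review rather than executed.
# All `ps`-based audits end in `grep -v grep` so that the grep processes
# of the pipeline itself (whose command lines contain the very flags and
# paths being searched for) cannot show up in the output and satisfy a
# flag test while etcd is running without the flag.
controls:
version: "tkgi-1.2.53"
id: 2
text: "Etcd Node Configuration"
type: "etcd"
groups:
  - id: 2
    text: "Etcd Node Configuration Files"
    checks:
      # Check ids are quoted so they stay strings: an unquoted `2.10`
      # would be parsed as the float 2.1 and collide with check 2.1.
      - id: "2.1"
        text: "Ensure that the --cert-file and --key-file arguments are set as appropriate"
        audit: ps -ef | grep etcd | grep -v grep | grep -- "--cert-file=/var/vcap/jobs/etcd/config/etcd.crt" | grep -- "--key-file=/var/vcap/jobs/etcd/config/etcd.key"
        type: manual
        tests:
          bin_op: and
          test_items:
            - flag: "--cert-file"
            - flag: "--key-file"
        # --cert-file is the etcd server certificate, not the CA; the audit
        # above shows where the TKGI etcd job keeps it.
        remediation: |
          Follow the etcd service documentation and configure TLS encryption.
          Then, edit the etcd pod specification file etcd config on the master
          node and set the below parameters.
          --cert-file=</path/to/cert-file>
          --key-file=</path/to/key-file>
        scored: false

      - id: "2.2"
        text: "Ensure that the --client-cert-auth argument is set to true"
        # A hyphen is not special in a grep basic regex, so the flag can be
        # matched literally without backslash escapes.
        audit: ps -ef | grep etcd | grep -v grep | grep -- "--client-cert-auth"
        tests:
          test_items:
            - flag: "--client-cert-auth"
              compare:
                op: eq
                value: true
        remediation: |
          Edit the etcd pod specification file etcd config on the master
          node and set the below parameter.
          --client-cert-auth="true"
        scored: true

      - id: "2.3"
        text: "Ensure that the --auto-tls argument is not set to true"
        # The audit must NOT filter the flag out of its own output (the old
        # `grep -v -- "--auto-tls"` did): a `set: false` item passes when the
        # flag is absent from the output, so dropping the lines that carry
        # it made the check pass even with --auto-tls=true. The test now
        # encodes the title and remediation literally: the flag is either
        # absent or explicitly false.
        audit: ps -ef | grep etcd | grep -v grep
        tests:
          bin_op: or
          test_items:
            - flag: "--auto-tls"
              set: false
            - flag: "--auto-tls"
              compare:
                op: eq
                value: false
        remediation: |
          Edit the etcd pod specification file etcd config on the master
          node and either remove the --auto-tls parameter or set it to false.
          --auto-tls=false
        scored: true

      - id: "2.4"
        text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate"
        audit: ps -ef | grep etcd | grep -v grep | grep -- "--peer-cert-file=/var/vcap/jobs/etcd/config/peer.crt" | grep -- "--peer-key-file=/var/vcap/jobs/etcd/config/peer.key"
        type: manual
        tests:
          bin_op: and
          test_items:
            - flag: "--peer-cert-file"
            - flag: "--peer-key-file"
        # The flag name in the remediation matches the one audited above
        # (it previously read `--peer-client-file`, which etcd does not have).
        remediation: |
          Follow the etcd service documentation and configure peer TLS encryption as appropriate
          for your etcd cluster.
          Then, edit the etcd pod specification file etcd config on the
          master node and set the below parameters.
          --peer-cert-file=</path/to/peer-cert-file>
          --peer-key-file=</path/to/peer-key-file>
        scored: false

      - id: "2.5"
        text: "Ensure that the --peer-client-cert-auth argument is set to true"
        audit: ps -ef | grep etcd | grep -v grep | grep -- "--peer-client-cert-auth"
        tests:
          test_items:
            - flag: "--peer-client-cert-auth"
              compare:
                op: eq
                value: true
        remediation: |
          Edit the etcd pod specification file etcd config on the master
          node and set the below parameter.
          --peer-client-cert-auth=true
        scored: true

      - id: "2.6"
        text: "Ensure that the --peer-auto-tls argument is not set to true"
        # Same reasoning as 2.3: keep the flag in the output so a
        # `set: false` item can actually fail, and accept an explicit false.
        audit: ps -ef | grep etcd | grep -v grep
        tests:
          bin_op: or
          test_items:
            - flag: "--peer-auto-tls"
              set: false
            - flag: "--peer-auto-tls"
              compare:
                op: eq
                value: false
        remediation: |
          Edit the etcd pod specification file etcd config on the master
          node and either remove the --peer-auto-tls parameter or set it to false.
          --peer-auto-tls=false
        scored: true

      - id: "2.7"
        text: "Ensure that a unique Certificate Authority is used for etcd"
        # Prints the number of lines that differ between the API server CA and
        # the etcd CA, and prints nothing when the two files are identical.
        # (`grep -c"^>"` previously lacked the space after -c, which makes
        # grep reject `^` as an unknown option and the pipeline fail.)
        # NOTE(review): the test item below looks for --trusted-ca-file, which
        # this diff output never contains; the check is `manual`, so
        # kube-bench reports it for review rather than evaluating the test.
        audit: diff /var/vcap/jobs/kube-apiserver/config/kubernetes-ca.pem /var/vcap/jobs/etcd/config/etcd-ca.crt | grep -c "^>" | grep -v "^0$"
        type: manual
        tests:
          test_items:
            - flag: "--trusted-ca-file"
        remediation: |
          Follow the etcd documentation and create a dedicated certificate authority setup for the
          etcd service.
          Then, edit the etcd pod specification file etcd config on the
          master node and set the below parameter.
          --trusted-ca-file=</path/to/ca-file>
        scored: false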