TF 0147 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Ensure that the --etcd-cafile argument is set as appropriate

| Property | Value     |
|----------|-----------|
| Language | terraform |
| Severity | low       |

Description

The Kubernetes API server is not configured with the --etcd-cafile argument, meaning it may connect to etcd without verifying that the etcd server's TLS certificate was issued by a trusted certificate authority. This weakens the security of communication between the API server and etcd.

Impact

Without certificate authority verification, attackers could perform man-in-the-middle attacks, intercepting or tampering with sensitive data between the API server and etcd. This can lead to unauthorized access, data breaches, or compromise of the Kubernetes control plane.

Resolution

Follow the Kubernetes documentation and set up the TLS connection between the API server and etcd. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --etcd-cafile parameter to the path of the etcd certificate authority file.
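As an added verification aid (not part of the Symbiotic database or of Kubernetes), the Python check below takes a Pod object in the JSON form that `kubectl get pod -n kube-system <name> -o json` prints (or the static manifest converted to JSON) and reports, for every container that runs kube-apiserver, whether --etcd-cafile is set to a non-empty path in either the `--flag=value` or `--flag value` spelling. The two sample manifests and the CA path /etc/kubernetes/pki/etcd/ca.crt are constructed for the example.

```python
import json

FLAG = "--etcd-cafile"


def find_flag(argv, flag=FLAG):
    """Return the value given for `flag` in an argv list, or None when the flag
    is absent or has an empty value. Accepts `--flag=value` and `--flag value`."""
    for i, tok in enumerate(argv):
        if tok == flag:
            nxt = argv[i + 1] if i + 1 < len(argv) else ""
            # A following token that is itself a flag means no value was given.
            return nxt if nxt and not nxt.startswith("--") else None
        if tok.startswith(flag + "="):
            return tok[len(flag) + 1:] or None
    return None


def apiserver_containers(pod):
    """Yield (name, argv) for each container whose command/args invoke kube-apiserver."""
    for c in pod.get("spec", {}).get("containers", []):
        argv = list(c.get("command", [])) + list(c.get("args", []))
        if any(tok.endswith("kube-apiserver") for tok in argv):
            yield c["name"], argv


def check_pod(pod):
    """Map each kube-apiserver container name to its --etcd-cafile path (None = finding)."""
    return {name: find_flag(argv) for name, argv in apiserver_containers(pod)}


def check_pod_json(text):
    return check_pod(json.loads(text))


# Constructed sample manifests (kubeadm-style static pod, trimmed to the etcd flags).
_BASE = ["kube-apiserver", "--etcd-servers=https://127.0.0.1:2379",
         "--etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt"]


def _pod(argv):
    return json.dumps({"kind": "Pod", "metadata": {"name": "kube-apiserver"},
                       "spec": {"containers": [{"name": "kube-apiserver", "command": argv}]}})


SAMPLE_MISSING = _pod(_BASE)                                              # finding
SAMPLE_FIXED = _pod(_BASE + ["--etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt"])  # compliant

if __name__ == "__main__":
    for label, doc in (("missing", SAMPLE_MISSING), ("fixed", SAMPLE_FIXED)):
        for name, cafile in check_pod_json(doc).items():
            status = f"OK ({cafile})" if cafile else "FAIL: --etcd-cafile not set"
            print(f"{label}: container {name}: {status}")
```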