TF 0255 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Ensure that the --peer-auto-tls argument is not set to true

Property Value
Language terraform
Severity low

Description

The etcd pod is configured with --peer-auto-tls set to true, so etcd generates self-signed TLS certificates for peer (member-to-member) communication at startup instead of using certificates issued by a trusted CA. The resulting peer connections are encrypted but not authenticated: there is no CA against which a peer's certificate can be validated, so a member has no way to confirm that the host on the other end of a peer connection is a legitimate cluster member. Note that the option is off by default, and that a bare --peer-auto-tls with no value enables it just as --peer-auto-tls=true does.

Impact

An attacker who can reach the peer port (2380 by default) or sit on the network path between members can present their own self-signed certificate and intercept or impersonate an etcd peer; because no certificate chain is validated, neither side can detect the substitution. That exposes the replicated cluster state that etcd stores for the Kubernetes control plane and allows it to be read, tampered with, or disrupted.

Resolution

Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and either remove the --peer-auto-tls parameter or set it to false. Removing the flag alone leaves the peer listeners without a usable certificate, so also configure CA-issued peer certificates with --peer-cert-file, --peer-key-file and --peer-trusted-ca-file, and require peers to present a client certificate signed by that CA with --peer-client-cert-auth=true. Because etcd.yaml is a static pod manifest, the kubelet restarts the etcd container when the file changes; verify the running process afterwards (for example with ps -ef | grep etcd) and confirm that --peer-auto-tls no longer appears.
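The following is an added example, not code from the Symbiotic Vulnerability Database or from etcd, that audits a static-pod manifest for this finding and for the peer-PKI flags that should replace the auto-generated certificates. It goes slightly beyond the page's own check: it applies Go flag semantics (a bare --peer-auto-tls counts as true, the last occurrence wins) and also confirms --peer-client-cert-auth and the peer cert/key/CA flags. The two manifests are constructed samples, the image tag and the /etc/kubernetes/pki/etcd/ paths are assumptions, and the manifest reader is a deliberately small line-based extractor of the command:/args: lists rather than a full YAML parser.

```python
"""Audit an etcd static-pod manifest for --peer-auto-tls (TF 0255) and peer PKI flags."""
import re

# Constructed sample manifests (not taken from any real cluster).
# Image tag and certificate paths are assumed values for illustration only.
WEAK_MANIFEST = """\
apiVersion: v1
kind: Pod
metadata:
  name: etcd
  namespace: kube-system
spec:
  containers:
  - name: etcd
    image: registry.k8s.io/etcd:3.5.12-0
    command:
    - etcd
    - --advertise-client-urls=https://10.0.0.10:2379
    - --data-dir=/var/lib/etcd
    - --listen-peer-urls=https://10.0.0.10:2380
    - --peer-auto-tls=true
    volumeMounts:
    - mountPath: /var/lib/etcd
      name: etcd-data
"""

# Same pod with the flag removed and CA-issued peer certificates configured.
HARDENED_MANIFEST = WEAK_MANIFEST.replace(
    "    - --peer-auto-tls=true\n",
    "    - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt\n"
    "    - --peer-key-file=/etc/kubernetes/pki/etcd/peer.key\n"
    "    - --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt\n"
    "    - --peer-client-cert-auth=true\n",
)

# Flags that must carry a value for CA-based peer authentication to work.
PEER_PKI_FLAGS = ("--peer-cert-file", "--peer-key-file", "--peer-trusted-ca-file")

_LIST_KEY = re.compile(r"^\s*(command|args):\s*$")
_LIST_ITEM = re.compile(r"^\s*-\s+(.*\S)\s*$")


def extract_command_args(manifest_text):
    """Collect the '- item' entries that follow command:/args: keys.
    Simplified line-based reader: the list ends at the first non-blank line
    that is not a '- item'. kubelet concatenates command and args, so both are kept."""
    args, in_list = [], False
    for line in manifest_text.splitlines():
        if _LIST_KEY.match(line):
            in_list = True
            continue
        if in_list:
            item = _LIST_ITEM.match(line)
            if item:
                args.append(item.group(1).strip("\"'"))
            elif line.strip():
                in_list = False
    return args


def _normalize(arg):
    """Go's flag package accepts one or two leading dashes; treat both alike."""
    return "--" + arg.lstrip("-") if arg.startswith("-") else arg


def _parse_bool(raw, name):
    """Boolean values Go's strconv.ParseBool accepts (case-folded, so a little looser)."""
    value = raw.strip().lower()
    if value in {"1", "t", "true"}:
        return True
    if value in {"0", "f", "false"}:
        return False
    raise ValueError(f"{name} has unparsable boolean value {raw!r}")


def bool_flag_value(args, name, default=False):
    """Effective value of a Go-style boolean flag: a bare '--name' means true,
    '--name=x' parses x, the last occurrence wins, absence yields the default
    (etcd defaults both --peer-auto-tls and --peer-client-cert-auth to false)."""
    value = default
    for arg in args:
        norm = _normalize(arg)
        if norm == name:
            value = True
        elif norm.startswith(name + "="):
            value = _parse_bool(norm.split("=", 1)[1], name)
    return value


def audit_manifest(manifest_text):
    """Return a list of findings; an empty list means the peer TLS configuration passes."""
    args = extract_command_args(manifest_text)
    findings = []
    checks = (
        ("--peer-auto-tls", False,
         "--peer-auto-tls is enabled: peer TLS uses auto-generated self-signed certificates (TF 0255)"),
        ("--peer-client-cert-auth", True,
         "--peer-client-cert-auth is not true: peers are not required to present a CA-issued client certificate"),
    )
    for name, wanted, message in checks:
        try:
            if bool_flag_value(args, name) != wanted:
                findings.append(message)
        except ValueError as exc:
            findings.append(str(exc))
    for flag in PEER_PKI_FLAGS:
        # Accept both '--flag=value' and '--flag value' spellings.
        if not any(_normalize(a) == flag or _normalize(a).startswith(flag + "=") for a in args):
            findings.append(f"{flag} is not set")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(f"{label}: {audit_manifest(text) or 'PASS'}")
```

Run against a real node with `audit_manifest(open("/etc/kubernetes/manifests/etcd.yaml").read())`; the same `bool_flag_value` helper can be pointed at the live argv from `ps -o args= -C etcd` to confirm the kubelet actually picked up the edited manifest.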