TF 0432 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate

| Property | Value |
| --- | --- |
| Language | terraform |
| Severity | low |

Description

The Kubernetes API server is not configured with the --etcd-certfile and --etcd-keyfile arguments, meaning it communicates with etcd without TLS encryption. This leaves the connection between the API server and etcd unprotected and susceptible to interception.

Impact

Without TLS, sensitive data transmitted between the API server and etcd can be intercepted or tampered with by an attacker on the network, potentially leading to unauthorized access to cluster secrets, data leakage, or modification of critical cluster state.

Resolution

Follow the Kubernetes documentation to set up the TLS connection between the API server and etcd. Then edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the etcd certificate and key file parameters, --etcd-certfile and --etcd-keyfile.
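
One way to check a manifest for this finding, as an added example that is not part of the original wiki page or the project's rule code: the script reads the text of kube-apiserver.yaml and reports whether --etcd-certfile and --etcd-keyfile are present with a value, treating commented-out or empty flags as unset. The sample manifests are constructed, and the certificate paths and function names are assumptions.

```python
import re

REQUIRED_FLAGS = ("--etcd-certfile", "--etcd-keyfile")

# One YAML list item holding a kube-apiserver flag, e.g. "    - --etcd-keyfile=/path".
# Commented-out items never match because "#" comes before the dash.
FLAG_ITEM = re.compile(r"""^\s*-\s+["']?(--[A-Za-z0-9-]+)(?:=(.*?))?["']?\s*$""")


def parse_flags(manifest_text):
    """Return {flag: value} for every flag list item found in the manifest text."""
    flags = {}
    for line in manifest_text.splitlines():
        m = FLAG_ITEM.match(line)
        if m:
            flags[m.group(1)] = (m.group(2) or "").strip()
    return flags


def audit_etcd_client_tls(manifest_text):
    """Return a list of findings; an empty list means both flags carry a value."""
    flags = parse_flags(manifest_text)
    findings = []
    for flag in REQUIRED_FLAGS:
        if flag not in flags:
            findings.append(f"{flag} is not set")
        elif not flags[flag]:
            findings.append(f"{flag} is set but has no value")
    return findings


# Constructed sample manifests (not from the page); certificate paths are assumed.
MISSING = """\
spec:
  containers:
  - command:
    - kube-apiserver
    - --etcd-servers=https://127.0.0.1:2379
    # - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=
"""
CONFIGURED = MISSING.replace("# - --etcd-certfile", "- --etcd-certfile").replace(
    "--etcd-keyfile=", "--etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key")

if __name__ == "__main__":
    for name, text in (("MISSING", MISSING), ("CONFIGURED", CONFIGURED)):
        print(name, audit_etcd_client_tls(text) or "ok")
```

To audit a real node, pass the contents of /etc/kubernetes/manifests/kube-apiserver.yaml to audit_etcd_client_tls.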