TF 0512 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

Ensure that the --client-cert-auth argument is set to true

Property Value
Language terraform
Severity low

Description

The etcd service is not configured with the --client-cert-auth=true argument, so it does not require clients to present a valid certificate for authentication. This leaves the etcd API accessible to unauthenticated clients.

Impact

Without client certificate authentication, unauthorized users or processes could connect to etcd, potentially reading or modifying sensitive cluster data, leading to compromise of the Kubernetes control plane and broader cluster security.

Resolution

Edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and set the parameter below.

--client-cert-auth=true
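The following check script is an added example, not code from the Symbiotic database. It reports whether an etcd static-pod manifest enables client certificate authentication, assuming the kubeadm layout where each etcd flag is one YAML list item under command:, and it writes two constructed sample manifests (the finding and the resolution) so the check can be run offline.

```shell
#!/bin/sh
# Added example for the TF 0512 finding, not code from the Symbiotic database.
# check_client_cert_auth MANIFEST: return 0 when the etcd static-pod manifest
# enables client certificate authentication, 1 otherwise (etcd's default is off).
# Assumes the kubeadm layout, where each etcd flag is a YAML list item under
# "command:" such as "    - --client-cert-auth=true". The flag is a boolean, so
# a bare "--client-cert-auth" also counts as true; "=false" or absence fails.
# Usage on a control-plane node: check_client_cert_auth /etc/kubernetes/manifests/etcd.yaml
check_client_cert_auth() {
    manifest="$1"
    # An explicit "=false" anywhere in the command list fails the control.
    if grep -Eq '^[[:space:]]*-[[:space:]]*"?--client-cert-auth=false"?[[:space:]]*$' "$manifest"; then
        echo "FAIL: $manifest sets --client-cert-auth=false"
        return 1
    fi
    # Accept "--client-cert-auth=true" or the bare boolean form.
    if grep -Eq '^[[:space:]]*-[[:space:]]*"?--client-cert-auth(=true)?"?[[:space:]]*$' "$manifest"; then
        echo "PASS: $manifest requires client certificates"
        return 0
    fi
    echo "FAIL: $manifest does not set --client-cert-auth=true"
    return 1
}

# write_samples DIR: writes two constructed manifests into DIR:
# etcd-finding.yaml (the misconfiguration this entry describes) and
# etcd-fixed.yaml (the same file with the resolution applied). The pki paths
# are the usual kubeadm defaults, used here only as sample values.
write_samples() {
    dir="$1"
    cat > "$dir/etcd-finding.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: etcd
  namespace: kube-system
spec:
  containers:
  - name: etcd
    command:
    - etcd
    - --cert-file=/etc/kubernetes/pki/etcd/server.crt
    - --key-file=/etc/kubernetes/pki/etcd/server.key
    - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
EOF
    # The resolution: the same manifest with the parameter appended to the command list.
    cp "$dir/etcd-finding.yaml" "$dir/etcd-fixed.yaml"
    printf '    - --client-cert-auth=true\n' >> "$dir/etcd-fixed.yaml"
}
```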