Ensure that the --client-cert-auth argument is set to true for etcd

etcd_client_cert_auth

Severity: high
Service: etcd
by Prowler

This check ensures that client authentication is enabled for the etcd service, which is a key-value store used by Kubernetes for persistent storage of all REST API objects. Enabling client authentication helps in securing access to etcd.

Risk

If --client-cert-auth is not set to true, the etcd service may be accessible by unauthenticated clients, posing a significant security risk.

Run this check with Prowler CLI

prowler kubernetes --checks etcd_client_cert_auth

Remediation

CLI

--client-cert-auth=true
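
To confirm the flag is actually in effect on a running etcd pod, the following added example (not Prowler's own check code) evaluates the container command line from a pod spec. It assumes etcd is started with "etcd" as the first element of the container command, as in a static pod manifest, and that the last occurrence of a repeated flag is the effective one; the function names and the sample pod are constructed for illustration.

```python
"""Added example: evaluate --client-cert-auth in an etcd pod spec (constructed data)."""

FLAG = "client-cert-auth"
# Literals accepted by Go's strconv.ParseBool, which parses etcd's boolean flags.
TRUE = {"1", "t", "T", "TRUE", "true", "True"}


def client_cert_auth_enabled(args):
    """Return True only if the effective (last) value of the flag is true."""
    enabled = False  # absent flag means client cert auth is off
    for arg in args:
        if arg.startswith("--"):
            body = arg[2:]
        elif arg.startswith("-"):
            body = arg[1:]
        else:
            continue
        name, sep, value = body.partition("=")
        if name != FLAG:  # exact match, so --peer-client-cert-auth is ignored
            continue
        # A bare boolean flag means true; anything not a true literal fails.
        enabled = True if not sep else value in TRUE
    return enabled


def failing_etcd_containers(pod):
    """Names of containers that run etcd without client certificate auth."""
    failing = []
    for c in pod.get("spec", {}).get("containers", []):
        argv = c.get("command", []) + c.get("args", [])
        is_etcd = bool(argv) and argv[0].rsplit("/", 1)[-1] == "etcd"
        if is_etcd and not client_cert_auth_enabled(argv[1:]):
            failing.append(c["name"])
    return failing


# Constructed sample, shaped like the JSON form of a pod object.
SAMPLE_POD = {"spec": {"containers": [
    {"name": "etcd-ok",
     "command": ["etcd", "--data-dir=/var/lib/etcd", "--client-cert-auth=true"]},
    {"name": "etcd-overridden",
     "command": ["etcd", "--client-cert-auth=true", "--client-cert-auth=false"]},
    {"name": "etcd-missing",
     "command": ["/usr/local/bin/etcd", "--peer-client-cert-auth=true"]},
]}}

if __name__ == "__main__":
    print("FAIL:", failing_etcd_containers(SAMPLE_POD))
```

The example inspects command-line arguments only; settings supplied to etcd by other means are not evaluated.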

Native IAC

https://docs.prowler.com/checks/kubernetes/kubernetes-policy-index/ensure-that-the-client-cert-auth-argument-is-set-to-true

WUI

Enable client certificate authentication for the etcd service for improved security.

Resource Type

EtcdService