Ensure that the --cert-file and --key-file arguments are set as appropriate (etcd) (Openshift)

Configure TLS encryption for the etcd service.

Risk Level: High
Cloud Entity: Pods
CloudGuard Rule ID: D9.K8S.CRY.34
Covered by Spectral: No
Category: Compute

GSL LOGIC

KubernetesPod where labels contain [value='etcd'] and namespace = 'openshift-etcd' should have spec.containers with [(parsedArgs contain [key like 'cert-file' ]) and (parsedArgs contain [key like 'key-file' ])]

REMEDIATION

OpenShift does not use the etcd-certfile or etcd-keyfile flags. Certificates
for etcd are managed by the etcd cluster operator.

References

  1. https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates
  2. https://github.com/openshift/cluster-etcd-operator
  3. https://github.com/openshift/cluster-etcd-operator/blob/master/bindata/etcd/pod.yaml#L154-L167
  4. https://etcd.io/
  5. https://kubernetes.io/docs/tasks/administer-cluster/configure-upgrade-etcd/

Pods

Pods are the smallest deployable units of computing that can be created and managed in Kubernetes.A Pod is a group of one or more containers (such as Docker containers), with shared storage/network, and a specification for how to run the containers.

Compliance Frameworks

  • CIS OpenShift Container Platform v4 Benchmark v1.1.0
  • CIS OpenShift Container Platform v4 Benchmark v1.4.0