Ensure that a unique Certificate Authority is used for etcd (etcd) (Openshift)
Use a different certificate authority for etcd from the one used for Kubernetes.
Risk Level: Informational
Cloud Entity: Pods
CloudGuard Rule ID: D9.K8S.CRY.40
Covered by Spectral: No
Category: Compute
GSL LOGIC
KubernetesPod where labels contain [value='etcd'] and namespace = 'openshift-etcd' should have spec.containers with [parsedArgs contain [key like 'trusted-ca-file' and value like '/etc/kubernetes/static-pod-certs/configmaps/etcd-serving-ca/ca-bundle.crt%'] and parsedArgs contain [key like 'peer-trusted-ca-file' and value like '/etc/kubernetes/static-pod-certs/configmaps/etcd-peer-client-ca/ca-bundle.crt%']]
REMEDIATION
None required. Certificates for etcd are managed by the OpenShift cluster
etcd operator.
References
- https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates
- https://github.com/openshift/cluster-etcd-operator
- https://github.com/openshift/cluster-etcd-operator/blob/release-4.5/bindata/etcd/pod.yaml#L154-L167
- https://github.com/openshift/cluster-etcd-operator/blob/master/bindata/etcd/pod.yaml#L154-L167
- https://etcd.io/
Pods
Pods are the smallest deployable units of computing that can be created and managed in Kubernetes.A Pod is a group of one or more containers (such as Docker containers), with shared storage/network, and a specification for how to run the containers.
Compliance Frameworks
- CIS OpenShift Container Platform v4 Benchmark v1.1.0
- CIS OpenShift Container Platform v4 Benchmark v1.4.0
Updated over 1 year ago