--- controls: version: "tkgi-1.2.53" id: 2 text: "Etcd Node Configuration" type: "etcd" groups: - id: 2 text: "Etcd Node Configuration Files" checks: - id: 2.1 text: "Ensure that the --cert-file and --key-file arguments are set as appropriate" audit: ps -ef | grep etcd | grep -- "--cert-file=/var/vcap/jobs/etcd/config/etcd.crt" | grep -- "--key-file=/var/vcap/jobs/etcd/config/etcd.key" type: manual tests: bin_op: and test_items: - flag: "--cert-file" - flag: "--key-file" remediation: | Follow the etcd service documentation and configure TLS encryption. Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml on the master node and set the below parameters. --cert-file= --key-file= scored: false - id: 2.2 text: "Ensure that the --client-cert-auth argument is set to true" audit: ps -ef | grep etcd | grep -- "--client\-cert\-auth" tests: test_items: - flag: "--client-cert-auth" compare: op: eq value: true remediation: | Edit the etcd pod specification file etcd config on the master node and set the below parameter. --client-cert-auth="true" scored: true - id: 2.3 text: "Ensure that the --auto-tls argument is not set to true" audit: ps -ef | grep etcd | grep -v -- "--auto-tls" tests: test_items: - flag: "--auto-tls" compare: op: eq value: true set: false remediation: | Edit the etcd pod specification file etcd config on the master node and either remove the --auto-tls parameter or set it to false. --auto-tls=false scored: true - id: 2.4 text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate" audit: ps -ef | grep etcd | grep -- "--peer-cert-file=/var/vcap/jobs/etcd/config/peer.crt" | grep -- "--peer-key-file=/var/vcap/jobs/etcd/config/peer.key" type: manual tests: bin_op: and test_items: - flag: "--peer-cert-file" - flag: "--peer-key-file" remediation: | Follow the etcd service documentation and configure peer TLS encryption as appropriate for your etcd cluster. Then, edit the etcd pod specification file etcd config on the master node and set the below parameters. --peer-client-file= --peer-key-file= scored: false - id: 2.5 text: "Ensure that the --peer-client-cert-auth argument is set to true" audit: ps -ef | grep etcd | grep -- "--peer\-client\-cert\-auth" tests: test_items: - flag: "--peer-client-cert-auth" compare: op: eq value: true remediation: | Edit the etcd pod specification file etcd config on the master node and set the below parameter. --peer-client-cert-auth=true scored: true - id: 2.6 text: "Ensure that the --peer-auto-tls argument is not set to true" audit: ps -ef | grep etcd | grep -v -- "--peer-auto-tls" tests: test_items: - flag: "--peer-auto-tls" compare: op: eq value: true set: false remediation: | Edit the etcd pod specification file etcd config on the master node and either remove the --peer-auto-tls parameter or set it to false. --peer-auto-tls=false scored: true - id: 2.7 text: "Ensure that a unique Certificate Authority is used for etcd" audit: diff /var/vcap/jobs/kube-apiserver/config/kubernetes-ca.pem /var/vcap/jobs/etcd/config/etcd-ca.crt | grep -c"^>" | grep -v "^0$" type: manual tests: test_items: - flag: "--trusted-ca-file" remediation: | Follow the etcd documentation and create a dedicated certificate authority setup for the etcd service. Then, edit the etcd pod specification file etcd config on the master node and set the below parameter. --trusted-ca-file= scored: false