|
2 | 2 | title: Self assessment guide - ETCD configuration
|
3 | 3 | sidebar_label: Etcd
|
4 | 4 | description: Self assessment guide to validate ETCD configuration
|
5 |
| ---- |
| 5 | +--- |
| 6 | + |
| 7 | +This section covers security areas related to etcd configuration, including: |
| 8 | +- Encryption of sensitive data at rest on server, applications and in transit. |
| 9 | + |
| 10 | +_Assessment focus for vCluster_: Key areas include verifying correct authentication mechanisms are used and safeguarding |
| 11 | +the data at rest and in transit via TLS encryption. |
| 12 | + |
| 13 | +## 2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated) |
| 14 | + |
| 15 | +**Result:** PASS |
| 16 | + |
| 17 | +**Remediation:** Run the audit command mentioned below to verify that `--cert-file` and `--key-file` arguments are |
| 18 | +appropriately set. |
| 19 | + |
| 20 | +**Audit:** |
| 21 | +```kubectl exec -n <vCluster-namespace> <vCluster-pod-name> -- ps -ef | grep etcd``` |
| 22 | + |
| 23 | +**Expected Result:** |
| 24 | +``` |
| 25 | +'--cert-file' and '--key-file' arguments are appropriately set |
| 26 | +``` |
| 27 | + |
| 28 | +**Returned Value:** |
| 29 | +```bash |
| 30 | +31 root 2:41 etcd --data-dir=/data/etcd --advertise-client-urls=https://emb-0.emb-headless.emb:2379 |
| 31 | +--initial-advertise-peer-urls=https://emb-0.emb-headless.emb:2380 --initial-cluster-token=vcluster |
| 32 | +--listen-client-urls=https://0.0.0.0:2379 --listen-metrics-urls=http://0.0.0.0:2381 --listen-peer-urls=https://0.0.0.0:2380 |
| 33 | +--name=emb-0 --heartbeat-interval=500 --election-timeout=5000 --experimental-watch-progress-notify-interval=5s |
| 34 | +--experimental-peer-skip-client-san-verification --log-level=info --snapshot-count=10000 --log-outputs=stderr |
| 35 | +--logger=zap --client-cert-auth=true --cert-file=/data/pki/etcd/server.crt --key-file=/data/pki/etcd/server.key |
| 36 | +--peer-client-cert-auth=true --peer-key-file=/data/pki/etcd/peer.key --peer-cert-file=/data/pki/etcd/peer.crt |
| 37 | +--peer-trusted-ca-file=/data/pki/etcd/ca.crt --trusted-ca-file=/data/pki/etcd/ca.crt --initial-cluster=emb-0= |
| 38 | +https://emb-0.emb-headless.emb:2380 --initial-cluster-state=new --force-new-cluster |
| 39 | +``` |
| 40 | + |
| 41 | +## 2.2 Ensure that the --client-cert-auth argument is set to true (Automated) |
| 42 | + |
| 43 | +**Result:** PASS |
| 44 | + |
| 45 | +**Remediation:** Run the audit command mentioned below to verify that `--client-cert-auth` is set to `true`. |
| 46 | + |
| 47 | +**Audit:** |
| 48 | +```kubectl exec -n <vCluster-namespace> <vCluster-pod-name> -- ps -ef | grep etcd``` |
| 49 | + |
| 50 | +**Expected Result:** |
| 51 | +``` |
| 52 | +'--client-cert-auth' is set to 'true' |
| 53 | +``` |
| 54 | + |
| 55 | +**Returned Value:** |
| 56 | +```bash |
| 57 | +31 root 2:41 etcd --data-dir=/data/etcd --advertise-client-urls=https://emb-0.emb-headless.emb:2379 |
| 58 | +--initial-advertise-peer-urls=https://emb-0.emb-headless.emb:2380 --initial-cluster-token=vcluster |
| 59 | +--listen-client-urls=https://0.0.0.0:2379 --listen-metrics-urls=http://0.0.0.0:2381 --listen-peer-urls=https://0.0.0.0:2380 |
| 60 | +--name=emb-0 --heartbeat-interval=500 --election-timeout=5000 --experimental-watch-progress-notify-interval=5s |
| 61 | +--experimental-peer-skip-client-san-verification --log-level=info --snapshot-count=10000 --log-outputs=stderr |
| 62 | +--logger=zap --client-cert-auth=true --cert-file=/data/pki/etcd/server.crt --key-file=/data/pki/etcd/server.key |
| 63 | +--peer-client-cert-auth=true --peer-key-file=/data/pki/etcd/peer.key --peer-cert-file=/data/pki/etcd/peer.crt |
| 64 | +--peer-trusted-ca-file=/data/pki/etcd/ca.crt --trusted-ca-file=/data/pki/etcd/ca.crt --initial-cluster=emb-0= |
| 65 | +https://emb-0.emb-headless.emb:2380 --initial-cluster-state=new --force-new-cluster |
| 66 | +``` |
| 67 | + |
| 68 | +## 2.3 Ensure that the --auto-tls argument is not set to true (Automated) |
| 69 | + |
| 70 | +**Result:** PASS |
| 71 | + |
| 72 | +**Remediation:** Run the audit command mentioned below to verify that `--auto-tls` argument does not exist. |
| 73 | + |
| 74 | +**Audit:** |
| 75 | +```kubectl exec -n <vCluster-namespace> <vCluster-pod-name> -- ps -ef | grep etcd``` |
| 76 | + |
| 77 | +**Expected Result:** |
| 78 | +``` |
| 79 | +'--auto-tls' argument does not exist |
| 80 | +``` |
| 81 | + |
| 82 | +**Returned Value:** |
| 83 | +```bash |
| 84 | +31 root 2:41 etcd --data-dir=/data/etcd --advertise-client-urls=https://emb-0.emb-headless.emb:2379 |
| 85 | +--initial-advertise-peer-urls=https://emb-0.emb-headless.emb:2380 --initial-cluster-token=vcluster |
| 86 | +--listen-client-urls=https://0.0.0.0:2379 --listen-metrics-urls=http://0.0.0.0:2381 --listen-peer-urls=https://0.0.0.0:2380 |
| 87 | +--name=emb-0 --heartbeat-interval=500 --election-timeout=5000 --experimental-watch-progress-notify-interval=5s |
| 88 | +--experimental-peer-skip-client-san-verification --log-level=info --snapshot-count=10000 --log-outputs=stderr |
| 89 | +--logger=zap --client-cert-auth=true --cert-file=/data/pki/etcd/server.crt --key-file=/data/pki/etcd/server.key |
| 90 | +--peer-client-cert-auth=true --peer-key-file=/data/pki/etcd/peer.key --peer-cert-file=/data/pki/etcd/peer.crt |
| 91 | +--peer-trusted-ca-file=/data/pki/etcd/ca.crt --trusted-ca-file=/data/pki/etcd/ca.crt --initial-cluster=emb-0= |
| 92 | +https://emb-0.emb-headless.emb:2380 --initial-cluster-state=new --force-new-cluster |
| 93 | +``` |
| 94 | + |
| 95 | +## 2.4 Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Automated) |
| 96 | + |
| 97 | +**Result:** PASS |
| 98 | + |
| 99 | +**Remediation:** Run the audit command mentioned below to verify that `--peer-cert-file` and `--peer-key-file` are |
| 100 | +appropriately set . |
| 101 | + |
| 102 | +**Audit:** |
| 103 | +```kubectl exec -n <vCluster-namespace> <vCluster-pod-name> -- ps -ef | grep etcd``` |
| 104 | + |
| 105 | +**Expected Result:** |
| 106 | +``` |
| 107 | +'--peer-cert-file' and '--peer-key-file' arguments are appropriately set |
| 108 | +``` |
| 109 | + |
| 110 | +**Returned Value:** |
| 111 | +```bash |
| 112 | +31 root 2:41 etcd --data-dir=/data/etcd --advertise-client-urls=https://emb-0.emb-headless.emb:2379 |
| 113 | +--initial-advertise-peer-urls=https://emb-0.emb-headless.emb:2380 --initial-cluster-token=vcluster |
| 114 | +--listen-client-urls=https://0.0.0.0:2379 --listen-metrics-urls=http://0.0.0.0:2381 --listen-peer-urls=https://0.0.0.0:2380 |
| 115 | +--name=emb-0 --heartbeat-interval=500 --election-timeout=5000 --experimental-watch-progress-notify-interval=5s |
| 116 | +--experimental-peer-skip-client-san-verification --log-level=info --snapshot-count=10000 --log-outputs=stderr |
| 117 | +--logger=zap --client-cert-auth=true --cert-file=/data/pki/etcd/server.crt --key-file=/data/pki/etcd/server.key |
| 118 | +--peer-client-cert-auth=true --peer-key-file=/data/pki/etcd/peer.key --peer-cert-file=/data/pki/etcd/peer.crt |
| 119 | +--peer-trusted-ca-file=/data/pki/etcd/ca.crt --trusted-ca-file=/data/pki/etcd/ca.crt --initial-cluster=emb-0= |
| 120 | +https://emb-0.emb-headless.emb:2380 --initial-cluster-state=new --force-new-cluster |
| 121 | +``` |
| 122 | + |
| 123 | +## 2.5 Ensure that the --peer-client-cert-auth argument is set to true (Automated) |
| 124 | + |
| 125 | +**Result:** PASS |
| 126 | + |
| 127 | +**Remediation:** Run the audit command mentioned below to verify that `--peer-client-cert-auth` is set to `true`. |
| 128 | + |
| 129 | +**Audit:** |
| 130 | +```kubectl exec -n <vCluster-namespace> <vCluster-pod-name> -- ps -ef | grep etcd``` |
| 131 | + |
| 132 | +**Expected Result:** |
| 133 | +``` |
| 134 | +'--peer-client-cert-auth' is set to 'true' |
| 135 | +``` |
| 136 | + |
| 137 | +**Returned Value:** |
| 138 | +```bash |
| 139 | +31 root 2:41 etcd --data-dir=/data/etcd --advertise-client-urls=https://emb-0.emb-headless.emb:2379 |
| 140 | +--initial-advertise-peer-urls=https://emb-0.emb-headless.emb:2380 --initial-cluster-token=vcluster |
| 141 | +--listen-client-urls=https://0.0.0.0:2379 --listen-metrics-urls=http://0.0.0.0:2381 --listen-peer-urls=https://0.0.0.0:2380 |
| 142 | +--name=emb-0 --heartbeat-interval=500 --election-timeout=5000 --experimental-watch-progress-notify-interval=5s |
| 143 | +--experimental-peer-skip-client-san-verification --log-level=info --snapshot-count=10000 --log-outputs=stderr |
| 144 | +--logger=zap --client-cert-auth=true --cert-file=/data/pki/etcd/server.crt --key-file=/data/pki/etcd/server.key |
| 145 | +--peer-client-cert-auth=true --peer-key-file=/data/pki/etcd/peer.key --peer-cert-file=/data/pki/etcd/peer.crt |
| 146 | +--peer-trusted-ca-file=/data/pki/etcd/ca.crt --trusted-ca-file=/data/pki/etcd/ca.crt --initial-cluster=emb-0= |
| 147 | +https://emb-0.emb-headless.emb:2380 --initial-cluster-state=new --force-new-cluster |
| 148 | +``` |
| 149 | + |
| 150 | +## 2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated) |
| 151 | + |
| 152 | +**Result:** PASS |
| 153 | + |
| 154 | +**Remediation:** Run the audit command mentioned below to verify that `--peer-auto-tls` argument does not exist. |
| 155 | + |
| 156 | +**Audit:** |
| 157 | +```kubectl exec -n <vCluster-namespace> <vCluster-pod-name> -- ps -ef | grep etcd``` |
| 158 | + |
| 159 | +**Expected Result:** |
| 160 | +``` |
| 161 | +'--peer-auto-tls' argument does not exist |
| 162 | +``` |
| 163 | + |
| 164 | +**Returned Value:** |
| 165 | +```bash |
| 166 | +31 root 2:41 etcd --data-dir=/data/etcd --advertise-client-urls=https://emb-0.emb-headless.emb:2379 |
| 167 | +--initial-advertise-peer-urls=https://emb-0.emb-headless.emb:2380 --initial-cluster-token=vcluster |
| 168 | +--listen-client-urls=https://0.0.0.0:2379 --listen-metrics-urls=http://0.0.0.0:2381 --listen-peer-urls=https://0.0.0.0:2380 |
| 169 | +--name=emb-0 --heartbeat-interval=500 --election-timeout=5000 --experimental-watch-progress-notify-interval=5s |
| 170 | +--experimental-peer-skip-client-san-verification --log-level=info --snapshot-count=10000 --log-outputs=stderr |
| 171 | +--logger=zap --client-cert-auth=true --cert-file=/data/pki/etcd/server.crt --key-file=/data/pki/etcd/server.key |
| 172 | +--peer-client-cert-auth=true --peer-key-file=/data/pki/etcd/peer.key --peer-cert-file=/data/pki/etcd/peer.crt |
| 173 | +--peer-trusted-ca-file=/data/pki/etcd/ca.crt --trusted-ca-file=/data/pki/etcd/ca.crt --initial-cluster=emb-0= |
| 174 | +https://emb-0.emb-headless.emb:2380 --initial-cluster-state=new --force-new-cluster |
| 175 | +``` |
| 176 | + |
| 177 | +## 2.7 Ensure that a unique Certificate Authority is used for etcd (Manual) |
| 178 | + |
| 179 | +**Result:** PASS |
| 180 | + |
| 181 | +**Remediation:** Run the audit command mentioned below to verify that the file referenced by the --client-ca-file |
| 182 | +for api-server is different from the --trusted-ca-file used by etcd. |
| 183 | + |
| 184 | +**Audit:** |
| 185 | +Run the following command and note the file referenced by '--trusted-ca-file' |
| 186 | +```kubectl exec -n <vCluster-namespace> <vCluster-pod-name> -- ps -ef | grep etcd``` |
| 187 | + |
| 188 | +**Returned Value:** |
| 189 | +```bash |
| 190 | +31 root 2:41 etcd --data-dir=/data/etcd --advertise-client-urls=https://emb-0.emb-headless.emb:2379 |
| 191 | +--initial-advertise-peer-urls=https://emb-0.emb-headless.emb:2380 --initial-cluster-token=vcluster |
| 192 | +--listen-client-urls=https://0.0.0.0:2379 --listen-metrics-urls=http://0.0.0.0:2381 --listen-peer-urls=https://0.0.0.0:2380 |
| 193 | +--name=emb-0 --heartbeat-interval=500 --election-timeout=5000 --experimental-watch-progress-notify-interval=5s |
| 194 | +--experimental-peer-skip-client-san-verification --log-level=info --snapshot-count=10000 --log-outputs=stderr |
| 195 | +--logger=zap --client-cert-auth=true --cert-file=/data/pki/etcd/server.crt --key-file=/data/pki/etcd/server.key |
| 196 | +--peer-client-cert-auth=true --peer-key-file=/data/pki/etcd/peer.key --peer-cert-file=/data/pki/etcd/peer.crt |
| 197 | +--peer-trusted-ca-file=/data/pki/etcd/ca.crt --trusted-ca-file=/data/pki/etcd/ca.crt --initial-cluster=emb-0= |
| 198 | +https://emb-0.emb-headless.emb:2380 --initial-cluster-state=new --force-new-cluster |
| 199 | +``` |
| 200 | + |
| 201 | +Now run the following command and note the file referenced by '--client-ca-file' |
| 202 | +```kubectl exec -n <vCluster-namespace> <vCluster-pod-name> -- ps -ef | grep apiserver``` |
| 203 | + |
| 204 | +**Returned Value:** |
| 205 | +```bash |
| 206 | +47 root 6:43 /binaries/kube-apiserver --advertise-address=127.0.0.1 --service-cluster-ip-range=10.96.0.0/16 |
| 207 | +--bind-address=127.0.0.1 --allow-privileged=true --authorization-mode=RBAC --client-ca-file=/data/pki/client-ca.crt |
| 208 | +--enable-bootstrap-token-auth=true --etcd-servers=https://127.0.0.1:2379 --etcd-cafile=/data/pki/etcd/ca.crt |
| 209 | +--etcd-certfile=/data/pki/apiserver-etcd-client.crt --etcd-keyfile=/data/pki/apiserver-etcd-client.key |
| 210 | +--proxy-client-cert-file=/data/pki/front-proxy-client.crt --proxy-client-key-file=/data/pki/front-proxy-client.key |
| 211 | +--requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/data/pki/front-proxy-ca.crt |
| 212 | +--requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group |
| 213 | +--requestheader-username-headers=X-Remote-User --secure-port=6443 --service-account-issuer= |
| 214 | +https://kubernetes.default.svc.cluster.local --service-account-key-file=/data/pki/sa.pub |
| 215 | +--service-account-signing-key-file=/data/pki/sa.key --tls-cert-file=/data/pki/apiserver.crt --tls-private-key-file= |
| 216 | +/data/pki/apiserver.key --endpoint-reconciler-type=none --profiling=false |
| 217 | +``` |
| 218 | + |
| 219 | +**Expected Result:** |
| 220 | +``` |
| 221 | +The file referenced by the --client-ca-file for api-server is different from the --trusted-ca-file |
| 222 | +``` |
| 223 | + |
| 224 | + |
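Review bot: The **Audit:** command under every check (2.1 through 2.7) is written as a single line wrapped in triple backticks, which Markdown renders as an inline code span rather than a fenced block, so the `kubectl exec ... | grep etcd` command will not display as a code block like the **Expected Result:** and **Returned Value:** sections do; put the opening fence, the command and the closing fence on separate lines, as the other blocks already are. Smaller points in the same hunk: the introduction says "including:" but lists only one bullet, so either add the other areas the section covers or drop the colon-and-list form; "appropriately set ." in the 2.4 remediation has a stray space before the period; and the 2.7 remediation names `--client-ca-file` and `--trusted-ca-file` without backticks while every other check formats flag names as code. The returned values do support the stated results: `--cert-file`, `--key-file`, `--peer-cert-file`, `--peer-key-file`, `--client-cert-auth=true` and `--peer-client-cert-auth=true` are present, no `--auto-tls` or `--peer-auto-tls` appears, and the api-server's `--client-ca-file=/data/pki/client-ca.crt` differs from etcd's `--trusted-ca-file=/data/pki/etcd/ca.crt`.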