etcd is the distributed key-value store that holds all Kubernetes cluster state. Everything the API server knows is a record in etcd, and etcd itself knows nothing about Kubernetes users, RBAC or admission control: anyone who can read it can read every Secret in the cluster, and anyone who can write to it can change any object, including RBAC bindings, without ever passing through the API server's authentication, authorization or admission checks. If an attacker gains access to etcd, they own the cluster.
Why etcd Security Matters
etcd contains:
- All Kubernetes Secrets, stored base64-encoded but not encrypted unless encryption at rest is configured
- Service account tokens (the long-lived token Secrets)
- ConfigMaps
- Cluster configuration
- RBAC policies (Roles, ClusterRoles and their bindings)
Securing etcd Communication
Enable TLS
Both client traffic (API server to etcd, port 2379 by default) and peer traffic (etcd member to etcd member, port 2380) should be encrypted, and etcd should require a certificate from every client, so that being able to reach the port is not enough to talk to it:
YAML
# etcd configuration (with kubeadm these flags live under command: in /etc/kubernetes/manifests/etcd.yaml)
--cert-file=/etc/kubernetes/pki/etcd/server.crt
--key-file=/etc/kubernetes/pki/etcd/server.key
--trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
--client-cert-auth=true
--peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
--peer-key-file=/etc/kubernetes/pki/etcd/peer.key
--peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
--peer-client-cert-auth=true
The two flags that actually enforce authentication are --client-cert-auth=true and --peer-client-cert-auth=true. The cert, key and trusted-ca flags on their own only give you server-side TLS: the connection is encrypted, but any client that can reach the port can still read and write everything.
API Server Configuration
YAML
--etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
--etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
--etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
This is the client certificate the API server presents to etcd, signed by the etcd CA that --trusted-ca-file points at. --etcd-servers on the API server should list only https:// URLs so the client never falls back to a plaintext connection.
Network Isolation
etcd should only be accessible from:
- API servers (client port 2379)
- Other etcd members (peer port 2380)
Enforce this with host firewall rules on the control-plane nodes. etcd normally runs as a static pod on the host network, so Kubernetes NetworkPolicy does not apply to it. Never put the client port behind a public load balancer, and keep the etcd private keys under /etc/kubernetes/pki/etcd readable only by root: anyone who can read the API server's etcd client key has exactly the access to etcd that the API server has.
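The script below is an added example, not part of the original page or of the etcd and Kubernetes projects. It audits an etcd and a kube-apiserver static pod manifest for the mutual-TLS flags described in the two sections above, and goes one step further than the flag lists: it also flags a plaintext http:// client or peer URL and a listener bound to 0.0.0.0, either of which exposes etcd past the node regardless of the certificate flags. The flag names are the real ones; the manifests at the bottom are constructed samples.

```shell
#!/usr/bin/env bash
# Added example, not from the original page or from the etcd/Kubernetes
# projects: audit etcd and kube-apiserver static pod manifests for the
# mutual-TLS flags and for listeners that would undo them. Flag names are the
# real ones; the sample manifests at the bottom are constructed.
set -u

# Flags etcd needs for mutual TLS on the client port and on the peer port.
ETCD_REQUIRED="--cert-file --key-file --trusted-ca-file --client-cert-auth=true
--peer-cert-file --peer-key-file --peer-trusted-ca-file --peer-client-cert-auth=true"
# Flags kube-apiserver needs to present a client certificate to etcd.
APISERVER_REQUIRED="--etcd-cafile --etcd-certfile --etcd-keyfile"

# audit_flags <etcd|apiserver> <manifest-file>
# Prints one finding per line and returns 1 if there are any; silent, 0 on a pass.
# Real use: audit_flags etcd /etc/kubernetes/manifests/etcd.yaml
audit_flags() {
  local component=$1 file=$2 required flag findings=()
  case "$component" in
    etcd)      required=$ETCD_REQUIRED ;;
    apiserver) required=$APISERVER_REQUIRED ;;
    *) echo "unknown component: $component" >&2; return 2 ;;
  esac

  for flag in $required; do
    if [[ $flag == *=* ]]; then
      # A flag with a fixed value must appear exactly as written.
      grep -qF -- "$flag" "$file" || findings+=("MISSING $flag")
    else
      # A path flag must be present with some non-empty value.
      grep -qE -- "(^|[[:space:]])${flag}=[^[:space:]]+" "$file" || findings+=("MISSING $flag")
    fi
  done

  if [[ $component == etcd ]]; then
    # Any http:// client or peer URL bypasses the certificate checks entirely
    # for whoever can reach it (https:// does not match "http://").
    grep -qE -- '--(listen|advertise)-(client|peer)-urls=[^[:space:]]*http://' "$file" \
      && findings+=("PLAINTEXT http:// in a client or peer URL")
    # Binding on every interface exposes etcd beyond 127.0.0.1 and the node IP.
    grep -qE -- '--listen-(client|peer)-urls=[^[:space:]]*://0\.0\.0\.0' "$file" \
      && findings+=("WILDCARD-BIND listen URL on 0.0.0.0")
  else
    grep -qE -- '--etcd-servers=[^[:space:]]*http://' "$file" \
      && findings+=("PLAINTEXT http:// in --etcd-servers")
  fi

  if (( ${#findings[@]} > 0 )); then
    printf '%s\n' "${findings[@]}"
    return 1
  fi
  return 0
}

# Constructed sample: kubeadm-style etcd manifest with mutual TLS on both ports.
GOOD_ETCD=$(mktemp)
cat >"$GOOD_ETCD" <<'EOF'
    - etcd
    - --advertise-client-urls=https://10.0.0.11:2379
    - --cert-file=/etc/kubernetes/pki/etcd/server.crt
    - --client-cert-auth=true
    - --key-file=/etc/kubernetes/pki/etcd/server.key
    - --listen-client-urls=https://127.0.0.1:2379,https://10.0.0.11:2379
    - --listen-metrics-urls=http://127.0.0.1:2381
    - --listen-peer-urls=https://10.0.0.11:2380
    - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
    - --peer-client-cert-auth=true
    - --peer-key-file=/etc/kubernetes/pki/etcd/peer.key
    - --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
EOF

# Constructed sample: TLS files present, but client-cert auth is off and a
# plaintext client listener is bound on every interface.
BAD_ETCD=$(mktemp)
cat >"$BAD_ETCD" <<'EOF'
    - --cert-file=/etc/kubernetes/pki/etcd/server.crt
    - --key-file=/etc/kubernetes/pki/etcd/server.key
    - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    - --listen-client-urls=https://127.0.0.1:2379,http://0.0.0.0:2379
    - --listen-peer-urls=https://10.0.0.11:2380
    - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
    - --peer-key-file=/etc/kubernetes/pki/etcd/peer.key
    - --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    - --peer-client-cert-auth=true
EOF

# Constructed sample: API server with no etcd CA and a plaintext etcd URL.
BAD_APISERVER=$(mktemp)
cat >"$BAD_APISERVER" <<'EOF'
    - kube-apiserver
    - --etcd-servers=http://10.0.0.11:2379
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
EOF

echo "== good etcd";     audit_flags etcd "$GOOD_ETCD" && echo "PASS"
echo "== bad etcd";      audit_flags etcd "$BAD_ETCD" || echo "FAIL"
echo "== bad apiserver"; audit_flags apiserver "$BAD_APISERVER" || echo "FAIL"
```

The metrics listener in the good sample is left as http:// on purpose: kubeadm serves etcd metrics on 127.0.0.1:2381 in plaintext, and the audit deliberately matches only client and peer URLs so that line does not produce a false positive.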
Encryption at Rest
Enable encryption for sensitive data by pointing the API server at an EncryptionConfiguration file with --encryption-provider-config:
YAML
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
      - configmaps
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: <32-byte-base64-key>
      - identity: {}
The first provider in the list is the one used for writes; the others are only consulted when reading. Keeping identity last lets the API server still read objects that were stored before encryption was turned on, and those objects stay in plaintext until each one is rewritten (read and saved back unchanged) through the API. Two caveats: the Kubernetes documentation no longer recommends aescbc because CBC is exposed to padding-oracle attacks, so prefer secretbox, aesgcm with regular key rotation, or a kms provider; and with any of the local providers the key sits on the control-plane disk next to the data it protects, so this defends etcd backups and disks, not against an attacker who already has root on a control-plane node.
Backup and Recovery
Regular backups are essential, but a snapshot is a complete copy of etcd: it contains every Secret, in plaintext unless encryption at rest was on when the Secret was written, and has to be protected like etcd itself:
BASH
ETCDCTL_API=3 etcdctl snapshot save backup.db \
  --endpoints=https://127.0.0.1:2379 \
  --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt \
  --key=/etc/kubernetes/pki/etcd/healthcheck-client.key
ETCDCTL_API=3 is only needed on etcd releases before 3.4, where v2 was still the default API. Store backups encrypted, limit access to the people who would actually perform a restore, and rehearse the restore: a snapshot that has never been restored is an assumption, not a backup.
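The script below is an added example for the last two sections, not code from the original page or from the etcd and Kubernetes projects. It first checks that encryption at rest is really in effect by reading a Secret straight out of etcd, bypassing the API server's transparent decryption, and then takes a snapshot, seals it, and prunes old copies. It assumes the kubeadm etcd PKI paths, etcdctl 3.4 or newer and openssl on PATH, and a root-only passphrase file; the raw etcd values used to exercise the classifier are constructed samples, not captured data.

```shell
#!/usr/bin/env bash
# Added example, not from the original page or the etcd/Kubernetes projects:
# verify encryption at rest from etcd's point of view, then snapshot, seal and
# prune. Assumes kubeadm PKI paths, etcdctl >= 3.4 and openssl on PATH.
set -u

ETCD_ENDPOINT=${ETCD_ENDPOINT:-https://127.0.0.1:2379}
ETCD_PKI=${ETCD_PKI:-/etc/kubernetes/pki/etcd}
ETCDCTL_TLS=(--endpoints="$ETCD_ENDPOINT" --cacert="$ETCD_PKI/ca.crt"
             --cert="$ETCD_PKI/healthcheck-client.crt" --key="$ETCD_PKI/healthcheck-client.key")

# classify_etcd_value <raw value>
# The API server prefixes every value written by a non-identity provider with
# "k8s:enc:<provider>:v1:<keyname>:" (kms v2 uses ":v2:"). Anything without
# that prefix, such as the raw "k8s\0" protobuf, is stored in plaintext.
classify_etcd_value() {
  local raw=$1
  if [[ $raw =~ ^k8s:enc:([a-z0-9]+):v[12]:([^:]+): ]]; then
    echo "encrypted provider=${BASH_REMATCH[1]} key=${BASH_REMATCH[2]}"
  else
    echo "plaintext"
  fi
}

# check_secret_encrypted <namespace> <name>: read the stored object directly,
# so the answer reflects what is on disk, not what the API server shows.
# If this says "plaintext" after enabling encryption, rewrite existing Secrets:
#   kubectl get secrets --all-namespaces -o json | kubectl replace -f -
check_secret_encrypted() {
  local raw
  raw=$(etcdctl "${ETCDCTL_TLS[@]}" get "/registry/secrets/$1/$2" --print-value-only \
        | head -c 80 | tr -d '\000')
  classify_etcd_value "$raw"
}

# take_snapshot <out.db>: save and run the built-in integrity check.
take_snapshot() {
  etcdctl "${ETCDCTL_TLS[@]}" snapshot save "$1"
  etcdctl snapshot status "$1" -w table   # etcd 3.5 prefers: etcdutl snapshot status
}

# seal_backup <snapshot> <passphrase-file>: encrypt, keep a plaintext checksum
# for restore-time verification, and remove the unencrypted copy.
seal_backup() {
  local snap=$1 pass=$2
  sha256sum "$snap" | awk '{print $1}' >"$snap.sha256"
  openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
    -in "$snap" -out "$snap.enc" -pass "file:$pass"
  rm -f "$snap"
}

# unseal_backup <snapshot.enc> <passphrase-file> <out>: decrypt and verify
# the checksum; returns non-zero if the restored file does not match.
unseal_backup() {
  local enc=$1 pass=$2 out=$3
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
    -in "$enc" -out "$out" -pass "file:$pass"
  [[ $(sha256sum "$out" | awk '{print $1}') == "$(cat "${enc%.enc}.sha256")" ]]
}

# prune_backups <dir> <keep>: delete all but the newest <keep> sealed snapshots
# together with their checksum files.
prune_backups() {
  local dir=$1 keep=$2
  ls -1t "$dir"/*.db.enc 2>/dev/null | tail -n +"$((keep + 1))" | while read -r f; do
    rm -f "$f" "${f%.enc}.sha256"
  done
}

# backup_run <dir> <passphrase-file> <keep>: the scheduled job, end to end.
backup_run() {
  local dir=$1 pass=$2 keep=$3 snap
  snap="$dir/etcd-$(date -u +%Y%m%dT%H%M%SZ).db"
  take_snapshot "$snap"
  seal_backup "$snap" "$pass"
  prune_backups "$dir" "$keep"
}

# Constructed sample values in the shape `etcdctl get --print-value-only`
# returns (the NUL byte after "k8s" in the plaintext form is omitted because a
# bash string cannot hold it).
SAMPLE_ENCRYPTED='k8s:enc:aescbc:v1:key1:'$'\x01\x02''ciphertext-bytes-follow'
SAMPLE_PLAINTEXT='k8s'$'\n\x0c\n\x02v1\x12\x06Secret'

echo "encrypted sample: $(classify_etcd_value "$SAMPLE_ENCRYPTED")"
echo "plaintext sample: $(classify_etcd_value "$SAMPLE_PLAINTEXT")"
```

On a live cluster, `check_secret_encrypted kube-system bootstrap-token-abcdef` (or any Secret you pick) should print an encrypted line with the provider and key name from your EncryptionConfiguration; a plaintext answer for a Secret created before the change is expected until that Secret has been rewritten. The sealing step uses a symmetric passphrase to stay self-contained; in production, wrap the snapshot for a key held outside the control plane (a KMS key or an age/GPG recipient key) so a stolen passphrase file on the node does not unlock the backups.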
Monitoring
Monitor etcd for:
- Unauthorized access attempts: connections etcd rejects for a missing, expired or untrusted client certificate, and any client address that is not an API server or another etcd member
- Performance degradation: WAL fsync and backend commit latency, which surface as slow API server requests and, left alone, as lost leadership
- Cluster health: whether the member currently has a leader, how often the leader changes, and whether every endpoint still answers a health check
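The script below is an added example, not from the original page or from the etcd project. It implements the first and third points of the list as checks a monitoring job can run: one aggregates rejected TLS connections per source address from etcd's JSON log, the other reads a Prometheus scrape of the etcd metrics endpoint and alerts on a member with no leader or with too many leader changes. The log lines and metrics are constructed samples in the shape of etcd 3.5's output; treat the exact log field names as an assumption and adjust the patterns to what your version emits.

```shell
#!/usr/bin/env bash
# Added example, not from the original page or the etcd project: two etcd
# monitoring checks over a JSON log and a /metrics scrape. Sample data below is
# constructed in the shape of etcd 3.5 output; field names are assumptions.
set -u

# rejected_connections <logfile>
# etcd logs a warn-level "rejected connection" with remote-addr and the TLS
# error when a client fails the certificate check. Output: "<ip> <count>",
# busiest source first. Anything that is not an API server or a peer is news.
rejected_connections() {
  grep -F '"msg":"rejected connection"' "$1" \
    | sed -n 's/.*"remote-addr":"\([^"]*\)".*/\1/p' \
    | sed 's/:[0-9]*$//' \
    | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# metrics_alerts <metrics-file> [max-leader-changes]
# kubeadm serves etcd metrics on http://127.0.0.1:2381/metrics (the
# --listen-metrics-urls flag). etcd_server_has_leader is a 0/1 gauge and
# etcd_server_leader_changes_seen_total a counter since process start.
metrics_alerts() {
  awk -v max_changes="${2:-3}" '
    $1 == "etcd_server_has_leader" && $2 + 0 == 0 { print "ALERT no leader on this member" }
    $1 == "etcd_server_leader_changes_seen_total" && $2 + 0 > max_changes + 0 {
      print "ALERT leader changes seen:", $2
    }' "$1"
}
# Live equivalents of the health check, against the whole cluster:
#   etcdctl --endpoints=... --cacert=... --cert=... --key=... endpoint health --cluster
#   etcdctl --endpoints=... --cacert=... --cert=... --key=... endpoint status -w table

# Constructed sample log: one address probing without a certificate, one
# legitimate-looking peer with an expired certificate.
ETCD_LOG=$(mktemp)
cat >"$ETCD_LOG" <<'EOF'
{"level":"info","ts":"2024-05-01T10:00:00.000Z","msg":"serving client traffic securely","address":"10.0.0.11:2379"}
{"level":"warn","ts":"2024-05-01T10:00:05.101Z","msg":"rejected connection","remote-addr":"10.0.0.57:51234","server-name":"","error":"tls: client didn't provide a certificate"}
{"level":"warn","ts":"2024-05-01T10:00:05.612Z","msg":"rejected connection","remote-addr":"10.0.0.57:51240","server-name":"","error":"tls: client didn't provide a certificate"}
{"level":"warn","ts":"2024-05-01T10:00:09.300Z","msg":"rejected connection","remote-addr":"10.0.0.57:51251","server-name":"","error":"remote error: tls: bad certificate"}
{"level":"warn","ts":"2024-05-01T10:01:00.000Z","msg":"rejected connection","remote-addr":"10.0.0.12:40001","server-name":"","error":"tls: failed to verify client certificate: x509: certificate has expired or is not yet valid"}
EOF

# Constructed sample scrape from a member that has lost its leader after an
# election storm.
ETCD_METRICS=$(mktemp)
cat >"$ETCD_METRICS" <<'EOF'
# HELP etcd_server_has_leader Whether or not a leader exists. 1 is existence, 0 is not.
# TYPE etcd_server_has_leader gauge
etcd_server_has_leader 0
# HELP etcd_server_leader_changes_seen_total The number of leader changes seen.
# TYPE etcd_server_leader_changes_seen_total counter
etcd_server_leader_changes_seen_total 7
etcd_server_proposals_failed_total 0
EOF

echo "== rejected connections by source"; rejected_connections "$ETCD_LOG"
echo "== metric alerts";                  metrics_alerts "$ETCD_METRICS"
```

Run the log check over a rolling window rather than the whole file, and baseline it: a single expired certificate from a known peer is an operations ticket, while repeated rejections from an address you cannot account for is the signal the first bullet above is about.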
A secure etcd is fundamental to a secure Kubernetes cluster.