Securing etcd in Kubernetes
etcd is the backbone of a Kubernetes cluster, storing all cluster configuration data, including secrets, RBAC policies, and workload definitions. If etcd is left unsecured, attackers can extract sensitive data or modify cluster settings to gain full control over Kubernetes.
1. Enable TLS Encryption for etcd Communication
Issue: Unencrypted etcd traffic exposes sensitive data.
Fix: Use TLS certificates to encrypt client-server communication.
Secure etcd with TLS
etcd --cert-file=/etc/kubernetes/pki/etcd/server.crt \
  --key-file=/etc/kubernetes/pki/etcd/server.key \
  --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt \
  --client-cert-auth=true   # reject clients that do not present a certificate signed by ca.crt
Why It Matters
- Prevents attackers from intercepting sensitive etcd data.
- Ensures all etcd traffic is encrypted and authenticated.
2. Restrict Access to etcd
Issue: If etcd is publicly accessible, attackers can retrieve cluster data.
Fix: Restrict etcd access to control plane nodes only.
Configure etcd to Listen Only on Secure Interfaces
# Loopback only works when kube-apiserver runs on the same node (kubeadm's stacked layout);
# otherwise bind to the node's internal IP and rely on TLS (step 1) plus the firewall (step 5).
etcd --listen-client-urls=https://127.0.0.1:2379
Why It Matters
- Blocks remote access to etcd from unauthorized users.
- Limits exposure to internal Kubernetes components only.
3. Enforce Authentication and Role-Based Access Control (RBAC)
Issue: Default etcd configurations may allow unauthenticated access.
Fix: Enable client authentication and restrict permissions.
Secure etcd with Authentication
etcd --auth-token=simple   # selects the token format only (simple or jwt); authentication itself is enabled below
export ETCDCTL_API=3 ETCDCTL_ENDPOINTS=https://127.0.0.1:2379 ETCDCTL_CACERT=/etc/kubernetes/pki/etcd/ca.crt \
  ETCDCTL_CERT=/etc/kubernetes/pki/etcd/server.crt ETCDCTL_KEY=/etc/kubernetes/pki/etcd/server.key
etcdctl user add root      # prompts for the root password
etcdctl auth enable        # with --client-cert-auth=true, each caller's certificate CN must now match an etcd user
Restrict who can read the secrets that etcd stores, via Kubernetes RBAC on the API server (etcd's own users and roles are separate and managed with etcdctl):
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: etcd-reader
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list"]
Why It Matters
- Prevents unauthorized users from accessing etcd.
- Ensures that only authenticated Kubernetes components can query etcd.
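To check whether steps 1 to 3 are actually applied on a node, here is an added audit script (not part of the original article) that reads the flags out of an etcd static pod manifest. It assumes the kubeadm manifest layout; the two manifests are constructed samples embedded inline.

```python
import re

# Constructed sample of a kubeadm-style etcd static pod manifest that still has the
# weaknesses from steps 1 to 3 (plaintext listener on all interfaces, no CA file, no
# client certificate authentication). Not taken from any real cluster.
WEAK_MANIFEST = """\
spec:
  containers:
  - command:
    - etcd
    - --advertise-client-urls=http://0.0.0.0:2379
    - --listen-client-urls=http://0.0.0.0:2379
    - --data-dir=/var/lib/etcd
    - --cert-file=/etc/kubernetes/pki/etcd/server.crt
    - --key-file=/etc/kubernetes/pki/etcd/server.key
"""

# The same manifest with the hardening flags from steps 1 to 3 applied.
HARDENED_MANIFEST = WEAK_MANIFEST.replace("http://0.0.0.0", "https://127.0.0.1") + """\
    - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    - --client-cert-auth=true
"""

# Matches one "- --flag=value" entry of the container's command list.
FLAG_RE = re.compile(r"^\s*-\s*(--[\w-]+)(?:=(.*))?\s*$")

def parse_etcd_flags(manifest: str) -> dict:
    """Return {flag: value} for every --flag entry in the manifest's command list."""
    flags = {}
    for line in manifest.splitlines():
        m = FLAG_RE.match(line)
        if m:
            flags[m.group(1)] = (m.group(2) or "").strip()
    return flags

def audit_etcd_flags(flags: dict) -> list:
    """Map the parsed flags to findings; an empty list means steps 1 to 3 are met."""
    findings = []
    for required in ("--cert-file", "--key-file", "--trusted-ca-file"):
        if required not in flags:
            findings.append(f"{required} missing: client TLS not fully configured")
    if flags.get("--client-cert-auth", "false").lower() != "true":
        findings.append("--client-cert-auth is not true: clients are not authenticated")
    for url in filter(None, flags.get("--listen-client-urls", "").split(",")):
        if url.startswith("http://"):
            findings.append(f"plaintext client listener: {url}")
        if "0.0.0.0" in url or "[::]" in url:
            findings.append(f"client listener bound to all interfaces: {url}")
    return findings
```

On a real node, pass the contents of /etc/kubernetes/manifests/etcd.yaml to parse_etcd_flags and review the findings list.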
4. Secure etcd Backups
Issue: Backups of etcd may contain plaintext secrets.
Fix: Encrypt and store etcd backups securely.
Backup etcd with Encryption
ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt \
  --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key \
  snapshot save /backups/etcd-snapshot.db
# -pbkdf2 replaces openssl's legacy key derivation; remove the plaintext snapshot once it is encrypted
openssl enc -aes-256-cbc -salt -pbkdf2 -in /backups/etcd-snapshot.db -out /backups/etcd-snapshot.enc
Why It Matters
- Prevents stolen backups from exposing cluster secrets.
- Ensures sensitive data remains encrypted at rest.
5. Isolate etcd from Untrusted Networks
Issue: If etcd is exposed externally, it becomes a high-value target.
Fix: Use firewall rules to block external access.
Block External etcd Access with iptables
# 10.0.0.0/24 stands for the control plane subnet; the ACCEPT rule must precede the DROP rule, and rules must be persisted to survive a reboot
iptables -A INPUT -p tcp --dport 2379 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 2379 -j DROP
Why It Matters
- Prevents attackers from directly accessing etcd.
- Limits network access to trusted control plane nodes.
Conclusion
Securing etcd is essential for protecting cluster secrets, RBAC policies, and workload configurations. By enabling TLS, restricting access, enforcing authentication, securing backups, and isolating etcd from external networks, you can prevent unauthorized access and maintain Kubernetes integrity.