Etcd Peer TLS Certificate Files Not Properly Set
- Query id: 09bb9e96-8da3-4736-b89a-b36814acca60
- Query name: Etcd Peer TLS Certificate Files Not Properly Set
- Platform: Kubernetes
- Severity: High
- Category: Networking and Firewall
- URL: Github
Description
Peer TLS protects etcd's member-to-member (peer) traffic. When a container runs the etcd command, the '--peer-cert-file' and '--peer-key-file' flags should both be defined, whether they are passed in the container's command or in its args. Setting only one of the pair is reported: a certificate without its private key, or a key without its certificate, is not a usable peer TLS configuration.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file (only '--peer-cert-file' is set; '--peer-key-file' is missing)
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-etcd-deployment
spec:
  selector:
    matchLabels:
      app: app
  replicas: 1
  template:
    metadata:
      labels:
        app: app
        version: v1
    spec:
      serviceAccountName: database
      containers:
        - name: database
          image: gcr.io/google_containers/etcd:v3.2.18
          imagePullPolicy: IfNotPresent
          command: ["etcd"]
          args: ["--peer-cert-file=/etc/env/file.crt"]
      nodeSelector:
        kubernetes.io/hostname: worker02
      restartPolicy: OnFailure
```
Positive test num. 2 - yaml file (only '--peer-key-file' is set; '--peer-cert-file' is missing)
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-etcd-deployment
spec:
  selector:
    matchLabels:
      app: app
  replicas: 1
  template:
    metadata:
      labels:
        app: app
        version: v1
    spec:
      serviceAccountName: database
      containers:
        - name: database
          image: gcr.io/google_containers/etcd:v3.2.18
          imagePullPolicy: IfNotPresent
          command: ["etcd"]
          args: ["--peer-key-file=/etc/env/file2.key"]
      nodeSelector:
        kubernetes.io/hostname: worker02
      restartPolicy: OnFailure
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file (both flags passed in args)
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-etcd-deployment
spec:
  selector:
    matchLabels:
      app: app
  replicas: 1
  template:
    metadata:
      labels:
        app: app
        version: v1
    spec:
      serviceAccountName: database
      containers:
        - name: database
          image: gcr.io/google_containers/etcd:v3.2.18
          imagePullPolicy: IfNotPresent
          command: ["etcd"]
          args: ["--peer-cert-file=/etc/env/file.crt", "--peer-key-file=/etc/env/file2.key"]
      nodeSelector:
        kubernetes.io/hostname: worker02
      restartPolicy: OnFailure
```
Negative test num. 2 - yaml file (both flags passed in command, with empty args)
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-etcd-deployment
spec:
  selector:
    matchLabels:
      app: app
  replicas: 1
  template:
    metadata:
      labels:
        app: app
        version: v1
    spec:
      serviceAccountName: database
      containers:
        - name: database
          image: gcr.io/google_containers/etcd:v3.2.18
          imagePullPolicy: IfNotPresent
          command: ["etcd", "--peer-cert-file=/etc/env/file.crt", "--peer-key-file=/etc/env/file2.key"]
          args: []
      nodeSelector:
        kubernetes.io/hostname: worker02
      restartPolicy: OnFailure
```
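The following is an added example, not the KICS query itself (which is written in Rego) and not code from the page: it reimplements the check described above in Python over already-parsed container specs, so it runs offline without a YAML library. The manifests it scans are constructed in-line to mirror the four samples above, plus two cases the page does not show: the two flags supplied through etcd's `ETCD_PEER_CERT_FILE` / `ETCD_PEER_KEY_FILE` environment variables (etcd reads every flag from an `ETCD_`-prefixed variable), and the space-separated `--flag value` form. The helper names (`parse_flags`, `missing_peer_tls_flags`, `check_manifest`, `etcd_deployment`) are this example's own.

```python
"""Static check: an etcd container must set both --peer-cert-file and --peer-key-file.

Added example mirroring the KICS rule's logic; the manifests in SAMPLES are
constructed to match the page's samples and are not real cluster state.
"""

PEER_CERT = "--peer-cert-file"
PEER_KEY = "--peer-key-file"

# etcd accepts every flag as an ETCD_* environment variable as well.
ENV_EQUIVALENT = {PEER_CERT: "ETCD_PEER_CERT_FILE", PEER_KEY: "ETCD_PEER_KEY_FILE"}


def parse_flags(argv):
    """Return {flag: value} for both '--flag=value' and '--flag value' forms."""
    flags, i = {}, 0
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            if "=" in tok:
                name, value = tok.split("=", 1)
                flags[name] = value
            elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                flags[tok] = argv[i + 1]
                i += 1
            else:
                flags[tok] = ""  # boolean-style flag with no value
        i += 1
    return flags


def container_argv(container):
    """command and args concatenated, as the kubelet passes them to the runtime."""
    return list(container.get("command") or []) + list(container.get("args") or [])


def runs_etcd(container):
    """True when the first token of command+args is the etcd binary (any path)."""
    argv = container_argv(container)
    return bool(argv) and argv[0].rsplit("/", 1)[-1] == "etcd"


def missing_peer_tls_flags(container):
    """Return the peer TLS flags this etcd container does not set.

    Flags are collected from command and args together (negative sample 2 puts
    them in command). An env entry with a literal value or a valueFrom reference
    counts as set. Non-etcd containers return [] because the rule does not apply.
    """
    if not runs_etcd(container):
        return []
    flags = parse_flags(container_argv(container)[1:])
    env_set = {e.get("name") for e in container.get("env") or []
               if e.get("value") or e.get("valueFrom")}
    return [flag for flag in (PEER_CERT, PEER_KEY)
            if not flags.get(flag) and ENV_EQUIVALENT[flag] not in env_set]


def check_manifest(manifest):
    """Return [(container_name, [missing flags])] for each non-compliant container."""
    containers = (manifest.get("spec", {}).get("template", {})
                  .get("spec", {}).get("containers", []))
    findings = []
    for c in containers:
        missing = missing_peer_tls_flags(c)
        if missing:
            findings.append((c.get("name"), missing))
    return findings


def etcd_deployment(command, args, env=None):
    """Constructed Deployment dict shaped like the page's samples."""
    container = {"name": "database", "image": "gcr.io/google_containers/etcd:v3.2.18",
                 "command": command, "args": args}
    if env:
        container["env"] = env
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": "app-etcd-deployment"},
            "spec": {"template": {"spec": {"containers": [container]}}}}


SAMPLES = {
    "positive1": etcd_deployment(["etcd"], ["--peer-cert-file=/etc/env/file.crt"]),
    "positive2": etcd_deployment(["etcd"], ["--peer-key-file=/etc/env/file2.key"]),
    "negative1": etcd_deployment(["etcd"], ["--peer-cert-file=/etc/env/file.crt",
                                            "--peer-key-file=/etc/env/file2.key"]),
    "negative2": etcd_deployment(["etcd", "--peer-cert-file=/etc/env/file.crt",
                                  "--peer-key-file=/etc/env/file2.key"], []),
    # Beyond the page: flags via environment variables, and the space-separated form.
    "env_set": etcd_deployment(["etcd"], [], env=[
        {"name": "ETCD_PEER_CERT_FILE", "value": "/etc/env/file.crt"},
        {"name": "ETCD_PEER_KEY_FILE", "value": "/etc/env/file2.key"}]),
    "space_form": etcd_deployment(["etcd"], ["--peer-cert-file", "/etc/env/file.crt"]),
}

if __name__ == "__main__":
    for name, manifest in SAMPLES.items():
        print(name, check_manifest(manifest) or "ok")
```

One limit worth knowing: flags can also come from an etcd `--config-file` YAML (its `peer-transport-security` section has `cert-file` and `key-file`), which neither this script nor a manifest-level rule can see; when a container passes `--config-file`, inspect that file's contents separately before treating the finding as a pass.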