Etcd Peer TLS Certificate Files Not Properly Set

  • Query id: 09bb9e96-8da3-4736-b89a-b36814acca60
  • Query name: Etcd Peer TLS Certificate Files Not Properly Set
  • Platform: Kubernetes
  • Severity: High
  • Category: Networking and Firewall
  • URL: Github

Description

When using etcd commands, the '--peer-cert-file' and '--peer-key-file' should be defined
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-etcd-deployment
spec:
  selector:
    matchLabels:
      app: app
  replicas: 1
  template:
    metadata:
      labels:
        app: app
        version: v1
    spec:
      serviceAccountName: database
      containers:
      - name: database
        image: gcr.io/google_containers/etcd:v3.2.18
        imagePullPolicy: IfNotPresent
        command: ["etcd"]
        args: ["--peer-cert-file=/etc/env/file.crt"]
      nodeSelector:
        kubernetes.io/hostname: worker02  
    restartPolicy: OnFailure
Positive test num. 2 - yaml file
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-etcd-deployment
spec:
  selector:
    matchLabels:
      app: app
  replicas: 1
  template:
    metadata:
      labels:
        app: app
        version: v1
    spec:
      serviceAccountName: database
      containers:
      - name: database
        image: gcr.io/google_containers/etcd:v3.2.18
        imagePullPolicy: IfNotPresent
        command: ["etcd"]
        args: ["--peer-key-file=/etc/env/file2.key"]
      nodeSelector:
        kubernetes.io/hostname: worker02  
    restartPolicy: OnFailure

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-etcd-deployment
spec:
  selector:
    matchLabels:
      app: app
  replicas: 1
  template:
    metadata:
      labels:
        app: app
        version: v1
    spec:
      serviceAccountName: database
      containers:
      - name: database
        image: gcr.io/google_containers/etcd:v3.2.18
        imagePullPolicy: IfNotPresent
        command: ["etcd"]
        args: ["--peer-cert-file=/etc/env/file.crt", "--peer-key-file=/etc/env/file2.key"]
      nodeSelector:
        kubernetes.io/hostname: worker02  
    restartPolicy: OnFailure
Negative test num. 2 - yaml file
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-etcd-deployment
spec:
  selector:
    matchLabels:
      app: app
  replicas: 1
  template:
    metadata:
      labels:
        app: app
        version: v1
    spec:
      serviceAccountName: database
      containers:
      - name: database
        image: gcr.io/google_containers/etcd:v3.2.18
        imagePullPolicy: IfNotPresent
        command: ["etcd", "--peer-cert-file=/etc/env/file.crt", "--peer-key-file=/etc/env/file2.key"]
        args: []
      nodeSelector:
        kubernetes.io/hostname: worker02  
    restartPolicy: OnFailure