Profile Applicability:
Level 1
Description:
Ensure that the --etcd-certfile and --etcd-keyfile arguments are correctly configured in the Kubernetes API server. The --etcd-certfile specifies the path to the TLS certificate for securing the connection between the API server and etcd, while the --etcd-keyfile specifies the corresponding private key. These arguments are essential for enabling encrypted communication between the API server and etcd.
Rationale:
Setting the --etcd-certfile and --etcd-keyfile arguments ensures that communication between the Kubernetes API server and etcd is secured using TLS, preventing unauthorized access or eavesdropping. This is crucial for protecting the integrity and confidentiality of data stored in etcd, which holds critical information for the Kubernetes cluster.
Impact:
Pros:
Ensures secure, encrypted communication between the Kubernetes API server and etcd.
Helps prevent unauthorized access or tampering with etcd data.
Cons:
Misconfiguration could result in the API server being unable to communicate with etcd, causing issues with cluster functionality.
Requires proper management and secure storage of certificates and private keys.
Default Value:
By default, the --etcd-certfile and --etcd-keyfile arguments may not be set. These settings must be configured with the correct certificate and key for secure communication with etcd.
Pre-Requisites:
Access to the Kubernetes API server configuration.
A valid TLS certificate and private key for etcd communication.
Sufficient privileges (root or administrator access) to modify the API server flags.
A Kubernetes environment with secure communication to etcd.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the Amazon Elastic Kubernetes Service (EKS) console.
Navigate to the "Clusters" section and locate your cluster.
Review the settings for the --etcd-certfile and --etcd-keyfile arguments in the API server configuration.
Ensure that the --etcd-certfile and --etcd-keyfile arguments are set to the correct certificate and key file paths.
Using AWS CLI:
Retrieve the configuration for the Kubernetes API server:
kubectl get deployment -n kube-system kube-apiserver -o yaml
Check for the presence of the --etcd-certfile and --etcd-keyfile arguments in the API server arguments section:
- --etcd-certfile=/etc/kubernetes/pki/etcd/server.crt
- --etcd-keyfile=/etc/kubernetes/pki/etcd/server.key
Ensure that the --etcd-certfile and --etcd-keyfile arguments are set to the appropriate file paths. If they are not, update the configuration to point to the correct certificate and key files.
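The presence check above can be scripted. The following is an added example, not part of this benchmark page: it takes a kube-apiserver container's command list (as kubectl prints it, here a constructed sample) and reports whether both etcd TLS flags are set, whether their values are absolute paths, and optionally whether the key file exists and is not group- or world-readable.

```python
"""Audit a kube-apiserver command list for --etcd-certfile / --etcd-keyfile.

Added example (not from the benchmark text). The argv list is assumed to be
the container's command/args as returned by kubectl; the sample below is
constructed for illustration.
"""
import os
import stat
from typing import Dict, List, Optional

REQUIRED_FLAGS = ("--etcd-certfile", "--etcd-keyfile")


def parse_flags(argv: List[str]) -> Dict[str, Optional[str]]:
    """Map '--name=value' and '--name value' tokens to {name: value}.
    A flag with no value maps to None; non-flag tokens are ignored."""
    flags: Dict[str, Optional[str]] = {}
    i = 0
    while i < len(argv):
        token = argv[i]
        if token.startswith("--"):
            if "=" in token:
                name, value = token.split("=", 1)
            elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                name, value = token, argv[i + 1]
                i += 1
            else:
                name, value = token, None
            flags[name] = value
        i += 1
    return flags


def audit_etcd_tls(argv: List[str], check_files: bool = False) -> List[str]:
    """Return a list of findings; an empty list means the check passes."""
    flags = parse_flags(argv)
    findings: List[str] = []
    for name in REQUIRED_FLAGS:
        value = flags.get(name)
        if not value:  # missing, or set to an empty string
            findings.append(f"{name} is not set")
            continue
        if not os.path.isabs(value):
            findings.append(f"{name} is not an absolute path: {value}")
        if check_files:
            if not os.path.isfile(value):
                findings.append(f"{name} points to a missing file: {value}")
            elif name == "--etcd-keyfile":
                mode = stat.S_IMODE(os.stat(value).st_mode)
                if mode & 0o077:  # private key must not be group/world readable
                    findings.append(f"{name} is readable by group/other (mode {mode:04o}): {value}")
    return findings


# Constructed sample: the command list of a kube-apiserver container
SAMPLE_COMMAND = [
    "kube-apiserver",
    "--etcd-certfile=/etc/kubernetes/pki/etcd/server.crt",
    "--etcd-keyfile=/etc/kubernetes/pki/etcd/server.key",
]

if __name__ == "__main__":
    for line in audit_etcd_tls(SAMPLE_COMMAND) or ["PASS: both etcd TLS flags are set"]:
        print(line)
```

Run with `check_files=True` on the node that hosts the API server so the file-existence and key-permission checks apply to the real paths.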
Implementation Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the EKS service and navigate to your cluster.
Review the cluster's configuration for the --etcd-certfile and --etcd-keyfile arguments.
If the arguments are missing or misconfigured, update the API server configuration to set the correct paths for the certificate and key:
--etcd-certfile=/etc/kubernetes/pki/etcd/server.crt --etcd-keyfile=/etc/kubernetes/pki/etcd/server.key
Save and apply the changes to the Kubernetes API server configuration.
Using AWS CLI:
Modify the API server deployment by adding or updating the --etcd-certfile and --etcd-keyfile arguments:
kubectl edit deployment -n kube-system kube-apiserver
In the deployment YAML, locate the command section under the spec for the kube-apiserver container.
Add or update the following lines to specify the correct certificate and key file paths:
- --etcd-certfile=/etc/kubernetes/pki/etcd/server.crt
- --etcd-keyfile=/etc/kubernetes/pki/etcd/server.key
Save and exit the editor to apply the changes.
Backout Plan:
Using AWS Console:
Sign in to the AWS Console.
Open the EKS service and navigate to your cluster.
Locate the API server configuration.
If necessary, revert the change by setting the --etcd-certfile and --etcd-keyfile arguments back to their previous values or restoring the default configuration.
Save and apply the changes to the Kubernetes API server configuration.
Using AWS CLI:
To revert the change, edit the API server deployment to set the --etcd-certfile and --etcd-keyfile arguments back to their previous values:
kubectl edit deployment -n kube-system kube-apiserver
Update the deployment YAML to include the previous values for the --etcd-certfile and --etcd-keyfile arguments.
Save and exit the editor to apply the changes.
References:
Kubernetes API Server Configuration