Profile Applicability:
Level 1
Description:
The --peer-auto-tls argument controls whether automatic TLS encryption is enabled for peer-to-peer communication between nodes in the Kubernetes cluster. If set to true, this argument automatically enables TLS encryption for all peer connections without requiring manual configuration. Disabling this feature (setting it to false) is a security best practice to ensure that encryption configurations are explicitly defined, giving more control over the security setup.
Rationale:
While automatic TLS encryption might be convenient, it can introduce security risks, as it does not allow administrators to review or control the TLS settings. Disabling --peer-auto-tls ensures that TLS configurations are handled manually, enabling more granular control over peer-to-peer communication encryption, and aligning with best security practices.
Impact:
Pros:
Gives administrators explicit control over TLS configurations, ensuring that encryption is correctly configured.
Helps enforce stronger security standards, reducing the likelihood of misconfigurations.
Cons:
Requires more manual configuration and management of TLS settings between nodes.
Default Value:
By default, --peer-auto-tls is not set to true in most Kubernetes deployments.
Pre-requisites:
The cluster's TLS settings should be reviewed and configured properly if --peer-auto-tls is disabled.
Administrators must manually configure secure peer-to-peer communication.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to your EKS Cluster.
Go to the API server configuration and verify that the --peer-auto-tls argument is not set to true.
Using AWS CLI:
Run the following AWS CLI command to describe your EKS cluster's configuration:
aws eks describe-cluster --name <cluster-name> --query "cluster.config"
Ensure that --peer-auto-tls is not set to true in the output.
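As an added check that is not part of this control's text: the --peer-auto-tls flag is parsed by the etcd binary, so in practice the audit is run against the etcd command line (taken from the process list or the etcd static pod manifest). The POSIX shell function below classifies one such command line the way this control expects; it assumes Go-style flag syntax, and the sample command lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper (not part of the benchmark text): classify one component
# command line by how it configures peer TLS.
#   FAIL  --peer-auto-tls is enabled (bare flag, or an explicit true value)
#   PASS  auto TLS is off and explicit peer cert/key files are supplied
#   WARN  auto TLS is off but no explicit peer certificate is configured,
#         so peer traffic may not be encrypted at all
# Assumes Go-style flag syntax (--flag, --flag=value, or --flag value for the
# path flags; the last occurrence of a boolean wins). Paths containing
# whitespace are not handled because the command line is word-split.
peer_tls_status() {
  auto_tls=false
  have_cert=false
  have_key=false
  for arg in $1; do
    case "$arg" in
      --peer-auto-tls) auto_tls=true ;;   # bare boolean flag means true
      --peer-auto-tls=*)
        case "${arg#*=}" in               # values a Go flag parser reads as true
          true|True|TRUE|1|t|T) auto_tls=true ;;
          *) auto_tls=false ;;
        esac ;;
      --peer-cert-file|--peer-cert-file=*) have_cert=true ;;
      --peer-key-file|--peer-key-file=*)   have_key=true ;;
    esac
  done
  if [ "$auto_tls" = true ]; then
    echo FAIL; return 1
  elif [ "$have_cert" = true ] && [ "$have_key" = true ]; then
    echo PASS; return 0
  else
    echo WARN; return 2
  fi
}

# Constructed sample command lines for demonstration; not from any real cluster.
COMPLIANT="etcd --name node1 --peer-auto-tls=false --peer-cert-file=/etc/etcd/peer.crt --peer-key-file=/etc/etcd/peer.key --peer-client-cert-auth=true"
BARE_FLAG="etcd --name node1 --peer-auto-tls --listen-peer-urls=https://127.0.0.1:2380"
NO_PEER_TLS="etcd --name node1 --listen-peer-urls=http://127.0.0.1:2380"

for cmd in "$COMPLIANT" "$BARE_FLAG" "$NO_PEER_TLS"; do
  printf '%s  %s\n' "$(peer_tls_status "$cmd")" "$cmd"
done
```

The WARN state is the one this control's pre-requisites warn about: disabling automatic TLS only helps if explicit peer certificates are then configured.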
Implementation Plan:
Using AWS Console:
Navigate to the EKS cluster in the AWS Console.
Under the Cluster Configuration section, modify the API server's settings.
Ensure that the --peer-auto-tls argument is not set to true.
Save the configuration and apply the changes.
Using AWS CLI:
Update the --peer-auto-tls argument to false:
aws eks update-cluster-config --name <cluster-name> --kubernetes-version <kubernetes-version> --peer-auto-tls false
Backout Plan:
Using AWS Console:
Navigate to the EKS cluster's API server configuration.
If necessary, revert the --peer-auto-tls argument to true to re-enable automatic TLS encryption.
Save the configuration and redeploy the cluster.
Using AWS CLI:
If issues occur, revert the change using:
aws eks update-cluster-config --name <cluster-name> --kubernetes-version <kubernetes-version> --peer-auto-tls true
References:
Kubernetes API Server Command-Line Flag