Configure A Unique CA Certificate for etcd

An XCCDF Rule

Description

A unique CA certificate should be created for etcd. OpenShift by default creates separate PKIs for etcd and the Kubernetes API server. The same is done for other points of communication in the cluster.

Dependency Warning

This rule is only applicable to nodes that run the etcd service, which by default runs only on the nodes labeled "master".

Rationale

The Kubernetes API server and etcd utilize separate CA certificates in OpenShift. This ensures that the etcd data is still protected in the event that the API server CA is compromised.
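One way to verify the property this rule describes, as an added check that is not part of the XCCDF rule or of OpenShift's own tooling: a POSIX shell script that fingerprints every certificate in two PEM bundles and fails if the etcd CA bundle and the API server CA bundle share any certificate. The bundle file paths and the fixture helper are assumptions; on a real cluster you would first export the two CA bundles to PEM files.

```shell
#!/bin/sh
# Added example, not part of the rule or of OpenShift. Verifies that an etcd CA
# bundle and a kube-apiserver CA bundle share no certificate. Input file paths
# are assumptions: export the two CA bundles from the cluster to PEM files first.

# Print one SHA-256 fingerprint per certificate in a PEM bundle, sorted, unique.
# The digest is over the DER bytes (decoded base64 body), which is what
# `openssl x509 -fingerprint -sha256` hashes, so values are comparable.
pem_fingerprints() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
    /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
    inside                        { body = body $0 }
  ' "$1" | while IFS= read -r b64; do
    # Skip empty or non-base64 bodies rather than hashing garbage.
    [ -n "$b64" ] && printf '%s' "$b64" | base64 -d >/dev/null 2>&1 || continue
    printf '%s' "$b64" | base64 -d | sha256sum | cut -d' ' -f1
  done | sort -u
}

# Exit 0 only when both bundles hold at least one certificate and no
# fingerprint appears in both; a shared CA means etcd is not isolated.
unique_ca_check() {
  etcd_fps=$(pem_fingerprints "$1")
  api_fps=$(pem_fingerprints "$2")
  [ -n "$etcd_fps" ] && [ -n "$api_fps" ] || return 1
  shared=$(printf '%s\n%s\n' "$etcd_fps" "$api_fps" | sort | uniq -d)
  [ -z "$shared" ]
}

# Test-fixture helper: writes a constructed PEM bundle wrapping arbitrary
# payloads. These are NOT real certificates; the check only needs the bodies.
make_fixture() {  # make_fixture OUT_FILE PAYLOAD...
  out=$1; shift
  : > "$out"
  for payload in "$@"; do
    {
      echo '-----BEGIN CERTIFICATE-----'
      printf '%s' "$payload" | base64
      echo '-----END CERTIFICATE-----'
    } >> "$out"
  done
}

# Stand-alone usage: sh etcd_unique_ca.sh ETCD_CA.pem APISERVER_CA.pem
if [ "$#" -eq 2 ]; then
  if unique_ca_check "$1" "$2"; then echo "PASS: etcd CA is distinct from API server CA"
  else echo "FAIL: etcd CA bundle shares a certificate with API server CA bundle"; exit 1; fi
fi
```

A bundle that is a superset of the other (for example, an etcd bundle that also carries the API server CA for trust purposes) is reported as a failure, which is the conservative reading of this rule.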

ID
xccdf_org.ssgproject.content_rule_etcd_unique_ca
Severity
Medium
References
Updated