Information
etcd should be configured to make use of TLS encryption for client connections.
Rationale:
etcd is a highly-available key value store used by Kubernetes deployments for persistent storage of all of its REST API objects. These objects are sensitive in nature and should be protected by client authentication. This requires the API server to identify itself to the etcd server using a client certificate and key.
Impact:
TLS and client certificate authentication are configured by default for etcd.
Solution
OpenShift automatically manages TLS and client certificate authentication for etcd. This is not configurable.
Default Value:
By default, OpenShift uses X.509 certificates to provide secure communication to etcd. OpenShift configures these automatically. OpenShift does not use the etcd-certfile or etcd-keyfile flags. OpenShift generates the necessary files and sets the arguments appropriately.