Enable TLS and other security features

Improve this page by contributing to our documentation.

The following sections describe the options available for improving the security of your etcd deployment.

Configure RBAC

In order to enable Role-Based Access Control for etcd, set the following parameters:


These parameters create a root user with an associate root role with access to everything. The remaining users will use the guest role and won’t have permissions to do anything.

Configure TLS for server-to-server communications

In order to enable secure transport between peer nodes deploy the helm chart with these options:


Configure certificates for client communication

In order to enable secure transport between client and server, create a secret containing the certificate and key files and the CA used to sign the client certificates. In this case, create the secret and then deploy the chart with these options:


Learn more about the etcd security model and how to generate self-signed certificates for etcd.

Last modification January 19, 2021