
Enable TLS and other security features


The following sections describe the options available for improving the security of your etcd deployment.

Configure RBAC

In order to enable Role-Based Access Control for etcd, set the following parameters:

auth.rbac.enabled=true
auth.rbac.rootPassword=ETCD_ROOT_PASSWORD

These parameters create a root user with an associated root role that has access to everything. All other users fall under the guest role and have no permissions to do anything.

Configure TLS for server-to-server communications

In order to enable secure transport between peer nodes, deploy the Helm chart with these options:

auth.peer.secureTransport=true
auth.peer.useAutoTLS=true

Configure certificates for client communication

In order to enable secure transport between clients and the server, first create a secret containing the certificate and key files and the CA used to sign the client certificates. Then deploy the chart with these options, pointing auth.client.existingSecret at that secret (named etcd-client-certs here):

auth.client.secureTransport=true
auth.client.enableAuthentication=true
auth.client.existingSecret=etcd-client-certs
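As an added example (not part of the chart or of this documentation), the following Python audit reads chart parameters in the key=value form used in the three sections above and reports which of the hardening options is missing or left at the placeholder. It treats any key absent from its input as not enabled; that is an assumption of the example, not a statement about the chart's defaults.

```python
"""Audit of the Bitnami etcd chart auth.* settings described on this page.
Added example, not chart code: parses 'key=value' lines (the form the page uses
for chart parameters) and reports which hardening options are missing."""

# Settings the page describes as required for a hardened deployment.
REQUIRED_TRUE = (
    "auth.rbac.enabled",
    "auth.peer.secureTransport",
    "auth.peer.useAutoTLS",
    "auth.client.secureTransport",
    "auth.client.enableAuthentication",
)
PASSWORD_PLACEHOLDER = "ETCD_ROOT_PASSWORD"  # placeholder used on the page

def parse_settings(text):
    """Turn 'key=value' lines (blank lines and '#' comments ignored) into a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def audit(settings):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for key in REQUIRED_TRUE:  # absent keys are treated as not enabled (assumption)
        if settings.get(key, "").lower() != "true":
            findings.append(f"{key} is not set to true")
    if settings.get("auth.rbac.enabled", "").lower() == "true":
        password = settings.get("auth.rbac.rootPassword", "")
        if not password or password == PASSWORD_PLACEHOLDER:
            findings.append("auth.rbac.rootPassword is empty or still the placeholder")
    if (settings.get("auth.client.secureTransport", "").lower() == "true"
            and not settings.get("auth.client.existingSecret")):
        findings.append("auth.client.existingSecret must name the client-cert secret")
    return findings

# Constructed input: the three parameter groups from this page combined, with the
# password placeholder deliberately left in so the audit flags it.
PAGE_SETTINGS = """auth.rbac.enabled=true
auth.rbac.rootPassword=ETCD_ROOT_PASSWORD
auth.peer.secureTransport=true
auth.peer.useAutoTLS=true
auth.client.secureTransport=true
auth.client.enableAuthentication=true
auth.client.existingSecret=etcd-client-certs"""
print("\n".join(audit(parse_settings(PAGE_SETTINGS)) or ["all checks passed"]))
```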

Learn more about the etcd security model and how to generate self-signed certificates for etcd.

Last modification January 19, 2021