heptio / aws-quickstart

AWS Kubernetes cluster via CloudFormation and kubeadm
Apache License 2.0

consider hardening the calico etcd service #255

Open raesene opened 5 years ago

raesene commented 5 years ago

Describe the solution you'd like

At the moment when you spin up a default instance of the quick start, it sets up an instance of etcd to be used by Calico.

The configuration of etcd in use allows unauthenticated access from a remote host, which would allow anyone on the pod network, or anyone who could otherwise access the VPC, to read or change the data held in that datastore.

Repro steps

Replace 172.31.43.124 with the master node IP address for your cluster.

kubectl run -it test --image=raesene/alpine-containertools /bin/ash
export ETCDCTL_API=3
etcdctl --endpoints=172.31.43.124:6666 get / --prefix

Recommendation

If possible, ensure that all communications to etcd require a valid client certificate.

Environment:
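A way to verify the recommendation above on a node, as an added example that is not part of this issue or of the heptio/aws-quickstart project: the function below inspects an etcd command line (as found in its systemd unit or pod spec) and reports whether the client listener requires a valid client certificate, i.e. TLS on --listen-client-urls, a --trusted-ca-file, and --client-cert-auth enabled. The two sample command lines are constructed for the example; the certificate paths under /etc/calico/etcd are hypothetical, and the port 6666 and address 172.31.43.124 are the ones from the repro steps.

```shell
#!/bin/sh
# Added example, not code from the issue or the aws-quickstart project.
# Checks whether an etcd command line requires a valid client certificate on its
# client listener. The sample command lines and certificate paths are constructed.

# etcd_requires_client_cert CMDLINE
# Prints a verdict and returns 0 when every required setting is present, 1 otherwise.
etcd_requires_client_cert() {
    cmdline="$1"
    missing=""

    # --client-cert-auth is a boolean etcd flag; "--client-cert-auth" alone means true.
    case " $cmdline " in
        *" --client-cert-auth=true "*|*" --client-cert-auth "*) ;;
        *) missing="$missing client-cert-auth" ;;
    esac

    # Without a trusted CA, etcd has nothing to validate presented client certs against.
    case " $cmdline " in
        *" --trusted-ca-file="*) ;;
        *) missing="$missing trusted-ca-file" ;;
    esac

    # Every client listener URL must be https; a plain http listener bypasses cert auth.
    # etcd defaults to http://localhost:2379 when the flag is absent, so an empty value fails too.
    listen=$(printf '%s\n' "$cmdline" | sed -n 's/.*--listen-client-urls=\([^ ]*\).*/\1/p')
    case "$listen" in
        "") missing="$missing listen-client-urls" ;;
        *"http://"*) missing="$missing plaintext-client-listener" ;;
    esac

    if [ -n "$missing" ]; then
        echo "etcd accepts unauthenticated clients; missing:$missing"
        return 1
    fi
    echo "etcd requires a valid client certificate on every client listener"
    return 0
}

# Constructed sample: an etcd reachable over plaintext with no client authentication,
# which is the situation the issue describes.
WEAK_ETCD_CMD="etcd --name calico \
  --listen-client-urls=http://0.0.0.0:6666 \
  --advertise-client-urls=http://172.31.43.124:6666"

# Constructed sample: the same etcd with TLS and mandatory client certificates
# (hypothetical paths under /etc/calico/etcd).
HARDENED_ETCD_CMD="etcd --name calico \
  --listen-client-urls=https://0.0.0.0:6666 \
  --advertise-client-urls=https://172.31.43.124:6666 \
  --cert-file=/etc/calico/etcd/server.crt \
  --key-file=/etc/calico/etcd/server.key \
  --trusted-ca-file=/etc/calico/etcd/ca.crt \
  --client-cert-auth=true"

# Usage: run both samples through the check (written with if so that a failing
# check does not abort the script under set -e).
for sample in "$WEAK_ETCD_CMD" "$HARDENED_ETCD_CMD"; do
    if etcd_requires_client_cert "$sample"; then :; fi
done
```

Once the etcd side enforces client certificates, calico-node and calicoctl need the matching material (the ETCD_CA_CERT_FILE, ETCD_CERT_FILE and ETCD_KEY_FILE settings on the Calico side), otherwise Calico itself is locked out along with the anonymous pod-network clients.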