KubeDojo

etcd Security and Encryption

by Alexis Kinsella · 15 min read

Every Secret, RBAC binding, and workload spec in your cluster lives in etcd. Compromise it and you have root-equivalent access: read credentials, modify permissions, inject workloads, all without touching the Kubernetes API.

The Kubernetes documentation puts it plainly: "Access to etcd is equivalent to root permission in the cluster." This lesson covers the three layers that protect etcd: TLS for data in transit, encryption providers for data at rest, and network isolation to restrict who can reach it in the first place.
