Documentation - hardening.md - etcd_deployment_type: host (#12520)

* Fix for #12447 Signed-off-by: Bas Meijer <bas.meijer@enexis.nl> * Update hardening.md Co-authored-by: spatterlight <81454789+spatterIight@users.noreply.github.com> --------- Signed-off-by: Bas Meijer <bas.meijer@enexis.nl> Co-authored-by: spatterlight <81454789+spatterIight@users.noreply.github.com>
2025-12-13 21:34:40 +03:00 · 2025-10-06 11:07:00 +02:00
parent 270ff65992
commit 9ded45f703
1 changed files with 5 additions and 1 deletions
--- a/docs/operations/hardening.md
+++ b/docs/operations/hardening.md
@@ -81,7 +81,11 @@ kube_controller_feature_gates: ["RotateKubeletServerCertificate=true"]
 kube_scheduler_bind_address: 127.0.0.1

 ## etcd
-etcd_deployment_type: kubeadm
+# Running etcd (on dedicated hosts) outside the Kubernetes cluster is the most secure deployment option,
+# as it isolates etcd from the cluster's CNI network and removes direct pod-level attack vectors.
+# This approach prevents RBAC misconfigurations that potentially compromise etcd,
+# creating an additional security boundary that protects the cluster's critical state store.
+etcd_deployment_type: host

 ## kubelet
 kubelet_authorization_mode_webhook: true