diff --git a/docs/operations/hardening.md b/docs/operations/hardening.md
index b3f687f80..55a3b312b 100644
--- a/docs/operations/hardening.md
+++ b/docs/operations/hardening.md
@@ -81,7 +81,11 @@ kube_controller_feature_gates: ["RotateKubeletServerCertificate=true"]
 kube_scheduler_bind_address: 127.0.0.1
 
 ## etcd
-etcd_deployment_type: kubeadm
+# Running etcd (on dedicated hosts) outside the Kubernetes cluster is the most secure deployment option,
+# as it isolates etcd from the cluster's CNI network and removes direct pod-level attack vectors.
+# This approach prevents RBAC misconfigurations that potentially compromise etcd,
+# creating an additional security boundary that protects the cluster's critical state store.
+etcd_deployment_type: host
 
 ## kubelet
 kubelet_authorization_mode_webhook: true