From 9ded45f70319f62a90b601c7cf9c6cdaebfc0b44 Mon Sep 17 00:00:00 2001
From: Bas
Date: Mon, 6 Oct 2025 11:07:00 +0200
Subject: [PATCH] Documentation - hardening.md - etcd_deployment_type: host (#12520)

* Fix for #12447

Signed-off-by: Bas Meijer

* Update hardening.md

Co-authored-by: spatterlight <81454789+spatterIight@users.noreply.github.com>

---------

Signed-off-by: Bas Meijer
Co-authored-by: spatterlight <81454789+spatterIight@users.noreply.github.com>
---
 docs/operations/hardening.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/docs/operations/hardening.md b/docs/operations/hardening.md
index b3f687f80..55a3b312b 100644
--- a/docs/operations/hardening.md
+++ b/docs/operations/hardening.md
@@ -81,7 +81,11 @@ kube_controller_feature_gates: ["RotateKubeletServerCertificate=true"]
 kube_scheduler_bind_address: 127.0.0.1
 
 ## etcd
-etcd_deployment_type: kubeadm
+# Running etcd (on dedicated hosts) outside the Kubernetes cluster is the most secure deployment option,
+# as it isolates etcd from the cluster's CNI network and removes direct pod-level attack vectors.
+# This approach prevents RBAC misconfigurations that potentially compromise etcd,
+# creating an additional security boundary that protects the cluster's critical state store.
+etcd_deployment_type: host
 
 ## kubelet
 kubelet_authorization_mode_webhook: true