- Require mTLS for peer and client traffic (--peer-client-cert-auth, --client-cert-auth).
- Use a dedicated internal CA and rotate certificates before expiry.
- Disable insecure client and peer endpoints.
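An added example, not part of the original checklist: a small audit that parses an etcd command line and reports which of the three items above it fails (plaintext listen URLs, client-certificate authentication left off, auto-generated self-signed certificates instead of a dedicated CA, missing CA file). The flag names are etcd's own; the two sample command lines are constructed for this example.

```python
import shlex
# Constructed sample etcd command lines (not from any real deployment):
# one with the weak settings, one matching the checklist above.
WEAK_CMDLINE = (
    "/usr/local/bin/etcd --name node1 "
    "--listen-client-urls http://0.0.0.0:2379 "
    "--listen-peer-urls https://10.0.0.5:2380 "
    "--peer-auto-tls --client-cert-auth=false"
)
HARDENED_CMDLINE = (
    "/usr/local/bin/etcd --name node1 "
    "--listen-client-urls https://10.0.0.5:2379 "
    "--listen-peer-urls https://10.0.0.5:2380 "
    "--client-cert-auth=true --trusted-ca-file /etc/etcd/ca.pem "
    "--cert-file /etc/etcd/server.pem --key-file /etc/etcd/server-key.pem "
    "--peer-client-cert-auth=true --peer-trusted-ca-file /etc/etcd/ca.pem "
    "--peer-cert-file /etc/etcd/peer.pem --peer-key-file /etc/etcd/peer-key.pem"
)

def parse_flags(cmdline):
    """Map --flag=value / --flag value pairs to a dict; a bare boolean flag
    such as --peer-auto-tls is recorded as "true"."""
    flags, tokens, i = {}, shlex.split(cmdline)[1:], 0  # [1:] drops the binary
    while i < len(tokens):
        name, sep, value = tokens[i][2:].partition("=")
        if not sep:  # no '=': value is the next token unless that is a flag
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                i, value = i + 1, tokens[i + 1]
            else:
                value = "true"
        flags[name] = value
        i += 1
    return flags

def audit_tls(cmdline):
    """Return findings for the mTLS and insecure-endpoint items above."""
    f, findings = parse_flags(cmdline), []
    for urls_flag in ("listen-client-urls", "listen-peer-urls"):
        for url in f.get(urls_flag, "").split(","):
            if url.startswith("http://"):
                findings.append(f"{urls_flag}: plaintext endpoint {url}")
    for auth in ("client-cert-auth", "peer-client-cert-auth"):
        if f.get(auth, "false").lower() != "true":
            findings.append(f"{auth}: client certificates not required")
    for auto in ("auto-tls", "peer-auto-tls"):
        if f.get(auto, "false").lower() == "true":
            findings.append(f"{auto}: self-signed certs instead of a dedicated CA")
    for ca in ("trusted-ca-file", "peer-trusted-ca-file"):
        if ca not in f:
            findings.append(f"{ca} missing: peers/clients cannot be verified")
    return findings
```

Run `audit_tls` over the `ExecStart` line of the etcd unit file on each node; an empty list means the three TLS items are satisfied, while the weak sample yields six findings.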
¶ Authentication and Authorization
- Enable etcd auth and create role-based users for applications.
- Avoid reusing root credentials in automation.
- Restrict write access to only required key prefixes.
¶ Network and Host Security
- Bind etcd to private interfaces only.
- Limit ingress to cluster members and trusted API clients.
- Run etcd on hardened hosts with minimal exposed services.
¶ Backup and Incident Readiness
- Take encrypted snapshots on a fixed schedule.
- Validate snapshot restore into staging regularly.
- Alert on quorum risk, leader churn, and disk latency spikes.