CoursesKubernetes attack & defenseControl plane & operators

Control plane & etcd

Encrypt secrets at rest, lock the API server, guard the CA.

Expert35 min · lesson 10 of 15

The control plane is the cluster’s brain and its crown jewels — the API server, etcd, and kubelets. Compromise any of them and workload-level controls no longer matter, so hardening them is the foundation everything else rests on.

etcd, the API server, and encryption at rest

etcd stores all cluster state, and critically, Secrets are only base64-encoded there by default — so read access to etcd, or to an etcd backup, is read access to every credential in the cluster. Enable encryption at rest (ideally KMS-backed) so a datastore or backup leak does not hand over your secrets, and restrict etcd to the API server alone. The API server is the single entry point for all actions: protect it with strong authentication, RBAC authorization, comprehensive audit logging, and network restriction — never expose it broadly, and disable anonymous auth. These two components define the cluster’s trust; guard them accordingly.

encrypt secrets at rest in etcd
# EncryptionConfiguration for the API server — Secrets stored encrypted, not
# just base64. Prefer a KMS provider so the key lives outside the cluster.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources: ["secrets"]
providers:
- kms:
name: cluster-kms
endpoint: unix:///var/run/kms.sock
- identity: {} # fallback for reads of pre-existing plaintext
# Without this, anyone who reads etcd or a backup reads every Secret.

Kubelets and the trust anchor

Each node’s kubelet exposes an API that, if it allows anonymous access, lets an attacker exec into pods and read their data — so disable anonymous auth and set the kubelet’s authorization mode to Webhook. Above all, guard the cluster CA and signing keys: they can mint trusted client certificates, so CA compromise lets an attacker forge any identity, including cluster-admin. On managed platforms (EKS/GKE/AKS) the provider hardens the control plane under a shared-responsibility model, which is a strong reason to use them — but you still own workload, RBAC, network, and node security. If a control-plane-level compromise is confirmed, assume trust is broken: rotating the CA and rebuilding may be the only safe recovery.

Hardening the control plane
datastore + API
encrypt Secrets at rest
KMS-backed EncryptionConfiguration
restrict etcd + backups
API-server-only access
API server: authn/RBAC/audit
no anonymous, not public
nodes + trust
kubelet: no anonymous auth
Webhook authz mode
guard the cluster CA
it can forge any identity
The control plane defines cluster trust. Encrypt etcd, lock the API server and kubelets, and protect the CA above all.
etcd access is every secret in the cluster
Because Secrets are base64, not encrypted, by default, anyone who reads etcd or an unprotected etcd backup obtains every credential you store. Enable KMS-backed encryption at rest, restrict etcd to the API server, and protect backups with the same rigor as the live datastore.