
How to change etcd cipher suite

This document (000020123) is provided subject to the disclaimer at the end of this document.

Environment

Rancher

Situation

Hardening ETCD cluster communication

Resolution

Synopsis:

This article walks Rancher administrators through hardening the communication between etcd nodes. It covers configuring etcd to accept only specific cipher suites, so that intra-cluster etcd traffic is protected by stronger encryption.

Configuring etcd (rke and Rancher UI):

The modification is made in the rke cluster YAML spec. The setting is defined there and then applied either at the command line with the rke CLI or via the Rancher UI. From within the Rancher UI, navigate to the cluster you want to modify and click Edit under the three-dot menu. From there, you should see a button labeled 'Edit as YAML'. In the cluster YAML spec view, define the cipher-suites parameter under the etcd service definition, as shown below. We recommend testing this on a non-vital cluster first, to become familiar with the process before rolling it out to important clusters.

services:
  etcd:
    extra_args:
      cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
      election-timeout: "5000"
      heartbeat-interval: "500"

Note:

The cipher suites defined in the example may trade off speed for stronger encryption. Consider the strength of the ciphers in use and how they could impact the performance of an etcd cluster. Testing should take into account the specification of your hosts (CPU, memory, disk, network, etc.), the typical ways clients interact with Kubernetes, and the number of resources under management within the k8s cluster.
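Because etcd is written in Go, the names accepted by its cipher-suites flag are the names Go's crypto/tls package uses, which means the configured value can be validated with that package before it is pushed to a cluster. The following Go program is an added example, not code from SUSE or the etcd project; it parses the cipher-suites string from the YAML above, rejects unknown names (typos), names Go itself treats as insecure, and TLS 1.2 suites without forward secrecy, and shows the resulting list as etcd's TLS configuration would see it.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Constructed sample: the cipher-suites value from the cluster.yml above.
const sampleCipherSuites = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

// ParseCipherSuites resolves a comma-separated list of cipher suite names to
// their TLS IDs using crypto/tls. tls.CipherSuites() lists only suites Go
// considers secure, so typos and suites such as RC4 or CBC-SHA256 are both
// rejected; TLS_RSA_* suites (static RSA key exchange, no forward secrecy)
// are rejected explicitly, so a weak value never reaches the etcd config.
func ParseCipherSuites(value string) ([]uint16, error) {
	known := map[string]uint16{}
	for _, cs := range tls.CipherSuites() {
		known[cs.Name] = cs.ID
	}
	var ids []uint16
	for _, raw := range strings.Split(value, ",") {
		name := strings.TrimSpace(raw)
		if name == "" {
			continue
		}
		if strings.HasPrefix(name, "TLS_RSA_") {
			return nil, fmt.Errorf("%s: static RSA key exchange has no forward secrecy", name)
		}
		id, ok := known[name]
		if !ok {
			return nil, fmt.Errorf("%s: unknown or insecure cipher suite", name)
		}
		ids = append(ids, id)
	}
	if len(ids) == 0 {
		return nil, fmt.Errorf("cipher-suites is empty")
	}
	return ids, nil
}

func main() {
	ids, err := ParseCipherSuites(sampleCipherSuites)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	// The list as etcd would hand it to tls.Config; Go applies CipherSuites
	// to TLS 1.2 handshakes only and fixes the TLS 1.3 suites itself.
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: ids}
	for _, id := range cfg.CipherSuites {
		fmt.Printf("0x%04x %s\n", id, tls.CipherSuiteName(id))
	}
}
```

Note that Go's crypto/tls honours the cipher suite list only for TLS 1.2 connections; TLS 1.3 suites are fixed by the library and cannot be restricted through this flag.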

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020123
  • Creation Date: 28-Mar-2024
  • Modified Date: 28-Mar-2024
  • Product: SUSE Rancher
