consider hardening the calico etcd service

[raesene]

Describe the solution you'd like
At the moment when you spin up a default instance of the quick start, it sets-up an instance of etcd to be used by Calico.

The configuration of etcd in use, allows for unauthenticated access from a remote host, which would allow anyone on the pod network or who could otherwise access the VPC, to read or change the data held in that datastore.

repo. steps

replace 172.31.43.124 with the master node IP address for your cluster

kubectl run -it test --image=raesene/alpine-containertools /bin/ash
export ETCDCTL_API=3
etcdctl --endpoints=172.31.43.124:6666 get / --prefix

recommendation

If possible, ensure that all communications to etcd require a valid client certificate.

Environment:

• Kubernetes version: 1.13.2
• OS ): Ubuntu 18.04.1