etcd
A distributed, strongly consistent key-value store used as the primary datastore for Kubernetes cluster state, service discovery, and distributed configuration management across cloud-native infrastructure.
What is etcd?
The etcd image packages the etcd server and etcdctl client so you can run a distributed key-value store in containers without installing etcd directly on the host. etcd is the backbone of every Kubernetes cluster — it stores all cluster state, including node registrations, pod specs, secrets, ConfigMaps, and RBAC policies. It uses the Raft consensus algorithm to guarantee strong consistency across a cluster of nodes, making it the authoritative source of truth for control plane operations. Beyond Kubernetes, etcd is used directly for distributed locking, leader election, and service discovery in systems like CoreDNS and Patroni.
What is Echo's etcd image?
Echo's etcd image is a hardened build of etcd on Echo's hardened base. Echo images are designed to be a drop-in replacement: change the FROM line in your Dockerfile and CVEs go to zero without breaking your cluster or distributed system. Every image is tested across clouds, image use cases, and deployment targets. Echo ships every image in two variants: a distroless variant optimized for runtime use, and a default variant that includes essential build tools, package managers, and shells. For production Kubernetes control plane deployments, the distroless variant minimizes attack surface while keeping Raft consensus, peer communication, and client API behavior fully intact; the default variant suits platform teams that need etcdctl access or shell-based operational tooling for backup and restore workflows.
What is the difference between Echo's etcd image and the public etcd image?
Public etcd images ship with OS-level tooling that is convenient for operational tasks but contributes CVEs that accumulate on one of the most sensitive components in your infrastructure. A compromised or vulnerable etcd instance exposes every secret, every configuration, and every piece of cluster state — making it a high-value target that demands a clean image. Echo's build retains everything etcd needs for consensus, peer replication, and client serving while removing the packages that don't belong in a production control plane container. As we covered in our post on key container security risks and vulnerabilities, control plane components like etcd represent the highest-impact attack surface in a Kubernetes environment. Echo commits to a 7-day SLA for critical and high severity vulnerabilities, and 10 days for medium, low, and unknown — with vulnerabilities triaged within 24 hours. Echo images are recognized by all major scanners and mirrored to all major registries, so they fit into existing pipelines without changing your registry, scanner, or runtime tooling.
FAQ
Can I replace my etcd image with Echo's etcd image?
Yes. Echo's etcd image is a drop-in replacement. Update the FROM line in your Dockerfile or the image reference in your control plane manifests and your cluster keeps running — the CVEs disappear, the behavior doesn't. Raft consensus, peer communication, client API endpoints, and etcdctl interactions all continue to work without any changes to your existing etcd configuration or cluster topology.
Is Echo's etcd image FIPS-validated?
Yes. Echo's FIPS-validated images use cryptographic modules with an active FIPS 140-3 CMVP certificate, making them fit for federal use — unlike FIPS-compliant images that haven't been validated. This is particularly important for etcd, where all cluster secrets and sensitive configuration data pass through the datastore and must meet cryptographic requirements inside a FedRAMP boundary.
What is Echo's vulnerability management SLA on the etcd image?
Echo commits to a 7-day SLA for critical and high severity vulnerabilities, and 10 days for medium, low, and unknown — with vulnerabilities triaged within 24 hours. Patches are mirrored automatically into your private registry so you're always running a clean version — essential for a control plane component that is rarely cycled and directly stores cluster secrets.
Is Echo's etcd image distroless?
Echo ships every image in two variants: a distroless variant optimized for runtime use, and a default variant that includes essential build tools, package managers, and shells. For production control plane deployments, the distroless variant is the leaner, more secure choice; for platform teams that rely on etcdctl or shell access for backup, restore, and defragmentation workflows, the default variant is the right fit.
How does Echo achieve such a drastic CVE reduction in etcd?
Echo's etcd image is built from source with only the absolute essentials needed to run the key-value store workload, which significantly shrinks the attack surface. Echo also patches aggressively over time, with backports available so you can stay on the etcd version that works for your Kubernetes cluster without forcing a functional change for the sake of security.
Will Echo's etcd image help us achieve FedRAMP?
Yes. The hard parts of FedRAMP — managing vulnerabilities, applying fixes, and using FIPS-validated cryptography — are baked into Echo images, including STIG-hardened configuration and ConMon/POA&M-ready reporting. For platform teams running Kubernetes control planes under an ATO, Echo's hardened etcd image keeps the most sensitive component of your cluster in-boundary and compliant.
.avif)
