Clarification on embedded etcd over insecure networks

[H0d3nk0b0ld]

The k3s docs on distributed hybrid or multicloud clusters say that...

Embedded etcd is not supported in this type of deployment. If using embedded etcd, all server nodes must be reachable to each other via their private IPs. Agents may be distributed over multiple networks, but all servers should be in the same location.

Is this limitation because of (A) performance concerns, (B) security concerns, or (C) something else?

I am asking since I want to operate a k3s cluster, with HA, in a network where the traffic between nodes could potentially be read by untrusted third parties, but the latencies are low.

I know that etcd supports TLS but does k3s enable it by default for embedded etcd? And if it doesn't, could I just enable it by passing flags to etcd (for example, --auto-tls --peer-auto-tls) via the --etcd-arg k3s server flag? I haven't found any documentation on this yet.

[brandond]

The concern is not about insecure networks. Communication between etcd cluster members is secured via TLS mutual auth with a private CA managed by K3s. The decision to use node internal IPs was mostly made to avoid being dependent on DNS resolution between cluster members - and to prevent folks from trying to connect servers in different locations over public networks, which are less likely to meet the latency and throughput requirements necessary for etcd to function reliably.