Azure Kubernetes Service
https://azure.github.io/AKS/

[Feature] Support for setting tls-min-version and tls-cipher-suites with kubelet-config #3334

Open hobti01 opened 1 year ago

hobti01 commented 1 year ago

Is your feature request related to a problem? Please describe.
I would like to limit the TLS version and TLS cipher suites used by the kubelet when communicating with the control plane. Kubelet supports this with the arguments --tls-min-version and --tls-cipher-suites. Allowed values are documented here: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/

Although I could not notice schema validation of the JSON file within the az cli code, these configuration options are not available according to https://learn.microsoft.com/en-us/azure/aks/custom-node-configuration

Describe the solution you'd like
It would be great to allow the configuration of these options within the JSON file consumed by --kubelet-config, e.g. to require TLS 1.2 or higher:

{
  "tlsMinVersion": "VersionTLS12",
  "tlsCipherSuites": [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
  ]
}

Describe alternatives you've considered
Using a DaemonSet to rewrite the kubelet configuration after node startup has been considered, but this would allow insecure communication until the DaemonSet executes and the kubelet or node is restarted.

Additional context
In high security environments, the specification of the TLS version and allowed cipher suites is required. Allowing the configuration of these settings would enhance the suitability of AKS for these environments.
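Added example, not code from the issue author or from AKS: a Go check that validates the two fields of the requested kubelet-config fragment against the suite list that Go's own crypto/tls publishes (the kubelet is a Go program, so these are the names and IDs its TLS stack works with), and additionally rejects a floor below TLS 1.2. It assumes the shorter ChaCha20 names used in the issue are aliases of the _SHA256 names crypto/tls reports, as the kubelet documentation lists both; ValidateKubeletTLS is a hypothetical helper name.

```go
package main

import (
	"crypto/tls"
	"encoding/json"
	"fmt"
)

// tlsVersions maps the kubelet's VersionTLSxx names to crypto/tls constants.
var tlsVersions = map[string]uint16{
	"VersionTLS10": tls.VersionTLS10, "VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12, "VersionTLS13": tls.VersionTLS13,
}
// Short ChaCha20 names from the kubelet docs, mapped (by assumption) to the _SHA256 names crypto/tls reports.
var legacyNames = map[string]string{
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305":   "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}
// ValidateKubeletTLS parses the two fields from the issue's JSON and returns the numeric minimum
// version and suite IDs; it rejects unknown names, suites Go marks insecure, and a floor below TLS 1.2.
func ValidateKubeletTLS(raw []byte) (uint16, []uint16, error) {
	var cfg struct {
		TLSMinVersion   string   `json:"tlsMinVersion"`
		TLSCipherSuites []string `json:"tlsCipherSuites"`
	}
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return 0, nil, err
	}
	minVer, ok := tlsVersions[cfg.TLSMinVersion]
	if !ok || minVer < tls.VersionTLS12 {
		return 0, nil, fmt.Errorf("tlsMinVersion %q is unknown or below TLS 1.2", cfg.TLSMinVersion)
	}
	secure := map[string]uint16{} // name -> ID for every suite Go considers secure
	for _, s := range tls.CipherSuites() {
		secure[s.Name] = s.ID
	}
	var ids []uint16
	for _, name := range cfg.TLSCipherSuites {
		if alias, isLegacy := legacyNames[name]; isLegacy {
			name = alias
		}
		id, known := secure[name]
		if !known { // absent from tls.CipherSuites(): either a typo or in tls.InsecureCipherSuites()
			return 0, nil, fmt.Errorf("cipher suite %q is unknown or insecure", name)
		}
		ids = append(ids, id)
	}
	return minVer, ids, nil
}
```

Running the issue's fragment through it yields TLS 1.2 (0x0303) and six suite IDs; a fragment naming an RC4 suite or a TLS 1.0 floor is rejected before it reaches a node.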

ghost commented 1 year ago

Action required from @Azure/aks-pm

ghost commented 1 year ago

Issue needing attention of @Azure/aks-leads

ghost commented 1 year ago

Issue needing attention of @Azure/aks-leads

thiagoescobar commented 1 year ago

Any updates on this?

ghost commented 12 months ago

Issue needing attention of @Azure/aks-leads

ghost commented 11 months ago

Issue needing attention of @Azure/aks-leads

ghost commented 11 months ago

Issue needing attention of @Azure/aks-leads

microsoft-github-policy-service[bot] commented 4 months ago

Issue needing attention of @Azure/aks-leads

microsoft-github-policy-service[bot] commented 4 months ago

Issue needing attention of @Azure/aks-leads

microsoft-github-policy-service[bot] commented 3 months ago

Issue needing attention of @Azure/aks-leads

microsoft-github-policy-service[bot] commented 3 months ago

Issue needing attention of @Azure/aks-leads

microsoft-github-policy-service[bot] commented 2 months ago

Issue needing attention of @Azure/aks-leads

microsoft-github-policy-service[bot] commented 2 months ago

Issue needing attention of @Azure/aks-leads

microsoft-github-policy-service[bot] commented 1 month ago

Issue needing attention of @Azure/aks-leads

microsoft-github-policy-service[bot] commented 1 month ago

Issue needing attention of @Azure/aks-leads

microsoft-github-policy-service[bot] commented 3 weeks ago

Issue needing attention of @Azure/aks-leads

microsoft-github-policy-service[bot] commented 1 week ago

Issue needing attention of @Azure/aks-leads