Closed jaer-tsun closed 4 years ago
resolved via scanner changes
@jaer-tsun what did you mean by "resolved via scanner changes"? We are seeing the cipher violations in our s360
**Describe the issue** Due to ongoing effort to be Azure compliant, we need to deploy clusters with specific SSL cipher suite ordering. The following error is returned when creating a cluster.
**AKS Engine Version** v0.43.3
**Kubernetes Version** 1.14, 1.15
**To Reproduce** Steps to reproduce the behavior:
1. Add the following apiServerConfig with the first OpenSSL cipher spec linked above
2. Deploy the cluster
**Expected behavior** We should not fail with VMExtension error
**Additional context** I'm unfamiliar with the ordering of the cipher spec, but I've tried this `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` and via manual scan we see that we're missing 2 ciphers. After adding those missing ciphers we fail to deploy the cluster.
Please don't remove the text below Notify @az-policy-kube