aquasecurity / kube-bench

Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark
Apache License 2.0

fix: correct TLSCipherSuites to tlsCipherSuites in 4.2.13 #1703

Closed Nezz7 closed 1 month ago

Nezz7 commented 1 month ago

The message in 4.2.13 is misleading, as it mentions TLSCipherSuites while the correct field name is tlsCipherSuites.

4.2.13 If using a Kubelet config file, edit the file to set TLSCipherSuites: to
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
or to a subset of these values.

I updated the kubelet config file to:

...
TLSCipherSuites:
  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  - TLS_RSA_WITH_AES_256_GCM_SHA384
  - TLS_RSA_WITH_AES_128_GCM_SHA256

The Kubelet began to display the following error:

Oct 14 21:16:32 controlplane kubelet[36330]: I1014 21:16:32.666057 36330 codec.go:100] "Using lenient decoding as strict decoding failed" err="strict decoding error: unknown field \"TLSCipherSuites\""

I checked the Kubernetes documentation (Kubelet configuration file), and I found out that the field is called tlsCipherSuites.

Using tlsCipherSuites instead fixed the issue.

[PASS] 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Manual)
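The following is an added example, not part of this PR or of kube-bench: a pre-deployment check that catches the mis-cased key from the description above and any cipher outside the 4.2.13 list before the kubelet is restarted. The function name `CheckKubeletTLS`, the line-based scan (top-level key with a block-style list only) and the sample config are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// cis4213 is the cipher list quoted in the 4.2.13 remediation text on this page.
const cis4213 = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"

// CheckKubeletTLS (hypothetical helper) returns the suites listed and one finding per problem.
func CheckKubeletTLS(cfg string) (suites, findings []string) {
	found, inList := false, false
	for _, line := range strings.Split(cfg, "\n") {
		t := strings.TrimSpace(line)
		if t == "" || strings.HasPrefix(t, "#") {
			continue
		}
		if inList && strings.HasPrefix(t, "- ") { // list item under the cipher key
			s := strings.Trim(strings.TrimSpace(t[2:]), `"'`)
			suites = append(suites, s)
			if !strings.Contains(","+cis4213+",", ","+s+",") {
				findings = append(findings, "cipher not in 4.2.13 list: "+s)
			}
			continue
		}
		inList = false
		key, _, ok := strings.Cut(t, ":")
		if !ok || line[0] == ' ' || line[0] == '\t' { // only top-level keys
			continue
		}
		if strings.EqualFold(key, "tlsCipherSuites") {
			found, inList = true, true
			if key != "tlsCipherSuites" { // the spelling strict decoding rejects
				findings = append(findings, fmt.Sprintf("unknown field %q, want tlsCipherSuites", key))
			}
		}
	}
	if !found {
		findings = append(findings, "tlsCipherSuites is not set")
	}
	return suites, findings
}

func main() {
	// Constructed sample: the mis-cased key from the PR plus one cipher outside the list.
	cfg := "kind: KubeletConfiguration\nTLSCipherSuites:\n  - TLS_RSA_WITH_AES_128_GCM_SHA256\n  - TLS_RSA_WITH_RC4_128_SHA\n"
	_, f := CheckKubeletTLS(cfg)
	fmt.Println(strings.Join(f, "\n"))
}
```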

CLAassistant commented 1 month ago

CLA assistant check
All committers have signed the CLA.

afdesk commented 1 month ago

@Nezz7 thanks for your contribution! We'll take a look at this PR!