search

mozilla / ssl-config-generator

Mozilla SSL Configuration Generator
https://ssl-config.mozilla.org/
Mozilla Public License 2.0
357 stars 59 forks source link

Add support for Kubelet #197

Open atombrella opened 1 year ago

atombrella commented 1 year ago

I need to work a bit with this, but it's a good first take. Those settings are what the CIS Kubernetes Benchmarks recommend.

atombrella commented 5 months ago

@janbrasna @gene1wood Thank you for the feedback!

I'm sorry it took me a while to get back to this. I've posted a couple of screenshots from my local setup. The SSL configurator does indeed start, and you can select either Docker has been helpful to avoid cluttering my local setup; I left a PR to add a Dockerfile to the repository, but haven't received any comments/review. The PR is https://github.com/mozilla/ssl-config-generator/pull/178 I did not know about the netlify functionality.

The configuration file doesn't seem to be very common. Instead, the kube-apiserver.yaml is more common. Thus, I've posted the recommendation that kube-bench gives. The tool implements all of the guidelines from the CIS Kubernetes Benchmark.

4.2.13 If using a Kubelet config file, edit the file to set `TLSCipherSuites` to
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
or to a subset of these values.
If using executable arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
set the --tls-cipher-suites parameter as follows, or to a subset of these values.
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service

One question that is a bit vague to me, is whether I should leave out the cipher suite parameter for TLS 1.3, instead of keeping it blank.

janbrasna commented 5 months ago

@atombrella I've already written the suggested array check above in https://github.com/mozilla/ssl-config-generator/pull/197#discussion_r1482358380 for you incl. the brackets. Same with golang's TLS version formats https://github.com/mozilla/ssl-config-generator/pull/197#discussion_r1482351808, if that makes sense you can click-to-commit directly from the suggestion diff.

(Netlify is currently not linked to this repo but I'm slowly working on it. The preview is from my QA pull testing…)

(The dockerfile PR needs also some love so that's not priority right now; since recently the stack has been updated to hopefully enable higher node versions to plug into automation, so when I have some time I'll check node 20 or LTS compatibility, that's higher priority to work on local machines with newer engines than 12 or 14…)