search

sapcc / kubernikus

Kubernetes as a Service for Openstack
Apache License 2.0
139 stars 26 forks source link

Only offer secure ciphers in kubelet server #883

Closed jknipper closed 6 months ago

jknipper commented 6 months ago

This config change limits kubelet server to only offer TLS 1.3 ciphers. Those are:

 x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384                             
 x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256                       
 x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256

See attachment for detailed scan.

References: https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration https://pkg.go.dev/crypto/tls#pkg-constants https://nvd.nist.gov/vuln/detail/CVE-2016-2183

testssl.txt

SuperSandro2000 commented 6 months ago

I would go on the save side and also allow TLS 1.2. Not everything support 1.3.

jknipper commented 6 months ago

Ok, I added a cipher list which is what we use in the apiserver plus TLS_CHACHA20_POLY1305_SHA256 that is offered in TLS1.3 default configuration. Also attached scan results for TLS1.2.

jknipper commented 6 months ago

testssl12.txt