
Allow tls versions and ciphers to be configured

Add the ability to set the TLS minimum version and cipher suites.

Change-Id: Ifb3d1ed315c0ed8d679e5ab71cf2484dc8329dbd
Vulnerability: https://sweet32.info/
Jared Miller 2 months ago
parent
commit
8fe4333eda

+ 6
- 1
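--- a/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
+++ b/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
@@ -61,7 +61,12 @@ spec:
         {{- end }}
         {{- end }}
         {{- end }}
-
+        {{- $acceptable_keys := list "tls-min-version" "tls-cipher-suites" }}
+        {{- range $key, $val := .Values.apiserver.tls }}
+        {{- if has $key  $acceptable_keys }}
+        - --{{ $key }}={{ $val | quote }}
+        {{- end }}
+        {{- end }}
       ports:
         - containerPort: {{ .Values.network.kubernetes_apiserver.port }}
 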
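Review bot: The `quote` on the new `- --{{ $key }}={{ $val | quote }}` line applies only to the value after `=`, so the rendered list item is the plain scalar `--tls-min-version="VersionTLS12"` and the embedded double quotes are handed to kube-apiserver literally, which would reject `"VersionTLS12"` (and a quoted cipher list) as an invalid flag value unless these args are routed through a shell, which the hunk does not show. Quote the whole argument instead: `- {{ printf "--%s=%s" $key $val | quote }}`. Separately, the `has $key $acceptable_keys` guard silently discards any unrecognised key, so a typo such as `tls-min-versoin` leaves the API server on its weak defaults with no signal at render time; adding `{{- else }}{{ fail (printf "unsupported apiserver.tls key %q" $key) }}` makes the chart refuse to render instead. Minor: the double space in `has $key  $acceptable_keys` should be a single space. The enclosing container spec starts outside the hunk.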

+ 6
- 0
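--- a/charts/apiserver/values.yaml
+++ b/charts/apiserver/values.yaml
@@ -121,6 +121,12 @@ apiserver:
   etcd:
     endpoints: https://kubernetes-etcd.kube-system.svc.cluster.local
   host_etc_path: /etc/kubernetes/apiserver
+#XXX another possible configuration
+#  tls:
+#    tls-cipher-suites: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
+#    # https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
+#    #Possible values: VersionTLS10, VersionTLS11, VersionTLS12
+#    tls-min-version: 'VersionTLS12'
 
 network:
   kubernetes_apiserver: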
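Review bot: Every new key is commented out behind `#XXX another possible configuration`, so a default deployment is unchanged by this commit and the Sweet32 issue cited in the message is only addressed if an operator uncovers the block by hand; if hardened defaults are the intent, ship at least `tls-min-version: 'VersionTLS12'` uncommented under `apiserver.tls`. The example cipher list also retains the static-RSA (`TLS_RSA_WITH_*`) and CBC-mode suites, which give no forward secrecy and are the padding-oracle-prone ones, and the template appears to pass the list through verbatim, so consider trimming the example to the `TLS_ECDHE_*_GCM_*` suites. Minor style points: `#XXX` and `#Possible values` lack the space after `#` that yamllint expects, and the two values mix double and single quotes; `# ` and one quoting style would be consistent with the rest of the file.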
