Removing weak ciphers from kube-apiserver

This commit will remove the support for ciphers considered weak based on the NIST list. All the ciphers are present in kube-apiserver documentation: - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - TLS_AES_128_GCM_SHA256 - TLS_AES_256_GCM_SHA384 Test Plan: PASS: Run build-pkgs -c -p playbookconfig PASS: Run build-image PASS: Run a fresh install and verify if the cipher-suites are present in kube-apiserver.yaml. PASS: Run nmap and verify if only listed ciphers are returned. PASS: Run bootstrap and unlock and verify if k8s is healthy. Closes-Bug: 2054813 Change-Id: Icf61080a3bd981c5c3383834b2cbf10ce424492b Signed-off-by: Karla Felix <karla.karolinenogueirafelix@windriver.com>
2024-03-04 07:23:49 -03:00
parent 32bbc218f4
commit 1bb2f41f45
1 changed files with 1 additions and 1 deletions
--- a/playbookconfig/src/playbooks/roles/bootstrap/prepare-env/vars/main.yml
+++ b/playbookconfig/src/playbooks/roles/bootstrap/prepare-env/vars/main.yml
@@ -50,7 +50,7 @@ apiserver_extra_args_defaults:
  tls-min-version: "VersionTLS12"
 # The source of cipher suites is from this list:
 # https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
-  tls-cipher-suites: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"# yamllint disable-line rule:line-length
+  tls-cipher-suites: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384"# yamllint disable-line rule:line-length

 controllermanager_extra_args_defaults:
  node-monitor-period: "2s"