el n00b

Reputation: 1863

Kubernetes change cipher for certificates

I have been poring over links related to kubeadm to try and change the cipher on my Kubernetes cluster certificate. The problem is that I need to disable DES/3DES so that this command will fail:

openssl s_client -connect IP:2379 -cipher "DES:3DES" -tls1_2

Some of the links I've looked through so far (if I list them all, this post will get too long):

I was hoping that changing the kube-apiserver configuration to use these flags (in the /etc/kubernetes/manifests/kube-apiserver.yaml file) would help, but it did not (pardon typos, I cannot copy/paste out of the client I have to use):

...
spec:
  containers:
  - command:
    - kube-apiserver
    - ...
    - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    - --tls-min-version=VersionTLS12
    image: k8s.gcr.io/kube-apiserver:v1.18.6
...

I could manually regenerate all the certificates in /etc/kubernetes/pki following these guidelines, but I am hoping to stick with the kubeadm or other Kubernetes-provided tools to auto-handle it. I can't find any documentation on manually generating each file on my own that is set up for people completely new to the administration.

Help, links, suggestions, etc. are appreciated! I'm not allowed to use the cluster or even demonstrate functionality to people until this is done, unfortunately.

Upvotes: 2

Views: 8554

Answers (1)

schmichri

Reputation: 553

In our vanilla kubernetes 1.18.3 installation on Ubuntu 16.04, set up with kubeadm, we solved this as follows:

kubelets (port 10250): in the file /var/lib/kubelet/config.yaml add this:

tlsCipherSuites: [TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA]

Restart the kubelet service via systemctl restart kubelet.service

kube-api-server (port 6443): in the file /etc/kubernetes/manifests/kube-apiserver.yaml add an additional array entry in spec.containers.command:

- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Delete the pod kube-apiserver in namespace kube-system if necessary.

Edit: don't create e.g. a backup file of /etc/kubernetes/manifests/kube-apiserver.yaml in the same directory. kube-api-server will apply this backup file as well.

Upvotes: 7
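Note that the openssl command in the question probes port 2379, which is etcd's client port, so the setting that governs that endpoint lives on the etcd static pod (etcd's own --cipher-suites flag) rather than on kube-apiserver, which serves on 6443. As an added example (not code from the question, the answer or the Kubernetes project), the Python below audits the files the answer edits offline: it pulls "- --flag=value" entries from static-pod manifests and "key: value" entries from the kubelet config.yaml with regexes matched to those line shapes (not a YAML parser), flags DES/3DES plus a few other commonly banned suites, checks the minimum TLS version, and lists stray files in /etc/kubernetes/manifests, the pitfall from the answer's edit. It assumes kubeadm's four standard manifest filenames and uses constructed sample inputs modelled on the snippets above.

```python
import re

# DES/3DES is the question's requirement; RC4, NULL and EXPORT are added here as commonly banned suites.
WEAK_SUITE = re.compile(r"(3DES|_DES_|RC4|NULL|EXPORT)")
ACCEPTED_MIN_VERSIONS = {"VersionTLS12", "VersionTLS13"}
# The four files kubeadm writes to /etc/kubernetes/manifests; any other file there also runs as a static pod.
KUBEADM_MANIFESTS = {"etcd.yaml", "kube-apiserver.yaml", "kube-controller-manager.yaml", "kube-scheduler.yaml"}

def static_pod_flag(manifest_text, flag):
    """Value of a '- --<flag>=<value>' command entry in a static-pod manifest, or None if absent."""
    m = re.search(rf"^\s*-\s*--{re.escape(flag)}=(\S+)", manifest_text, re.M)
    return m.group(1) if m else None

def kubelet_value(config_text, key):
    """Value of a top-level 'key: value' line in kubelet config.yaml (flow lists come back bracketed)."""
    m = re.search(rf"^{re.escape(key)}:\s*(.+?)\s*$", config_text, re.M)
    return m.group(1) if m else None

def split_suites(value):
    """Turn 'A,B' or '[A,B]' into a list of suite names; None yields an empty list."""
    return [s.strip() for s in (value or "").strip("[]").split(",") if s.strip()]

def audit_tls(component, suites, min_version):
    """Findings for one component; an empty list means its TLS settings pass."""
    findings = []
    if not suites:
        findings.append(f"{component}: no cipher-suite list set, Go defaults apply")
    findings += [f"{component}: weak suite {s}" for s in suites if WEAK_SUITE.search(s)]
    if min_version is None:
        findings.append(f"{component}: minimum TLS version not set")
    elif min_version not in ACCEPTED_MIN_VERSIONS:
        findings.append(f"{component}: minimum TLS version {min_version} is below TLS 1.2")
    return findings

def stray_manifests(filenames):
    """Files in the manifests directory that kubeadm did not create, such as a backup copy."""
    return sorted(set(filenames) - KUBEADM_MANIFESTS)

# Constructed sample inputs modelled on the snippets in the question and the answer.
APISERVER = ("spec:\n  containers:\n  - command:\n    - kube-apiserver\n"
             "    - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA\n"
             "    - --tls-min-version=VersionTLS11\n")
KUBELET = ("tlsCipherSuites: [TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]\n"
           "tlsMinVersion: VersionTLS12\n")

if __name__ == "__main__":
    suites = split_suites(static_pod_flag(APISERVER, "tls-cipher-suites"))
    print(audit_tls("kube-apiserver", suites, static_pod_flag(APISERVER, "tls-min-version")))
```

To run it against a real node, read /etc/kubernetes/manifests/kube-apiserver.yaml, etcd.yaml (flag name cipher-suites) and /var/lib/kubelet/config.yaml into the same functions, and pass os.listdir of the manifests directory to stray_manifests.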
