Ensure IngressController is not configured to use Old tlsSecurityProfile
An XCCDF Rule
Description
The configuration tlsSecurityProfile specifies TLS configurations
to be used while establishing connections with the externally exposed
servers. Though secure transport mode is used for establishing connections,
the protocols used may not always be strong enough to avoid interception and
manipulation of the data in transport. TLS Security profile Old should be
avoided, as it supports vulnerable protocols, ciphers, and algorithms which
could lead to security breaches.
To update tlsSecurityProfile from Old to Intermediate use the following command:
oc patch -n openshift-ingress-operator ingresscontrollers.operator.openshift.io default --type 'json' --patch '[{"op": "add", "path": "/spec/tlsSecurityProfile/intermediate", "value": {}}, {"op": "replace", "path": "/spec/tlsSecurityProfile/type", "value": "Intermediate"}, {"op": "remove", "path": "/spec/tlsSecurityProfile/old"}]'
For more information, follow
OpenShift documentation:
the relevant documentation.
warning alert: Warning
/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default API endpoint to the local Rationale
The authenticity and integrity of the container platform and communication between nodes and components must be secure. If an insecure protocol, cipher, or algorithms is used, during transmission of data, the data can be intercepted and manipulated. To thwart the manipulation of the data during transmission secure protocol, cipher and algorithms must be used.
- ID
- xccdf_org.ssgproject.content_rule_ingress_controller_tls_security_profile_not_old
- Severity
- Medium
- References
- Updated
Remediation - Kubernetes Patch
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
name: default
namespace: openshift-ingress-operator
spec: