
Ensure TLS v1.2 is minimum for Openshift master and worker nodes

An XCCDF Rule

Description

Ensure that the Kubelet is configured to require TLS 1.2 as its minimum protocol version, so that only strong cryptographic protocol versions are accepted. To set the minimum TLS version for the kubelet, create a new or modify an existing KubeletConfig object along these lines, one for every MachineConfigPool:

  apiVersion: machineconfiguration.openshift.io/v1
  kind: KubeletConfig
  metadata:
    name: kubelet-config-$pool
  spec:
    machineConfigPoolSelector:
      matchLabels:
        pools.operator.machineconfiguration.openshift.io/$pool_name: ""
    kubeletConfig:
      tlsMinVersion: VersionTLS12
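As an added example, not part of this rule's own check content, the script below audits the output of `oc get kubeletconfig -o json` against the setting above: it maps every KubeletConfig to the pools its machineConfigPoolSelector targets, ranks the tlsMinVersion value it sets, and reports each pool as pass, fail (a version below TLS 1.2 or an unrecognised value), unset (an object exists but sets no tlsMinVersion) or missing (no object targets the pool). The sample JSON is constructed; the assumption that master and worker are the pools that must be covered follows from the rule title, and the assumption that an unset or missing value is reported as a finding rather than trusted to a default is this script's choice.

```python
import json

# Rank of each value the kubelet accepts for tlsMinVersion, so versions compare.
TLS_VERSION_RANK = {
    "VersionTLS10": 10,
    "VersionTLS11": 11,
    "VersionTLS12": 12,
    "VersionTLS13": 13,
}
REQUIRED_MIN_VERSION = "VersionTLS12"
LABEL_PREFIX = "pools.operator.machineconfiguration.openshift.io/"
# Worse statuses win when several KubeletConfig objects target the same pool.
SEVERITY = {"pass": 0, "unset": 1, "fail": 2}

# Constructed sample in the shape of `oc get kubeletconfig -o json`:
# master is compliant, worker pins TLS 1.1, a third pool sets no tlsMinVersion.
SAMPLE_LIST_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "machineconfiguration.openshift.io/v1",
            "kind": "KubeletConfig",
            "metadata": {"name": "kubelet-config-master"},
            "spec": {
                "machineConfigPoolSelector": {"matchLabels": {LABEL_PREFIX + "master": ""}},
                "kubeletConfig": {"tlsMinVersion": "VersionTLS12"},
            },
        },
        {
            "apiVersion": "machineconfiguration.openshift.io/v1",
            "kind": "KubeletConfig",
            "metadata": {"name": "kubelet-config-worker"},
            "spec": {
                "machineConfigPoolSelector": {"matchLabels": {LABEL_PREFIX + "worker": ""}},
                "kubeletConfig": {"tlsMinVersion": "VersionTLS11"},
            },
        },
        {
            "apiVersion": "machineconfiguration.openshift.io/v1",
            "kind": "KubeletConfig",
            "metadata": {"name": "kubelet-config-infra"},
            "spec": {
                "machineConfigPoolSelector": {"matchLabels": {LABEL_PREFIX + "infra": ""}},
                "kubeletConfig": {"maxPods": 250},
            },
        },
    ],
})


def pools_selected_by(kubeletconfig):
    """Pool names a KubeletConfig targets via the pools.operator... label."""
    labels = (kubeletconfig.get("spec", {})
              .get("machineConfigPoolSelector", {})
              .get("matchLabels", {}))
    return sorted(k[len(LABEL_PREFIX):] for k in labels if k.startswith(LABEL_PREFIX))


def evaluate_pool(configured_value, required=REQUIRED_MIN_VERSION):
    """Classify one tlsMinVersion value as 'pass', 'fail' or 'unset'.
    Unknown strings are 'fail': the kubelet would reject them, so the
    intended hardening is not in effect."""
    if configured_value is None:
        return "unset"
    rank = TLS_VERSION_RANK.get(configured_value)
    if rank is None or rank < TLS_VERSION_RANK[required]:
        return "fail"
    return "pass"


def check_kubeletconfigs(list_json, expected_pools=("master", "worker")):
    """Return {pool: (status, object name)} for every expected pool and every
    other pool that some KubeletConfig targets. Assumption: a pool with no
    object ('missing') or no explicit value ('unset') is a finding."""
    doc = json.loads(list_json)
    results = {pool: ("missing", None) for pool in expected_pools}
    for obj in doc.get("items", []):
        if obj.get("kind") != "KubeletConfig":
            continue
        name = obj.get("metadata", {}).get("name")
        value = obj.get("spec", {}).get("kubeletConfig", {}).get("tlsMinVersion")
        status = evaluate_pool(value)
        for pool in pools_selected_by(obj):
            prev_status, _ = results.get(pool, ("missing", None))
            if prev_status == "missing" or SEVERITY[status] > SEVERITY[prev_status]:
                results[pool] = (status, name)
    return results


def compliant(results):
    """True only when every pool in the result set passes."""
    return all(status == "pass" for status, _ in results.values())


if __name__ == "__main__":
    findings = check_kubeletconfigs(SAMPLE_LIST_JSON)
    for pool, (status, name) in sorted(findings.items()):
        print(f"{pool:8} {status:8} {name or '-'}")
    print("compliant:", compliant(findings))
```

To run it against a live cluster, replace SAMPLE_LIST_JSON with the text of `oc get kubeletconfig -o json`; the check reads only the selector labels and spec.kubeletConfig.tlsMinVersion, so a rendered config from another source (for example a saved manifest) works as long as it has the same shape.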
  

Rationale

Use of weak or untested encryption algorithms undermines the purpose of using encryption to protect data. The system must implement cryptographic modules that adhere to the higher standards approved by the federal government, since this provides assurance that they have been tested and validated.

ID
xccdf_org.ssgproject.content_rule_tls_version_check_masters_workers
Severity
Medium