Ensure that the Ingress Controller only makes use of Strong Cryptographic Ciphers

An XCCDF Rule

Description

Ensure that the Ingress Controller is configured to only use strong cryptographic ciphers.

warning alert: Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default API endpoint to the local /apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default file.

Rationale

TLS ciphers have had a number of known vulnerabilities and weaknesses, which can reduce the protection provided by them. By default Kubernetes supports a number of TLS ciphersuites including some that have security concerns, weakening the protection provided.

ID: xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites_ingresscontroller
Severity: Medium
References: 4.2.13
Updated: about 1 year ago

---
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: default
  namespace: openshift-ingress-operatorspec:
  tlsSecurityProfile:
    custom:
      ciphers:
      - ECDHE-ECDSA-AES128-GCM-SHA256
      - ECDHE-RSA-AES128-GCM-SHA256
      - ECDHE-RSA-AES256-GCM-SHA384
      minTLSVersion: VersionTLS12
    type: Custom

Ensure that the Ingress Controller only makes use of Strong Cryptographic Ciphers

Description

Rationale

Remediation - Kubernetes Patch