Ensure that the Ingress Controller only makes use of Strong Cryptographic Ciphers

An XCCDF Rule

Description

Ensure that the Ingress Controller is configured to only use strong cryptographic ciphers.

warning alert: Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default API endpoint to the local /apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default file.

Rationale

TLS ciphers have had a number of known vulnerabilities and weaknesses, which can reduce the protection provided by them. By default Kubernetes supports a number of TLS ciphersuites including some that have security concerns, weakening the protection provided.

ID: xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites_ingresscontroller
Severity: Medium
References: 4.2.12

2.2 2.2.1
Updated: over 1 year ago

Remediation Templates

apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: default
  namespace: openshift-ingress-operator
spec:  tlsSecurityProfile:
    custom:
      ciphers:
      - ECDHE-ECDSA-AES128-GCM-SHA256
      - ECDHE-RSA-AES128-GCM-SHA256
      - ECDHE-ECDSA-CHACHA20-POLY1305
      - ECDHE-RSA-AES256-GCM-SHA384
      - ECDHE-RSA-CHACHA20-POLY1305
      - ECDHE-ECDSA-AES256-GCM-SHA384
      - TLS_AES_128_GCM_SHA256
      - TLS_AES_256_GCM_SHA384
      - TLS_CHACHA20_POLY1305_SHA256
      minTLSVersion: VersionTLS12
    type: Custom

Ensure that the Ingress Controller only makes use of Strong Cryptographic Ciphers

Description

Rationale

Remediation Templates

A Kubernetes Patch