Ensure that the Kubernetes API Server Operator only makes use of Strong Cryptographic Ciphers

An XCCDF Rule

Description

Ensure that the Kubernetes API Server Operator is configured to only use strong cryptographic ciphers.

warning alert: Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API, retrieve the /apis/operator.openshift.io/v1/kubeapiservers/cluster API endpoint to the local /apis/operator.openshift.io/v1/kubeapiservers/cluster file.

Rationale

TLS ciphers have had a number of known vulnerabilities and weaknesses, which can reduce the protection provided by them. By default Kubernetes supports a number of TLS ciphersuites including some that have security concerns, weakening the protection provided.

ID: xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites_kubeapiserver_operator
Severity: Medium
References: 4.2.13
Updated: about 1 year ago

---
apiVersion: operator.openshift.io/v1
kind: KubeAPIServer
metadata:
  name: cluster
spec:  unsupportedConfigOverrides:
    servingInfo:
      cipherSuites:
      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      - TLS_RSA_WITH_AES_256_GCM_SHA384
      - TLS_RSA_WITH_AES_128_GCM_SHA256

Ensure that the Kubernetes API Server Operator only makes use of Strong Cryptographic Ciphers

Description

Rationale

Remediation - Kubernetes Patch