
Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers

An XCCDF Rule

Description

Ensure that the Kubelet is configured to only use strong cryptographic ciphers. To set the cipher suites for the kubelet, create a new or modify an existing KubeletConfig object along these lines, one for every MachineConfigPool (substitute the pool name, e.g. master or worker, for $pool):

  apiVersion: machineconfiguration.openshift.io/v1
  kind: KubeletConfig
  metadata:
    name: kubelet-config-$pool
  spec:
    machineConfigPoolSelector:
      matchLabels:
        pools.operator.machineconfiguration.openshift.io/$pool: ""
    kubeletConfig:
      tlsCipherSuites:
      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
      - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

All of the suites above use ECDHE key exchange (forward secrecy) with an AEAD cipher. Note that this list only governs TLS 1.2 handshakes: the kubelet is built with Go's crypto/tls, which does not allow TLS 1.3 cipher suites to be restricted. In order to configure this rule to check for an alternative cipher list, both var_kubelet_tls_cipher_suites_regex and var_kubelet_tls_cipher_suites have to be set, so that the check and the remediation agree.
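The following is an added example, not part of the ComplianceAsCode rule content. It shows the check the rule performs, applied to the JSON a kubelet serves at /api/v1/nodes/<node>/proxy/configz (fetched out of band, for example with `oc get --raw`), and builds the per-pool KubeletConfig from the description as a JSON manifest, which `oc apply -f` accepts. The configz excerpt embedded in it is constructed for illustration; the allowlist and the regex that stands in for var_kubelet_tls_cipher_suites_regex are taken from the suite list above.

```python
"""Check a kubelet's effective cipher list and build the remediating KubeletConfig.

Added example, not part of the ComplianceAsCode rule content. It evaluates the
JSON a kubelet serves at /api/v1/nodes/<node>/proxy/configz (fetch it out of band,
e.g. with `oc get --raw`), applying the same allowlist as the rule description,
and emits the per-pool KubeletConfig as JSON, which `oc apply -f` accepts.
"""
import json
import re

# Allowlist from the rule description: ECDHE key exchange (forward secrecy) with
# an AEAD cipher. TLS 1.3 suites are not listed because Go's crypto/tls does not
# let the kubelet restrict them; this list only governs TLS 1.2 handshakes.
STRONG_CIPHER_SUITES = (
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
)

# Plays the role of var_kubelet_tls_cipher_suites_regex: a configured suite is
# acceptable only if it matches one alternative exactly.
STRONG_CIPHER_SUITES_REGEX = re.compile(
    "^(" + "|".join(re.escape(s) for s in STRONG_CIPHER_SUITES) + ")$"
)


def evaluate_configz(configz_json: str) -> dict:
    """Return the configured suites, the ones that fail the allowlist, and a verdict.

    An absent or empty tlsCipherSuites means the kubelet uses the Go defaults,
    which the rule treats as a failure, not as "nothing weak configured".
    """
    doc = json.loads(configz_json)
    suites = doc.get("kubeletconfig", {}).get("tlsCipherSuites") or []
    rejected = [s for s in suites if not STRONG_CIPHER_SUITES_REGEX.match(s)]
    return {
        "configured": suites,
        "rejected": rejected,
        "pass": bool(suites) and not rejected,
    }


def kubelet_config_manifest(pool: str, suites=STRONG_CIPHER_SUITES) -> dict:
    """Build the KubeletConfig for one MachineConfigPool, as in the description."""
    label = f"pools.operator.machineconfiguration.openshift.io/{pool}"
    return {
        "apiVersion": "machineconfiguration.openshift.io/v1",
        "kind": "KubeletConfig",
        "metadata": {"name": f"kubelet-config-{pool}"},
        "spec": {
            "machineConfigPoolSelector": {"matchLabels": {label: ""}},
            "kubeletConfig": {"tlsCipherSuites": list(suites)},
        },
    }


# Constructed configz excerpt (not captured from a real node): a kubelet that
# still offers a CBC suite and an RSA key-exchange suite alongside a strong one.
SAMPLE_CONFIGZ = json.dumps({
    "kubeletconfig": {
        "tlsCipherSuites": [
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_AES_128_GCM_SHA256",
        ],
    }
})

if __name__ == "__main__":
    result = evaluate_configz(SAMPLE_CONFIGZ)
    print("kubelet cipher check:", "PASS" if result["pass"] else "FAIL")
    for suite in result["rejected"]:
        print("  rejected:", suite)
    for pool in ("master", "worker"):
        print(json.dumps(kubelet_config_manifest(pool), indent=2))
```

Run against the constructed sample, the check fails and names the two suites that fall outside the allowlist; with tlsCipherSuites unset it also fails, because the kubelet then falls back to Go's default list rather than to "no weak ciphers". The manifest is emitted as JSON only because the standard library has no YAML writer; the object is the same one shown in the description.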

Rationale

A number of TLS cipher suites have known vulnerabilities and weaknesses (for example CBC-mode suites and suites whose key exchange provides no forward secrecy) that reduce the protection TLS is meant to provide. When tlsCipherSuites is not set, the kubelet accepts the default cipher suite list of the Go TLS library it was built with, which includes suites with such security concerns, weakening the protection of the kubelet's API endpoint.

ID
xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites_master
Severity
Medium
References
Updated