
Ensure Kubelet is configured with allowed TLS versions

An XCCDF Rule

Description

The tlsSecurityProfile configuration specifies the TLS settings used when establishing connections with externally exposed servers. Although a secure transport is used for these connections, the protocols negotiated may not always be strong enough to prevent interception and manipulation of data in transit. The configured TLS security profile should not make use of any protocols, ciphers, or algorithms with known security vulnerabilities.

tlsSecurityProfile can be set to one of the Custom, Intermediate, Modern, or Old profiles. The Old profile should be avoided at all times, and the Custom profile should be used with great care, since an invalid configuration can be catastrophic. When using the Custom profile it is always advised to set the minimum TLS version to TLSv1.2 or later; otherwise use the predefined Intermediate or Modern profile. If no TLS security profile is configured, the default is Intermediate.

To configure a Custom tlsSecurityProfile for the Kubelet with TLSv1.2 as the minimum TLS version, create a new KubeletConfig object or modify an existing one along these lines, one for every MachineConfigPool:

  apiVersion: machineconfiguration.openshift.io/v1
  kind: KubeletConfig
  metadata:
      name: kubelet-tls-config-$pool
  spec:
      tlsSecurityProfile:
          type: Custom
          custom:
              ciphers:
              - ECDHE-ECDSA-CHACHA20-POLY1305
              - ECDHE-RSA-CHACHA20-POLY1305
              - ECDHE-RSA-AES128-GCM-SHA256
              - ECDHE-ECDSA-AES128-GCM-SHA256
              minTLSVersion: 
      machineConfigPoolSelector:
          matchLabels:
              pools.operator.machineconfiguration.openshift.io/$pool_name: ""
  
To make this rule check for a different minimum TLS version, update both var_kubelet_tls_min_version_regex and var_kubelet_tls_min_version so that the check and the remediation agree.
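As an added example, not part of this rule or of the ComplianceAsCode project, the following Python script evaluates a kubelet configuration the way this rule does: it matches tlsMinVersion against a regular expression standing in for var_kubelet_tls_min_version_regex, and it compares tlsCipherSuites against the four ciphers from the KubeletConfig example above. The regex default, the assumption that the kubelet's rendered configuration is available as JSON, and the IANA spellings of the cipher names are assumptions; the two sample configurations are constructed for the demonstration.

```python
"""Added example (not part of the ComplianceAsCode rule): check a rendered
kubelet configuration against this rule's minimum TLS version requirement."""
import json
import re

# Assumption: var_kubelet_tls_min_version_regex defaults to a pattern accepting
# TLS 1.2 or 1.3 in Go's crypto/tls constant naming. This regex is constructed
# here to express that intent and is not copied from the rule.
MIN_VERSION_REGEX = re.compile(r"^VersionTLS1[23]$")

# The description's example ciphers (OpenSSL names) in the IANA naming that the
# kubelet's tlsCipherSuites field uses. Assumption: the machine config operator
# performs this translation when rendering a KubeletConfig onto the node.
ALLOWED_CIPHER_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
}


def check_kubelet_tls(config, min_version_regex=MIN_VERSION_REGEX,
                      allowed_suites=ALLOWED_CIPHER_SUITES):
    """Return (passed, findings) for a parsed kubelet configuration dict.

    `config` is the KubeletConfiguration object as rendered on the node
    (the object this rule inspects), not the KubeletConfig CR wrapping it.
    """
    findings = []

    version = config.get("tlsMinVersion")
    if not version:
        # Unset means the kubelet falls back to its built-in default; treat
        # that as unverified rather than compliant.
        findings.append("tlsMinVersion is not set")
    elif not min_version_regex.match(version):
        findings.append(
            f"tlsMinVersion {version!r} does not satisfy the required minimum")

    for suite in config.get("tlsCipherSuites") or []:
        if suite not in allowed_suites:
            findings.append(f"cipher suite {suite!r} is outside the allowed set")

    return (not findings, findings)


def check_kubelet_config_json(raw_json, **kwargs):
    """Convenience wrapper for a configuration stored as JSON text."""
    return check_kubelet_tls(json.loads(raw_json), **kwargs)


# Constructed sample configurations (minimal; real files carry many more keys).
COMPLIANT = json.dumps({
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "tlsMinVersion": "VersionTLS12",
    "tlsCipherSuites": [
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    ],
})

NON_COMPLIANT = json.dumps({
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "tlsMinVersion": "VersionTLS11",
    "tlsCipherSuites": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
})

if __name__ == "__main__":
    for label, raw in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        passed, findings = check_kubelet_config_json(raw)
        print(label, "PASS" if passed else "FAIL", findings)
```

Pass a different compiled regex as min_version_regex to mirror a changed var_kubelet_tls_min_version_regex; the cipher allowlist is likewise a parameter so the same function can evaluate a profile other than the one shown in the description.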

For more information, see the relevant OpenShift documentation.

Rationale

The authenticity and integrity of the container platform, and of communication between nodes and components, must be protected. If an insecure protocol, cipher, or algorithm is used during transmission of data, the data can be intercepted and manipulated. To thwart manipulation of data in transit, a secure protocol, cipher, and algorithm must be used.

ID
xccdf_org.ssgproject.content_rule_kubelet_configure_tls_min_version
Severity
Medium

Remediation - Kubernetes Patch

---
apiVersion: machineconfiguration.openshift.io/v1
kind: KubeletConfig
spec:
  kubeletConfig:
    tlsMinVersion: "{{.var_kubelet_tls_min_version}}"