The configuration tlsSecurityProfile specifies the TLS configuration to be used
when establishing connections with externally exposed servers. Even though a
secure transport is used for these connections, the protocols negotiated may not
always be strong enough to prevent interception and manipulation of the data in
transit. The configured TLS security profile should not make use of any
protocols, ciphers, or algorithms with known security vulnerabilities.
tlsSecurityProfile can be configured to use one of the Custom, Intermediate,
Modern, or Old profiles. The Old profile should be avoided at all times, and
when using the Custom profile one should be extremely careful, as an invalid
configuration can be catastrophic. It is always advised either to set the
minimum TLS version to TLSv1.2 or later when using the Custom profile, or to use
one of the predefined Intermediate or Modern profiles. If no TLS security
profile is configured, the default is Intermediate.
To configure a Custom tlsSecurityProfile for the Kubelet with TLSv1.2 as the
minimum TLS version, create a new or modify an existing KubeletConfig object
along these lines, one for every MachineConfigPool:

    apiVersion: machineconfiguration.openshift.io/v1
    kind: KubeletConfig
    metadata:
      name: kubelet-tls-config-$pool
    spec:
      tlsSecurityProfile:
        type: Custom
        custom:
          ciphers:
            - ECDHE-ECDSA-CHACHA20-POLY1305
            - ECDHE-RSA-CHACHA20-POLY1305
            - ECDHE-RSA-AES128-GCM-SHA256
            - ECDHE-ECDSA-AES128-GCM-SHA256
          # TLSv1.2 as the minimum version; VersionTLS13 is also acceptable
          minTLSVersion: VersionTLS12
      machineConfigPoolSelector:
        matchLabels:
          pools.operator.machineconfiguration.openshift.io/$pool_name: ""
In order to configure this rule to check for an alternate TLS version, both var_kubelet_tls_min_version_regex
and var_kubelet_tls_min_version should be updated.
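The check described above can be reproduced offline against the JSON that `oc get kubeletconfig -o json` returns. The following is an added example, not code from OpenShift or from the compliance content itself: it applies the rule's logic to every KubeletConfig in a list (Old fails, Intermediate and Modern pass, a Custom profile must match a minimum-version regex standing in for var_kubelet_tls_min_version_regex and must not list ciphers built on weak algorithms). The regex value, the weak-cipher markers, the function names and the sample objects are all assumptions constructed for the example.

```python
import json
import re

# Assumed regex for "TLSv1.2 or later", in the role of var_kubelet_tls_min_version_regex.
# OpenShift spells the versions VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
MIN_TLS_VERSION_REGEX = r"^VersionTLS1[23]$"

# Cipher-name fragments that indicate algorithms the rule says to avoid.
# Illustrative assumption, not an exhaustive policy.
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-", "MD5", "NULL", "EXPORT", "anon")


def evaluate_profile(profile: dict, min_version_regex: str = MIN_TLS_VERSION_REGEX) -> list[str]:
    """Return a list of findings for one tlsSecurityProfile; empty means compliant."""
    findings: list[str] = []
    ptype = profile.get("type")
    if ptype is None:
        # No profile configured: OpenShift applies Intermediate by default.
        return findings
    if ptype == "Old":
        findings.append("profile type Old permits legacy protocols and ciphers")
        return findings
    if ptype in ("Intermediate", "Modern"):
        return findings
    if ptype != "Custom":
        findings.append(f"unknown profile type {ptype!r}")
        return findings

    # Custom: both the minimum version and the cipher list must be inspected.
    custom = profile.get("custom") or {}
    min_version = custom.get("minTLSVersion")
    if not min_version:
        findings.append("Custom profile does not set minTLSVersion")
    elif not re.match(min_version_regex, min_version):
        findings.append(f"minTLSVersion {min_version} does not match {min_version_regex}")
    ciphers = custom.get("ciphers") or []
    if not ciphers:
        findings.append("Custom profile lists no ciphers")
    for cipher in ciphers:
        if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"cipher {cipher} uses a weak algorithm")
    return findings


def evaluate_kubeletconfigs(items_json: str) -> dict[str, list[str]]:
    """Evaluate every KubeletConfig in an `oc get kubeletconfig -o json` style list."""
    doc = json.loads(items_json)
    results: dict[str, list[str]] = {}
    for item in doc.get("items", []):
        name = item["metadata"]["name"]
        profile = item.get("spec", {}).get("tlsSecurityProfile") or {}
        results[name] = evaluate_profile(profile)
    return results


# Constructed sample: one compliant Custom profile and one Old profile.
SAMPLE_KUBELETCONFIGS = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "machineconfiguration.openshift.io/v1",
            "kind": "KubeletConfig",
            "metadata": {"name": "kubelet-tls-config-worker"},
            "spec": {
                "tlsSecurityProfile": {
                    "type": "Custom",
                    "custom": {
                        "ciphers": [
                            "ECDHE-ECDSA-CHACHA20-POLY1305",
                            "ECDHE-RSA-CHACHA20-POLY1305",
                            "ECDHE-RSA-AES128-GCM-SHA256",
                            "ECDHE-ECDSA-AES128-GCM-SHA256",
                        ],
                        "minTLSVersion": "VersionTLS12",
                    },
                }
            },
        },
        {
            "apiVersion": "machineconfiguration.openshift.io/v1",
            "kind": "KubeletConfig",
            "metadata": {"name": "kubelet-tls-config-legacy"},
            "spec": {"tlsSecurityProfile": {"type": "Old"}},
        },
    ],
})

if __name__ == "__main__":
    for name, findings in evaluate_kubeletconfigs(SAMPLE_KUBELETCONFIGS).items():
        status = "PASS" if not findings else "FAIL"
        print(f"{status} {name}")
        for finding in findings:
            print(f"  - {finding}")
```

To run it against a live cluster, replace SAMPLE_KUBELETCONFIGS with the output of `oc get kubeletconfig -o json`; changing MIN_TLS_VERSION_REGEX is the equivalent of updating var_kubelet_tls_min_version_regex in the rule.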
For more information, see the relevant OpenShift documentation.