Question:
You have been tasked with changing the TLS settings for the API server. Edit the configuration so that the following criteria are fulfilled:
The TLS cipher suites should only allow TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.
The minimum TLS version supported should be 1.2.
Ensure that the API server process has been restarted once the relevant configuration changes have been made.
Answer:
Go to the Kubernetes documentation and search for the kube-apiserver flags. You will land on this URL:
https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
which lists every kube-apiserver flag. Search the page for "tls" and you will find the two relevant parameters:
--tls-cipher-suites strings
Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used.
Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384.
Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA.
--tls-min-version string
Minimum TLS version supported. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
Based on the above, edit the kube-apiserver static Pod manifest and add (or change) the two flags in the container's command list:
vim /etc/kubernetes/manifests/kube-apiserver.yaml
so that it looks like this:
...
spec:
  containers:
  - command:
    - kube-apiserver
    - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - --tls-min-version=VersionTLS12
...
Save the changes and exit vim. The kubelet watches /etc/kubernetes/manifests and recreates the static Pod whenever the file changes, so no manual restart is needed; that is what satisfies the "process has been restarted" requirement. Wait for kube-apiserver to come back up. Once it is running, describe the Pod and check that both flags appear in its command:
kubectl -n kube-system describe pod kube-apiserver-controlplane
The static Pod is named kube-apiserver-<node-name>; controlplane is the control-plane node's name in this scenario, so substitute your own node name if it differs.
If the command responds with a connection error, the API server Pod is still being restarted or you introduced a configuration error (a typo in a flag value makes kube-apiserver exit immediately). Check the API server container logs under /var/log/pods if the Pod does not come back after a reasonable amount of time.
One caveat worth knowing: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 can only be negotiated when the server presents an ECDSA certificate, and kubeadm generates RSA certificates by default. With an RSA serving certificate, TLS 1.2 clients have no usable cipher suite at all and only TLS 1.3 connections succeed, because --tls-cipher-suites (like Go's underlying crypto/tls setting) applies to TLS 1.2 and below and cannot restrict the built-in TLS 1.3 suites. kubectl and the kubelet negotiate TLS 1.3, so the cluster keeps working, but any TLS 1.2-only client is locked out.
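Describing the Pod only shows that the flags are present in the manifest; it does not prove the server enforces them. The following script is an added example (not part of the original answer or of Kubernetes itself): it checks a static Pod manifest for the exact flag values required by the task and, separately, probes a live API server with openssl s_client to confirm that TLS 1.1 is refused and that no TLS 1.2 suite other than the configured one is accepted. The two manifests it writes to a temporary directory are constructed sample input, and the host:port passed to the live check is an assumption.

```bash
#!/usr/bin/env bash
# Added example: verify the kube-apiserver TLS hardening described above.
# The manifests written below are constructed samples, not real cluster files.

REQUIRED_SUITE="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
REQUIRED_MIN="VersionTLS12"

# Print the value of "--<flag>=<value>" from a static Pod manifest's command list
# (empty output if the flag is absent). Tolerates optional quoting and whitespace.
manifest_flag() {            # $1 = manifest path, $2 = flag name without the leading --
    sed -n "s/^[[:space:]]*-[[:space:]]*[\"']\{0,1\}--$2=\([^\"']*\)[\"']\{0,1\}[[:space:]]*$/\1/p" "$1" | head -n1
}

# Return 0 only when the cipher list is exactly REQUIRED_SUITE and the minimum
# version is REQUIRED_MIN; otherwise report each deviation on stderr and return 1.
check_manifest_tls() {       # $1 = manifest path
    local suites min ok=0
    suites=$(manifest_flag "$1" tls-cipher-suites)
    min=$(manifest_flag "$1" tls-min-version)
    if [ "$suites" != "$REQUIRED_SUITE" ]; then
        echo "tls-cipher-suites is '${suites:-<unset>}', expected '$REQUIRED_SUITE'" >&2; ok=1
    fi
    if [ "$min" != "$REQUIRED_MIN" ]; then
        echo "tls-min-version is '${min:-<unset>}', expected '$REQUIRED_MIN'" >&2; ok=1
    fi
    return $ok
}

# Live check against a reachable API server (not exercised by the offline test).
# openssl s_client exits non-zero when the handshake is refused, which is what we want
# for TLS 1.1 and for every TLS 1.2 suite except the configured one. SECLEVEL=0 is
# needed because OpenSSL 3 disables TLS 1.1 on the client side at its default level,
# which would otherwise make the first probe "pass" for the wrong reason.
# The --tls-cipher-suites flag cannot restrict TLS 1.3, so a TLS 1.3 handshake still
# succeeds; and with an RSA serving certificate the ECDSA suite itself is unusable in
# TLS 1.2, so the positive TLS 1.2 probe only succeeds on an ECDSA-certified server.
verify_live_tls() {          # $1 = host:port, e.g. 127.0.0.1:6443 (assumed address)
    local target=$1
    if openssl s_client -connect "$target" -tls1_1 -cipher 'DEFAULT:@SECLEVEL=0' </dev/null >/dev/null 2>&1; then
        echo "FAIL: TLS 1.1 handshake accepted" >&2; return 1
    fi
    if openssl s_client -connect "$target" -tls1_2 -cipher 'ALL:!ECDHE-ECDSA-AES128-GCM-SHA256:@SECLEVEL=0' </dev/null >/dev/null 2>&1; then
        echo "FAIL: a TLS 1.2 suite other than ECDHE-ECDSA-AES128-GCM-SHA256 was accepted" >&2; return 1
    fi
    if openssl s_client -connect "$target" -tls1_2 -cipher 'ECDHE-ECDSA-AES128-GCM-SHA256' </dev/null >/dev/null 2>&1; then
        echo "OK: TLS 1.1 refused; TLS 1.2 negotiates only the configured ECDSA suite"
    else
        echo "OK: TLS 1.1 refused and no other TLS 1.2 suite accepted (configured suite not negotiable: RSA certificate? TLS 1.3 still works)"
    fi
}

# Constructed sample manifests: one hardened as in the answer, one with the weak settings.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/hardened.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.0.0.10
    - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - --tls-min-version=VersionTLS12
    image: registry.k8s.io/kube-apiserver:v1.29.0
EOF
cat > "$SAMPLE_DIR/weak.yaml" <<'EOF'
apiVersion: v1
kind: Pod
spec:
  containers:
  - command:
    - kube-apiserver
    - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - --tls-min-version=VersionTLS11
EOF

check_manifest_tls "$SAMPLE_DIR/hardened.yaml" && echo "hardened.yaml: compliant"
check_manifest_tls "$SAMPLE_DIR/weak.yaml" || echo "weak.yaml: not compliant"
# verify_live_tls 127.0.0.1:6443   # run on the control-plane node once the Pod is back
```

Run check_manifest_tls against /etc/kubernetes/manifests/kube-apiserver.yaml before waiting for the restart; it catches the common mistakes (a second suite left in the list, a lowercase "versiontls12") that make the task fail even though the Pod comes up. The live probe is the real proof and belongs on the control-plane node, where port 6443 is reachable and the openssl binary is present.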