Kubernetes CKS sample exam question 2 with answer - TLS settings in Kubernetes API server

Question:

You have been tasked with changing the TLS settings for the API server. Edit the configuration so that the following criteria are fulfilled:

The TLS cipher suites should only allow TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.
The minimum TLS version supported should be 1.2.
Ensure that the API server process has been restarted once the relevant configuration changes have been made.

Answer:

Go to Kubernetes documentation and search for kube-apiserver flags. You will be given by this URL:

https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/

which lists kube-apiserver flags. Search the page for tls and you will get the following parameters:

--tls-cipher-suites strings
Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used.
Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384.
Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA.
--tls-min-version string
Minimum TLS version supported. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13

According to above, modify kube-apiserver manifest file and add/change them:

vim /etc/kubernetes/manifests/kube-apiserver.yaml

to be like this:

...
spec:
  containers:
  - command:
    - kube-apiserver
    - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - --tls-min-version=VersionTLS12
...

Save changes and exit vim. Wait to kube-apiserver to restart. After it is restarted, do a describe of the pod and check if the flags are there:

kubectl -n kube-system describe pod kube-apiserver-controlplane

If the command responds with a connection error, then the API server Pod is in the process of being restarted or you introduced a configuration issue. Check the API server log files under /var/log/pods if the Pod no longer comes up after a reasonable amount of time.