Unsecure Default TLS Policy because of the AGIC controller using old network API version (< 2023-02-01) and deprecated Azure SDK #1620
Comments
In addition to the default here, the workaround of applying the annotation explicitly on the Ingress resource doesn't result in the SSL policy being applied by AGIC:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress-all
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
    appgw.ingress.kubernetes.io/ssl-policy: "AppGwSslPolicy20220101"
```
@palma21 @JackStromberg could you please check if this GitHub issue is actionable to the AKS product team? My concern is that Application Gateways created by AGIC have a Default TLS policy with the minimum protocol version set to TLS 1.0. Thank you.

Acknowledging this ask, but don't have an ETA on when the behavior will change in AGIC. If using Application Gateway for Containers, we enforce TLS 1.2 or greater making it a non-issue in that solution.
Looking at this line of code:
application-gateway-kubernetes-ingress/pkg/azure/client.go, line 15 at commit 8bc1e63

I understand the AGIC controller is using deprecated Azure SDKs and should be upgraded following this guide:
https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/MIGRATION_GUIDE.md

There is an impact on security. Because the deprecated Azure SDK consumes an ARM API version lower than `2023-02-01`, in the Default TLS policy the minimum protocol version is set to TLS 1.0.

This was originally reported by a customer here:
Azure/terraform-azurerm-aks#532

How is this actionable?

Please patch the code to use API version `2023-02-01` or higher; then the minimum TLS protocol version is set to 1.2.

Documentation reference:
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview#default-tls-policy
Cc: @chixcancode @JackStromberg
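As an added example that is not part of this issue or of the AGIC code base: a small audit script that derives the effective minimum TLS version of an Application Gateway from its ARM resource (`properties.sslPolicy`) together with the API version the gateway was last written with, applying the rule the issue describes (no explicit policy and an API version below 2023-02-01 means TLS 1.0). The sample gateway documents and the `effective_min_tls`/`allows_legacy_tls` helpers are constructed for this example; the predefined policy names and field names are Azure's.

```python
"""Audit the effective minimum TLS version of an Application Gateway.

Added example, not AGIC project code. The gateway documents below are
constructed to mirror the ARM resource shape (properties.sslPolicy); the
API version is the one the caller (e.g. AGIC's SDK) last used to write
the gateway, which is what selects Azure's default policy.
"""

# Minimum protocol version of Azure's predefined SSL policies.
PREDEFINED_MIN_TLS = {
    "AppGwSslPolicy20150501": "TLSv1_0",
    "AppGwSslPolicy20170401": "TLSv1_1",
    "AppGwSslPolicy20170401S": "TLSv1_2",
    "AppGwSslPolicy20220101": "TLSv1_2",
    "AppGwSslPolicy20220101S": "TLSv1_2",
}
DEFAULT_CUTOVER = "2023-02-01"  # API versions from here on default to TLS 1.2


def effective_min_tls(gateway: dict, api_version: str) -> str:
    """Return the lowest TLS version the gateway will negotiate."""
    policy = gateway.get("properties", {}).get("sslPolicy") or {}
    ptype = policy.get("policyType")
    if ptype == "Predefined":
        return PREDEFINED_MIN_TLS[policy["policyName"]]
    if ptype in ("Custom", "CustomV2"):
        return policy["minProtocolVersion"]
    # No explicit policy: Azure's default applies, chosen by API version.
    # ISO dates compare correctly as plain strings.
    return "TLSv1_0" if api_version < DEFAULT_CUTOVER else "TLSv1_2"


def allows_legacy_tls(gateway: dict, api_version: str) -> bool:
    """True when TLS 1.0 or TLS 1.1 is still accepted."""
    return effective_min_tls(gateway, api_version) in ("TLSv1_0", "TLSv1_1")


# Constructed samples shaped like `az network application-gateway show` output.
AGIC_MANAGED = {"name": "agic-appgw", "properties": {}}  # no sslPolicy set
EXPLICIT_2022 = {"name": "fixed-appgw", "properties": {"sslPolicy": {
    "policyType": "Predefined", "policyName": "AppGwSslPolicy20220101"}}}
CUSTOM_11 = {"name": "custom-appgw", "properties": {"sslPolicy": {
    "policyType": "Custom", "minProtocolVersion": "TLSv1_1",
    "cipherSuites": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]}}}

if __name__ == "__main__":
    for gw in (AGIC_MANAGED, EXPLICIT_2022, CUSTOM_11):
        for ver in ("2022-09-01", "2023-02-01"):
            verdict = "LEGACY TLS ALLOWED" if allows_legacy_tls(gw, ver) else "ok"
            print(gw["name"], ver, effective_min_tls(gw, ver), verdict)
```

For a real gateway, feed the `sslPolicy` block from `az network application-gateway show` (or `az network application-gateway ssl-policy show`) in place of the constructed documents.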