Regression: TLS Ciphersuite: restrict to TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 #376

Merged
merged 1 commit into from
Jan 10, 2020

Conversation

Pluies
Contributor

@Pluies Pluies commented Nov 28, 2019

Description of changes:

See section 2.1.14 of the CIS benchmark:

> [2.1.14] Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
> If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
> If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service on each worker node and set the below parameter.
> --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256

Note that this is a regression: this had been set previously in PR #276
but got lost in #352.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@Pluies
Contributor Author

Pluies commented Nov 28, 2019

cc @micahhausler as you approved #276 :)

@Pluies
Contributor Author

Pluies commented Dec 18, 2019

Ping @micahhausler - hopefully this PR doesn't get forgotten (I realise I pushed it just before re:Invent, which must be a busy time!)
Or let me know if I should tag somebody else :)

@mogren mogren requested a review from micahhausler December 19, 2019 01:19
@Pluies
Contributor Author

Pluies commented Jan 8, 2020

(Related to issue #99 )


@mogren mogren left a comment


Thanks @Pluies, LGTM!

@mogren mogren merged commit 6c5c5a1 into awslabs:master Jan 10, 2020
@M00nF1sh
Member

I believe this breaks our master->kubelet communication :(

@Pluies
Contributor Author

Pluies commented Jan 22, 2020

@M00nF1sh argh! Sorry about that, and thanks for fixing it in #403 !

@M00nF1sh
Member

> @M00nF1sh argh! Sorry about that, and thanks for fixing it in #403 !

np 🤣
