From 8fe4333edab84fac0679093695e3b7beab251ab3 Mon Sep 17 00:00:00 2001
From: Jared Miller
Date: Mon, 4 Feb 2019 16:32:24 -0500
Subject: [PATCH] Allow tls versions and ciphers to be configured

Add the ability to set tls version and cipher suites

Change-Id: Ifb3d1ed315c0ed8d679e5ab71cf2484dc8329dbd
Vulnerability: https://sweet32.info/
---
 .../apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl | 7 ++++++-
 charts/apiserver/values.yaml | 6 ++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl b/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
index 73f6ccfc..9dc844f4 100644
--- a/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
+++ b/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
@@ -61,7 +61,12 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
-
+ {{- $acceptable_keys := list "tls-min-version" "tls-cipher-suites" }}
+ {{- range $key, $val := .Values.apiserver.tls }}
+ {{- if has $key $acceptable_keys }}
+ - --{{ $key }}={{ $val | quote }}
+ {{- end }}
+ {{- end }}
 ports:
 - containerPort: {{ .Values.network.kubernetes_apiserver.port }}
 
diff --git a/charts/apiserver/values.yaml b/charts/apiserver/values.yaml
index b7c5ecf7..231e9e11 100644
--- a/charts/apiserver/values.yaml
+++ b/charts/apiserver/values.yaml
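Review bot: The `| quote` on the `- --{{ $key }}={{ $val | quote }}` line puts literal double-quote characters inside a plain YAML scalar, so the rendered item is `--tls-min-version="VersionTLS12"`, and since kubelet passes container args without a shell, the apiserver most likely receives the quotes as part of the flag value and rejects it; either drop the filter or quote the whole item, `- {{ printf "--%s=%s" $key $val | quote }}`. The `has $key $acceptable_keys` guard also silently drops any key it does not recognise, so a misspelled `tls_min_version` renders nothing and leaves the apiserver on its default TLS version and cipher set with no signal at template time; an `{{- else }}{{ fail (printf "unsupported apiserver.tls key %q" $key) }}` branch would surface that. The enclosing container spec starts before this hunk.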
@@ -121,6 +121,12 @@ apiserver:
 etcd:
 endpoints: https://kubernetes-etcd.kube-system.svc.cluster.local
 host_etc_path: /etc/kubernetes/apiserver
+#XXX another possible configuration
+# tls:
+# tls-cipher-suites: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
+# # https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
+# #Possible values: VersionTLS10, VersionTLS11, VersionTLS12
+# tls-min-version: 'VersionTLS12'
 network:
 kubernetes_apiserver:
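Review bot: The whole `tls:` block is commented out, so a default render of this chart still runs the apiserver with its built-in TLS version and cipher defaults, and the Sweet32 weakness the commit message cites is only closed for operators who copy the example into their values. The example list itself mixes CBC-mode (`*_CBC_SHA`) and static-RSA (`TLS_RSA_*`) suites, which lack forward secrecy and are weaker than the ECDHE GCM entries beside them; if this is meant as a hardening baseline, an uncommented default of just the ECDHE GCM suites together with `tls-min-version: 'VersionTLS12'` would be safer, keeping the documentation link as a comment. Minor: `#XXX another possible configuration` and `#Possible values: ...` are missing the space after `#` (`# Possible values: VersionTLS10, VersionTLS11, VersionTLS12`).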