authorJared Miller <jmiller@mirantis.com>2019-02-13 15:57:37 -0500
committerDrew Walters <drewwalters96@gmail.com>2019-03-14 19:03:42 +0000
commit95a1a9f431e19852e36bdb9ec5de268cd59f209c (patch)
treebbe7f24d8d87edf6575e77d0a05f9656f1295383
parente4cd4cde4861d9474db6a01c70d80308f3605013 (diff)
Disable weak tls ciphers for kube-apiserver
Set `--tls-cipher-suites` to the golang defaults minus 3DES. Implementation of the change made in https://review.openstack.org/#/c/634815/ Change-Id: Icbeded84d5973b042a779ba20569654d2d91b563
Notes
Notes (review): Code-Review+2: Matt McEuen <matt.mceuen@att.com> Code-Review+1: Vladyslav Drok <vdrok@mirantis.com> Code-Review+2: Scott Hussey <sthussey@att.com> Code-Review+1: Jeffrey Williams <jw2610@att.com> Code-Review+1: Andriy Shevchenko <huang.zhiping@99cloud.net> Code-Review+2: Evgeniy L <eli@mirantis.com> Workflow+1: Scott Hussey <sthussey@att.com> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Fri, 15 Mar 2019 15:49:01 +0000 Reviewed-on: https://review.openstack.org/636754 Project: openstack/airship-treasuremap Branch: refs/heads/master
-rw-r--r--global/software/charts/kubernetes/core/apiserver.yaml5
1 files changed, 5 insertions, 0 deletions
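--- a/global/software/charts/kubernetes/core/apiserver.yaml
+++ b/global/software/charts/kubernetes/core/apiserver.yaml
@@ -123,6 +123,11 @@ data:
 apiserver:
 etcd:
 endpoints: https://127.0.0.1:2378
+tls:
+tls-cipher-suites: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
+# https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
+# Possible values: VersionTLS10, VersionTLS11, VersionTLS12
+tls-min-version: 'VersionTLS12'
 command_prefix:
 - /apiserver
 - --service-cluster-ip-range=SERVICE_CIDR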
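Review bot: The new `tls-cipher-suites` value under `tls:` drops 3DES but still offers four static-RSA suites (`TLS_RSA_WITH_*`), which provide no forward secrecy, and four CBC suites with a SHA-1 MAC. Since `tls-min-version` is already `VersionTLS12`, every client that can connect should be able to negotiate an ECDHE AES-GCM suite, so the list could be cut to `tls-cipher-suites: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"`; confirm first that no in-cluster client depends on the removed suites. The list also contains no `TLS_ECDHE_ECDSA_*` entries, which Go's default set includes as far as I know, so it does not quite match the "golang defaults minus 3DES" description and would leave no usable suite if the apiserver certificate were ever switched to an ECDSA key. A one-line comment above the value saying how the list was derived would help whoever next has to update it. The enclosing `data:` mapping starts outside this hunk, so the nesting of `tls:` relative to `etcd:` cannot be checked from here.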