github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #1765 from csschwe/support_tls_min_version 

Feature Request #1741: Adding support for tls minimum version
pull/1777/head
Darren Shepherd 2020-05-07 08:24:10 -07:00 committed by GitHub
parent cb4b34763e ca9c9c2e1e
commit 904af8fce7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 33 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
pkg/cli/server/server.go
View File

@ -21,6 +21,7 @@ import (
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
"github.com/urfave/cli" "github.com/urfave/cli"
"k8s.io/apimachinery/pkg/util/net" "k8s.io/apimachinery/pkg/util/net"
kubeapiserverflag "k8s.io/component-base/cli/flag"
"k8s.io/kubernetes/pkg/master" "k8s.io/kubernetes/pkg/master"
_ "github.com/go-sql-driver/mysql" // ensure we have mysql _ "github.com/go-sql-driver/mysql" // ensure we have mysql
@ -183,6 +184,20 @@ func run(app *cli.Context, cfg *cmds.Server) error {
serverConfig.ControlConfig.Disables["ccm"] = true serverConfig.ControlConfig.Disables["ccm"] = true
} }
TLSMinVersion := getArgValueFromList("tls-min-version", cfg.ExtraAPIArgs)
serverConfig.ControlConfig.TLSMinVersion, err = kubeapiserverflag.TLSVersion(TLSMinVersion)
if err != nil {
return errors.Wrapf(err, "Invalid TLS Version %s: %v", TLSMinVersion, err)
}
TLSCipherSuites := []string{getArgValueFromList("tls-cipher-suites", cfg.ExtraAPIArgs)}
if len(TLSCipherSuites) != 0 && TLSCipherSuites[0] != "" {
serverConfig.ControlConfig.TLSCipherSuites, err = kubeapiserverflag.TLSCipherSuites(TLSCipherSuites)
if err != nil {
return errors.Wrapf(err, "Invalid TLS Cipher Suites %s: %v", TLSCipherSuites, err)
}
}
logrus.Info("Starting k3s ", app.App.Version) logrus.Info("Starting k3s ", app.App.Version)
notifySocket := os.Getenv("NOTIFY_SOCKET") notifySocket := os.Getenv("NOTIFY_SOCKET")
os.Unsetenv("NOTIFY_SOCKET") os.Unsetenv("NOTIFY_SOCKET")
@ -240,3 +255,16 @@ func knownIPs(ips []string) []string {
} }
return ips return ips
} }
func getArgValueFromList(searchArg string, argList []string) string {
var value string
for _, arg := range argList {
splitArg := strings.SplitN(arg, "=", 2)
if splitArg[0] == searchArg {
value = splitArg[1]
// break if we found our value
break
}
}
return value
}

4
pkg/cluster/https.go
View File

@ -33,7 +33,9 @@ func (c *Cluster) newListener(ctx context.Context) (net.Listener, http.Handler,
CN: "k3s", CN: "k3s",
Organization: []string{"k3s"}, Organization: []string{"k3s"},
TLSConfig: tls.Config{ TLSConfig: tls.Config{
ClientAuth: tls.RequestClientCert, ClientAuth: tls.RequestClientCert,
MinVersion: c.config.TLSMinVersion,
CipherSuites: c.config.TLSCipherSuites,
}, },
SANs: append(c.config.SANs, "localhost", "kubernetes", "kubernetes.default", "kubernetes.default.svc."+c.config.ClusterDomain), SANs: append(c.config.SANs, "localhost", "kubernetes", "kubernetes.default", "kubernetes.default.svc."+c.config.ClusterDomain),
}) })

2
pkg/daemons/config/types.go
View File

@ -122,6 +122,8 @@ type Control struct {
ClusterInit bool ClusterInit bool
ClusterReset bool ClusterReset bool
EncryptSecrets bool EncryptSecrets bool
TLSMinVersion uint16
TLSCipherSuites []uint16
BindAddress string BindAddress string
SANs []string SANs []string