github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
k3s/pkg/genericapiserver
History
k8s-merge-robot 0fc573296d Merge pull request #26169 from victorgp/master 
Automatic merge from submit-queue

Setting TLS1.2 minimum because TLS1.0 and TLS1.1 are vulnerable

TLS1.0 is known as vulnerable since it can be downgraded to SSL
https://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/

TLS1.1 can be vulnerable if cipher RC4-SHA is used, and in Kubernetes it is, you can check it with
`
openssl s_client -cipher RC4-SHA -connect apiserver.k8s.example.com:443
`

https://www.globalsign.com/en/blog/poodle-vulnerability-expands-beyond-sslv3-to-tls/

Test suites like Qualys are reporting this Kubernetes issue as a level 3 vulnerability, they recommend to upgrade to TLS1.2 that is not affected, quoting Qualys:

`
RC4 should not be used where possible. One reason that RC4 was still being used was BEAST and Lucky13 attacks against CBC mode ciphers in
SSL and
TLS. However, TLSv 1.2 or later address these issues.
`
 		2016-05-29 13:24:46 -07:00
..
options pkg/master: enable certificates API and add rbac authorizer 2016-05-25 14:24:47 -07:00
OWNERS Move blunderbuss assignees into tree 2016-03-02 20:46:32 -05:00
default_storage_factory_builder.go Moving StorageFactory building logic to genericapiserver 2016-05-10 00:57:11 -07:00
default_storage_factory_builder_test.go Moving StorageFactory building logic to genericapiserver 2016-05-10 00:57:11 -07:00
doc.go Extracting APIServer machinery code into a library 2015-12-16 13:54:23 -08:00
genericapiserver.go Merge pull request #26169 from victorgp/master 2016-05-29 13:24:46 -07:00
genericapiserver_test.go followup to add http server close method 2016-05-05 12:04:41 +08:00
resource_config.go refactor resource overrides as positive logic interface 2016-03-28 09:24:49 -04:00
resource_config_test.go refactor resource overrides as positive logic interface 2016-03-28 09:24:49 -04:00
resource_encoding_config.go Storage, not Storgage 2016-05-05 12:08:22 -04:00
server_run_options_test.go kube-apiserver options should be decoupled from impls 2016-05-18 10:39:21 -04:00
storage_factory.go kube-apiserver options should be decoupled from impls 2016-05-18 10:39:21 -04:00
storage_factory_test.go kube-apiserver options should be decoupled from impls 2016-05-18 10:39:21 -04:00
tunneler.go Moving master.SSHTunneler to genericapiserver 2016-04-22 11:47:05 -07:00
tunneler_test.go Moving master.SSHTunneler to genericapiserver 2016-04-22 11:47:05 -07:00