mirror of https://github.com/k3s-io/k3s
b7100f1ee7
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Support for custom tls cipher suites in api server and kubelet **What this PR does / why we need it**: This pull request aims to solve the problem of users not able to set custom cipher suites in the api server. Several users have requested this given that some default ciphers are vulnerable. There is a discussion in #41038 of how to implement this. The options are: - Setting a fixed list of ciphers, but users will have different requirements so a fixed list would be problematic. - Letting the user set them by parameter, this requires adding a new parameter that could be pretty long with the list of all the ciphers. I implemented the second option, if the ciphers are not passed by parameter, the Go default ones will be used (same behavior as now). **Which issue this PR fixes** fixes #41038 **Special notes for your reviewer**: The ciphers in Go tls config are constants and the ones passed by parameters are a comma-separated list. I needed to create the `type CipherSuitesFlag` to support that conversion/mapping, because i couldn't find any way to do this type of reflection in Go. If you think there is another way to implement this, let me know. If you want to test it out, this is a ciphers combination i tested without the weak ones: ``` TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ``` If this is merged i will implement the same for the Kubelet. **Release note**: ```release-note kube-apiserver and kubelet now support customizing TLS ciphers via a `--tls-cipher-suites` flag ``` |
||
|---|---|---|
| .. | ||
| api | ||
| apis | ||
| auth | ||
| capabilities | ||
| client | ||
| cloudprovider | ||
| controller | ||
| credentialprovider | ||
| features | ||
| fieldpath | ||
| generated | ||
| kubeapiserver | ||
| kubectl | ||
| kubelet | ||
| kubemark | ||
| master | ||
| printers | ||
| probe | ||
| proxy | ||
| quota | ||
| registry | ||
| routes | ||
| scheduler | ||
| security | ||
| securitycontext | ||
| serviceaccount | ||
| ssh | ||
| util | ||
| version | ||
| volume | ||
| watch | ||
| .import-restrictions | ||
| BUILD | ||
| OWNERS | ||