Fix Sweet32 vulnerability for microk8s versions before 1.18

[vadimeisenbergibm]

Sweet32 vulnerability is described in this etcd issue and is handled by this PR in etcd. The solution is to provide a list of strong ciphers using the --cipher-suites parameter.

To apply the etcd solution described above, etcd versions v3.2.22+, v3.3.7+, and v3.4+ must be used.

Microk8s 1.18 uses etcd v3.4.3 so it is fine. The change to etcd v3.4.3 was introduced by #894. The previous microk8s versions seems to use etcd version v3.3.4, which does not have the solution to the Sweet32 vulnerability.

Is it possible to update the previous versions of microk8s to use etcd version v3.3.7 instead of v3.3.4? In particular, I am interested in microk8s v1.14/stable.

[ktsakalozos]

Hi @vadimeisenbergibm, thank you for bringing this to our attention. I added a couple of PRs to update the 1.17 and 1.16 releases. Unfortunately we do not have any incentives to provide any more patches for releases that have gone out of support from upstream [1, 2] so we will not be updating 1.14.

https://kubernetes.io/docs/setup/release/version-skew-policy/
https://github.com/kubernetes/sig-release/blob/master/releases/patch-releases.md#non-active-branch-history

[vadimeisenbergibm]

Hi @ktsakalozos, I see, thank you!

[balchua]

Pr merged into 1.17, 1.16