TLS server configuration hardening #2850
Conversation
| cipherSuites := make([]string, len(constant.AllowedTLS12CipherSuiteIDs)) | ||
| for i, cipherSuite := range constant.AllowedTLS12CipherSuiteIDs { | ||
| cipherSuites[i] = tls.CipherSuiteName(cipherSuite) | ||
| } | ||
|
|
There was a problem hiding this comment.
Maybe this could be a helper func in the constant package as it is used in couple different places now
There was a problem hiding this comment.
It's used in two places, one being deprecated. That's why I didn't do it. Technically, the changes in this file aren't necessary at all, since it only exists for backwards compatibility when upgrading from k0s 1.25.
There was a problem hiding this comment.
Just realizing: This is required for the <=1.25 backports.
pkg/component/controller/etcd.go
Outdated
| "--log-level": e.LogLevel, | ||
| "--peer-client-cert-auth": "true", | ||
| "--enable-pprof": "false", | ||
| // "--tls-min-version": "TLS1.2", // https://github.com/etcd-io/etcd/pull/15156 |
There was a problem hiding this comment.
I've put it here as a reminder for the future, when etcd actually supports --tls-min-version. This is not yet available as of etcd v3.5.7, but already merged to main. I can remove it if you prefer?
There was a problem hiding this comment.
Let's add a text comment with clarification for the reason, if you want, but now it looks like leftover and would be accidentally removed on the first edit of this file by somebody who doesn't have a context.
How I read this line now:
- there was an argument tls-min-version
- the given value was TLS1.2
- the reason to have this value is explained in the Add TLSv1.3 support. etcd-io/etcd#15156
- somebody commented the whole thing out due to some reason
Sorry for nitpicking here, but I always afraid of out-dated or misguiding comments, because they always make reading code harder :(
There was a problem hiding this comment.
Fair enough. Will make the doc string clearer.
Enforce TLS minimum versions and a fixed list of allowed TLS ciphers for all the TLS secured endpoints managed by k0s. This has already been the case for the API server, the kubelet and the konnectivity server. Unify the approach to also include etcd and the k0s API itself. Signed-off-by: Tom Wieczorek <twieczorek@mirantis.com>
twz123
added
security fix
area/controlplane
backport/release-1.26
|
Backport failed for Please cherry-pick the changes locally. git fetch origin release-1.26
git worktree add -d .worktree/backport-2850-to-release-1.26 origin/release-1.26
cd .worktree/backport-2850-to-release-1.26
git checkout -b backport-2850-to-release-1.26
ancref=$(git merge-base c08e7b57fbd7b668ed6df1b6eba27ed8d697aa42 55f75fd533a8fc747205c42c226d580b927eb4fc)
git cherry-pick -x $ancref..55f75fd533a8fc747205c42c226d580b927eb4fc |
Description
Enforce TLS minimum versions and a fixed list of allowed TLS ciphers for all the TLS secured endpoints managed by k0s. This has already been the case for the API server, the kubelet and the konnectivity server. Unify the approach to also include etcd and the k0s API itself.
Type of change
How Has This Been Tested?
Checklist: