Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enhance documentation for cipher suites #10641

Merged
merged 1 commit into from
Jan 22, 2024
Merged

Enhance documentation for cipher suites #10641

merged 1 commit into from
Jan 22, 2024

Conversation

yckaolalala
Copy link
Contributor

@yckaolalala yckaolalala commented Nov 23, 2023
edited by mzaian
Loading

What type of PR is this?

/kind documentation

What this PR does / why we need it:

  • Correct the POLY1305 cipher suites by adding the suffix _SHA256.
# echo ok | openssl s_client -connect 127.0.0.1:6443 -tls1_2 -ciphersuites TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305

Error with command: "-ciphersuites TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305

Reference: https://pkg.go.dev/crypto/tls#pkg-constants

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Correct the POLY1305 cipher suites by adding the suffix _SHA256

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Nov 23, 2023
@k8s-ci-robot
Copy link
Contributor

Hi @yckaolalala. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Nov 23, 2023
@yankay
Copy link
Member

yankay commented Nov 23, 2023

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Nov 23, 2023
@MrFreezeex
Copy link
Member

MrFreezeex commented Nov 23, 2023
edited
Loading

When I tried to add a TLS 1.3 cipher suite, such as TLS_AES_128_GCM_SHA256, I noticed that it is not listed in the comment.

Last time I checked you can't configure cipher suite when you force tls 1.3 it is ignored later on 🤔

yankay
yankay reviewed Nov 24, 2023
View reviewed changes
Copy link
Member

@yankay yankay left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@yckaolalala Thanks :-)

inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml Outdated Show resolved Hide resolved
@yckaolalala
Copy link
Contributor Author

yckaolalala commented Nov 24, 2023
edited
Loading

@MrFreezeex you are correct. I've adjusted the PR message to update the documentation with references .

I use testssl.sh to scan ciphers and do some tests.
When I set the tls_min_version to VersionTLS12

tls_cipher_suites:
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 # TLS 1.2
  #- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_AES_128_GCM_SHA256 # TLS 1.3
  #- TLS_AES_256_GCM_SHA384
  - TLS_CHACHA20_POLY1305_SHA256

etcd_tls_cipher_suites:
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 # TLS 1.2
  #- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_AES_128_GCM_SHA256 # TLS 1.3
  #- TLS_AES_256_GCM_SHA384
  - TLS_CHACHA20_POLY1305_SHA256

I observed the following:

For TLS 1.2 cipher settings, both etcd and kube-api can scan TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, but there is no scanning for TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as indicated in the comment.

In TLS 1.3, all three cipher suites (TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256) are scanned in kube-api.
However, for etcd, none of these cipher suites are scanned.

I also attempted to set the tls_min_version to empty. The results are the same.

@yckaolalala
Copy link
Contributor Author

Should I just close this PR? It appears that TLS 1.3 cipher suite is not functioning as expected in the tls_cipher_suites settings.

@yankay
Copy link
Member

yankay commented Nov 27, 2023

Should I just close this PR? It appears that TLS 1.3 cipher suite is not functioning as expected in the tls_cipher_suites settings.

Thanks @yckaolalala

I'm not sure whether it should be closed :-)
There is s a good example of docs about how to config the tls of kube-apiserver,kubelet and etcd : https://access.redhat.com/documentation/en-us/openshift_container_platform/4.13/html-single/security_and_compliance/index#tls-profiles-ingress-configuring_tls-security-profile :-)

Because I have not test the config yet , so I can just give some weak suggestion :
Changing the TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 to TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 is a good idea, and we can only modify it in this PR. And it can be improved later :-)

@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Nov 29, 2023
@yckaolalala
Copy link
Contributor Author

Thanks @yankay
I've updated the PR to replace POLY1305 cipher suites.

@yckaolalala yckaolalala changed the title Enhance documentation for cipher suites and add references. Enhance documentation for cipher suites Nov 29, 2023
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 18, 2023
@yankay
Copy link
Member

yankay commented Dec 19, 2023

Thanks @yckaolalala
/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: yankay, yckaolalala

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 19, 2023
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 22, 2023
@VannTen
Copy link
Contributor

VannTen commented Jan 22, 2024

/lgtm
(If this does not get merged, try to repush. It loooks like the CI is not reporting the almalinux job status correctly)

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 22, 2024
@floryut
Copy link
Member

floryut commented Jan 22, 2024

/lgtm (If this does not get merged, try to repush. It loooks like the CI is not reporting the almalinux job status correctly)

I've resynced the job, all good now 👍

@k8s-ci-robot k8s-ci-robot merged commit 13e1f33 into kubernetes-sigs:master Jan 22, 2024
64 of 65 checks passed
@mzaian mzaian mentioned this pull request Apr 26, 2024
Closed
pedro-peter pushed a commit to pedro-peter/kubespray that referenced this pull request May 8, 2024
@yckaolalala @pedromcpedro
Correct the POLY1305 cipher suites by adding the suffix _SHA256 (kube…
8d3657b 
…rnetes-sigs#10641)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yankay yankay yankay left review comments

@cristicalin cristicalin Awaiting requested review from cristicalin

Assignees

@VannTen VannTen

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@yckaolalala @k8s-ci-robot @yankay @MrFreezeex @VannTen @floryut