Ciphers used by Kubernetes components and etcd

The set of TLS cipher suites used by Kubernetes components and etcd may be adjusted via the Kublr cluster specification as follows (note the different kubelet parameters for Kublr releases before 1.18 and from 1.18 on):


spec:
  kublrAgentConfig:
    kublr:
      kubelet_flag: # use with Kublr before 1.18
        tls_cipher_suites: '--tls-cipher-suites=...'
      kubelet_config:  # use with Kublr 1.18 and later
        tlsCipherSuites: '...'
      kube_api_server_flag:
        tls_cipher_suites: '--tls-cipher-suites=...'
      kube_controller_manager_flag:
        tls_cipher_suites: '--tls-cipher-suites=...'
      etcd_flag:
        cipher_suites: '--cipher-suites=...'


Each value is a comma-separated list of Go crypto/tls cipher suite constant names as documented at https://golang.org/pkg/crypto/tls/#pkg-constants, for example TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. Two caveats apply to any custom list. First, TLS 1.3 suites (TLS_AES_128_GCM_SHA256 and the other TLS_AES_*/TLS_CHACHA20_* names) are not configurable in Go: they are always enabled, and listing or omitting them has no effect. Second, kube-apiserver serves HTTP/2, and Go's HTTP/2 server refuses a restricted cipher list that contains neither TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 nor TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, so the API server will not start with a CBC-only list; both lists below keep these suites.


The following cipher lists were tested and found to be compatible with Kublr control plane:

1. all ciphers supported by RHEL minus the two 3DES ciphers (TLS_RSA_WITH_3DES_EDE_CBC_SHA and TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA)


TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384

2. ciphers supported by RHEL that are not on the HTTP/2 cipher suite black list (https://http2.github.io/http2-spec/#BadCipherSuites), i.e. only the forward-secret ECDHE AEAD suites from list 1


TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
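A check to run over a candidate list before it goes into the cluster specification, as an added example in Go (not Kublr's or Kubernetes' own code): it resolves every name against the running Go toolchain's crypto/tls, reports names Go itself marks insecure, reports TLS 1.3 names that a Go cipher list cannot control, and verifies that the HTTP/2 requirement is met. The CipherCheck type, the http2Required table and the sample inputs in main are this example's own constructions.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// CipherCheck is the result of vetting one --tls-cipher-suites / --cipher-suites value.
type CipherCheck struct {
	Unknown  []string // names crypto/tls does not know at all (typos, OpenSSL spellings)
	Insecure []string // names Go itself marks Insecure (e.g. the CBC-SHA256 suites)
	TLS13    []string // TLS 1.3 suites: Go always enables these and ignores them in a cipher list
	HTTP2OK  bool     // list keeps at least one suite Go's HTTP/2 server insists on
}

// http2Required are the suites golang.org/x/net/http2 requires at least one of;
// kube-apiserver serves HTTP/2, so a list without them fails at startup.
var http2Required = map[string]bool{
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":   true,
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": true,
}

// knownSuites indexes every suite the running Go toolchain knows by constant name,
// secure and insecure alike, so that a typo is distinguishable from a weak choice.
func knownSuites() map[string]*tls.CipherSuite {
	m := make(map[string]*tls.CipherSuite)
	for _, s := range tls.CipherSuites() {
		m[s.Name] = s
	}
	for _, s := range tls.InsecureCipherSuites() {
		m[s.Name] = s
	}
	return m
}

// CheckCipherList parses a comma-separated Go cipher suite list, as passed to
// Kubernetes components and etcd, and reports what would bite in production.
func CheckCipherList(list string) CipherCheck {
	known := knownSuites()
	var res CipherCheck
	for _, name := range strings.Split(list, ",") {
		name = strings.TrimSpace(name)
		if name == "" {
			continue
		}
		s, ok := known[name]
		if !ok {
			res.Unknown = append(res.Unknown, name)
			continue
		}
		if s.Insecure {
			res.Insecure = append(res.Insecure, name)
		}
		if len(s.SupportedVersions) == 1 && s.SupportedVersions[0] == tls.VersionTLS13 {
			res.TLS13 = append(res.TLS13, name)
		}
		if http2Required[name] {
			res.HTTP2OK = true
		}
	}
	return res
}

// OK reports whether the list can be deployed without the component refusing it.
func (c CipherCheck) OK() bool {
	return len(c.Unknown) == 0 && c.HTTP2OK
}

func main() {
	// Constructed inputs: list 2 from this page, plus a deliberately broken list
	// (an OpenSSL spelling, a CBC suite and a TLS 1.3 suite, no HTTP/2-required suite).
	lists := map[string]string{
		"page list 2": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		"broken":      "ECDHE-RSA-AES128-GCM-SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_AES_128_GCM_SHA256",
	}
	for label, l := range lists {
		c := CheckCipherList(l)
		fmt.Printf("%-12s ok=%v unknown=%v insecure=%v tls13-only=%v http2=%v\n",
			label, c.OK(), c.Unknown, c.Insecure, c.TLS13, c.HTTP2OK)
	}
}
```

Run it with `go run` against the exact string you intend to put into the cluster specification; an entry in Unknown means the component would reject the flag, a false HTTP2OK means kube-apiserver would fail to start, and entries in Insecure are suites worth justifying before keeping them (the CBC suites in list 1 land there).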


Ciphers used by Nginx ingress controller

The following Kublr cluster specification snippet shows how the set of ciphers used by the default Kublr Nginx ingress controller can be adjusted:


spec:
  features:
    ingress:
      values:
        nginx-ingress:
          controller:
            config:
              ssl-ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384


Note that, unlike the etcd and Kubernetes component lists, this list is colon-separated rather than comma-separated, and it uses OpenSSL cipher names (ECDHE-RSA-AES128-GCM-SHA256) rather than Go constant names (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), because the ingress controller passes the value straight to the nginx ssl_ciphers directive, which OpenSSL parses.
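An added example (not part of the Kublr or ingress-nginx code) that derives the colon-separated OpenSSL list for nginx from a Go-style list such as list 2 above, so the control plane and ingress configurations can be kept in step. The conversion rule is limited to the AES suites Go supports; 3DES and TLS 1.3 names are reported rather than guessed, and the DHE-RSA suites in the snippet above have no Go counterpart at all (Go's crypto/tls does not implement finite-field DHE). The function names and the trailing 3DES entry in main are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// ToOpenSSLName converts a Go/IANA cipher suite constant name to the OpenSSL
// spelling nginx's ssl-ciphers expects. It covers the AES suites Go supports
// (ECDHE and plain-RSA key exchange, GCM and CBC); anything else, including
// 3DES (irregular OpenSSL name) and TLS 1.3 suites (not set via ssl-ciphers),
// is reported as unconvertible rather than guessed.
func ToOpenSSLName(goName string) (string, bool) {
	n := strings.TrimPrefix(goName, "TLS_")
	parts := strings.SplitN(n, "_WITH_", 2)
	if n == goName || len(parts) != 2 || !strings.HasPrefix(parts[1], "AES_") {
		return "", false
	}
	kx, bulk := parts[0], parts[1]
	// AES_128_GCM_SHA256 -> AES128-GCM-SHA256; AES_256_CBC_SHA -> AES256-SHA
	// (OpenSSL names omit "CBC" and spell the key size without an underscore).
	bulk = strings.Replace(bulk, "AES_", "AES", 1)
	bulk = strings.Replace(bulk, "_CBC", "", 1)
	bulk = strings.ReplaceAll(bulk, "_", "-")
	if kx == "RSA" {
		return bulk, true // OpenSSL omits the prefix for plain RSA key exchange
	}
	return strings.ReplaceAll(kx, "_", "-") + "-" + bulk, true
}

// ToNginxCipherList converts a comma-separated Go list into the colon-separated
// OpenSSL list nginx wants, preserving order; names it cannot convert are
// returned separately so they are never silently dropped.
func ToNginxCipherList(goList string) (string, []string) {
	var out, skipped []string
	for _, name := range strings.Split(goList, ",") {
		name = strings.TrimSpace(name)
		if name == "" {
			continue
		}
		if o, ok := ToOpenSSLName(name); ok {
			out = append(out, o)
		} else {
			skipped = append(skipped, name)
		}
	}
	return strings.Join(out, ":"), skipped
}

func main() {
	// Constructed input: list 2 from this page with a 3DES suite appended to show the skip path.
	in := "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," +
		"TLS_RSA_WITH_3DES_EDE_CBC_SHA"
	nginx, skipped := ToNginxCipherList(in)
	fmt.Println("ssl-ciphers:", nginx)
	fmt.Println("not converted:", skipped)
}
```

The output for list 2 is the value to paste into ssl-ciphers; anything printed under "not converted" needs a hand-picked OpenSSL name or, for TLS 1.3 suites, nginx's separate TLS 1.3 configuration rather than ssl-ciphers.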