
IBM Cloud Kubernetes Service ALB Update: TLS 1.0 and 1.1 Disabled By Default


TLS 1.0 and 1.1 disabled by default in IBM Cloud Kubernetes Service ALB upgrade

In keeping with our goal to provide you with a robust, trusted platform for your applications, and to comply with the PCI Security Standards Council mandate, the Ingress controller will have TLS 1.0 and 1.1 disabled by default in the upcoming version upgrade of the IBM Cloud Kubernetes Service ALB.

Although TLS 1.2 is supported by the Ingress controller and used by connecting clients by default, the controller still has TLS 1.0 and 1.1 enabled so that older devices that do not yet support TLS 1.2 can connect. In the past two years, the industry has moved on from TLS 1.0 and 1.1, and the number of devices that still require them has decreased dramatically.

What is TLS?

TLS stands for Transport Layer Security. It is a protocol that provides privacy and data integrity between two communicating applications. It is the most widely deployed security protocol and is used by web browsers and other applications that need to exchange data securely over a network. Through encryption and endpoint identity verification, TLS ensures that a connection to a remote endpoint really is with the intended endpoint.

When will this happen?

On January 22, 2019, the update will be rolled out automatically to all customers who have not opted out of auto-update.

If you prefer to update on your own schedule, you can opt out of auto-updates.

What do I have to do?

If the clients connecting to your application exposed via the Ingress support TLS 1.2, you do not have to do anything; those clients will not be affected.

If you still have legacy clients that require TLS 1.0 or 1.1 support, you will have to enable them manually by listing the required version(s) in the ssl-protocols line of the ibm-cloud-provider-ingress-cm configmap. For further details, please see the official documentation section Configuring SSL protocols and SSL ciphers at the HTTP level.

How can I investigate?

You can verify that your client browser supports TLS 1.2 using the SSL Test tool from SSL Labs. You can also check the User Agent Capabilities list.

Additionally, you can have the ALB log the TLS version and cipher that each client connects with, so you can see whether any of your users still depend on TLS 1.0 or 1.1, by going through the following steps:

  1. Edit your ALB configmap:
    $ kubectl edit cm ibm-cloud-provider-ingress-cm -n kube-system
  2. Add the following log-format entry to the data: section. (Make sure the indentation is correct; the value is a single-quoted YAML scalar that continues over several lines.)

      log-format: '{"time_date": "$time_iso8601", "client": "$remote_addr", "host": "$http_host",
        "scheme": "$scheme", "request_method": "$request_method", "request_uri": "$uri",
        "request_id": "$request_id", "status": $status, "upstream_addr": "$upstream_addr",
        "upstream_status": $upstream_status, "request_time": $request_time, "upstream_response_time":
        $upstream_response_time, "upstream_connect_time": $upstream_connect_time, "upstream_header_time":
        $upstream_header_time, "ssl_cipher": "$ssl_cipher", "ssl_protocol": "$ssl_protocol"}'
  3. Save the configmap, and you are done.
  4. Optional: Verify with the following command:
    $ kubectl get cm ibm-cloud-provider-ingress-cm -n kube-system -o yaml

The ALB will be reconfigured automatically to add the TLS version and cipher to its access logs.
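Once the log-format above is active, the question is simply which clients, if any, are still negotiating TLS 1.0 or 1.1. The following script is an added example, not part of the original post or of the IBM Cloud Kubernetes Service itself: it parses log lines written with that exact log-format, counts requests per TLS version and lists the client addresses and ciphers that would break once the legacy versions are disabled. The sample log lines, client addresses and host name are constructed for the example. It also handles an edge case of this log-format: the unquoted NGINX variables ($upstream_status and the timing fields) are written as a bare "-" when no upstream was contacted, which is not valid JSON, so those are rewritten to null before parsing.

```python
"""Summarize TLS protocol usage from ALB access logs written with the JSON
log-format shown in the steps above (added example; sample data is constructed)."""
import json
import re
import sys
from collections import Counter

# Protocol names exactly as NGINX reports them in $ssl_protocol.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample lines (hypothetical clients and host). Line 3 shows the
# bare "-" that NGINX writes for unquoted fields when no upstream was contacted;
# line 4 is a plain-HTTP request, for which $ssl_protocol is empty.
SAMPLE_LOG = """\
{"time_date": "2019-01-10T09:12:01+00:00", "client": "203.0.113.10", "host": "shop.example.com", "scheme": "https", "request_method": "GET", "request_uri": "/", "request_id": "a1", "status": 200, "upstream_addr": "172.30.1.5:8080", "upstream_status": 200, "request_time": 0.012, "upstream_response_time": 0.010, "upstream_connect_time": 0.001, "upstream_header_time": 0.009, "ssl_cipher": "ECDHE-RSA-AES128-GCM-SHA256", "ssl_protocol": "TLSv1.2"}
{"time_date": "2019-01-10T09:12:02+00:00", "client": "198.51.100.7", "host": "shop.example.com", "scheme": "https", "request_method": "POST", "request_uri": "/api/login", "request_id": "a2", "status": 200, "upstream_addr": "172.30.1.5:8080", "upstream_status": 200, "request_time": 0.030, "upstream_response_time": 0.028, "upstream_connect_time": 0.001, "upstream_header_time": 0.020, "ssl_cipher": "AES128-SHA", "ssl_protocol": "TLSv1"}
{"time_date": "2019-01-10T09:12:03+00:00", "client": "198.51.100.7", "host": "shop.example.com", "scheme": "https", "request_method": "GET", "request_uri": "/", "request_id": "a3", "status": 400, "upstream_addr": "-", "upstream_status": -, "request_time": 0.001, "upstream_response_time": -, "upstream_connect_time": -, "upstream_header_time": -, "ssl_cipher": "AES128-SHA", "ssl_protocol": "TLSv1"}
{"time_date": "2019-01-10T09:12:04+00:00", "client": "192.0.2.44", "host": "shop.example.com", "scheme": "http", "request_method": "GET", "request_uri": "/health", "request_id": "a4", "status": 200, "upstream_addr": "172.30.1.6:8080", "upstream_status": 200, "request_time": 0.005, "upstream_response_time": 0.004, "upstream_connect_time": 0.001, "upstream_header_time": 0.003, "ssl_cipher": "", "ssl_protocol": ""}
"""

# A bare "-" can only occur where the template leaves a variable unquoted, so it
# is always followed directly by "," or "}". Negative numbers (e.g. -1) do not match.
BARE_DASH = re.compile(r":\s*-\s*([,}])")


def parse_alb_line(line):
    """Parse one JSON-formatted ALB log line, tolerating NGINX's bare "-" values."""
    return json.loads(BARE_DASH.sub(r": null\1", line))


def summarize_tls(log_text):
    """Return (requests per protocol, legacy clients -> {(host, cipher)})."""
    by_protocol = Counter()
    legacy_clients = {}
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        entry = parse_alb_line(raw)
        proto = entry.get("ssl_protocol") or "plaintext"  # empty for plain HTTP
        by_protocol[proto] += 1
        if proto in LEGACY_PROTOCOLS:
            legacy_clients.setdefault(entry["client"], set()).add(
                (entry["host"], entry["ssl_cipher"]))
    return by_protocol, legacy_clients


def legacy_report(log_text):
    """Human-readable summary of what the upgrade would break."""
    by_protocol, legacy_clients = summarize_tls(log_text)
    lines = ["Requests per TLS protocol:"]
    for proto, count in sorted(by_protocol.items()):
        lines.append(f"  {proto:10s} {count}")
    if legacy_clients:
        lines.append("Clients that will fail once TLS 1.0/1.1 are disabled:")
        for client, combos in sorted(legacy_clients.items()):
            for host, cipher in sorted(combos):
                lines.append(f"  {client} -> {host} ({cipher})")
    else:
        lines.append("No legacy TLS clients seen; the default upgrade is safe to take.")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe real ALB logs in on stdin; fall back to the constructed sample otherwise.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    print(legacy_report(text))
```

To run it against a real cluster, pipe the ALB pod's log output into the script (for example `kubectl logs -n kube-system <alb-pod-name> | python3 alb_tls_report.py`, where the pod and file names are placeholders). Any client listed under the legacy heading is one you would either need to upgrade or, temporarily, keep supporting through the ssl-protocols setting described above.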

Just as a reference, the configmap should look approximately like this before saving:

Contact us

If you have questions, engage our team via Slack by registering here and join the discussion in the #general channel on our public IBM Cloud Kubernetes Service Slack.

Chief Architect, Networking – IBM Cloud Kubernetes Service
