
IBM Cloud Kubernetes Service ALB Update: TLS 1.0 and 1.1 Disabled By Default



In keeping with our goal of providing a robust, trusted platform for your applications, and to comply with the PCI Security Standards Council mandate to retire early TLS, the upcoming version upgrade of the IBM Cloud Kubernetes Service ALB (the Ingress controller) will have TLS 1.0 and 1.1 disabled by default.

TLS 1.2 is already supported by the Ingress controller and is what modern clients negotiate by default, but the current ALB still leaves TLS 1.0 and 1.1 enabled so that older devices that cannot speak TLS 1.2 can connect. Over the past two years the industry has moved away from TLS 1.0 and 1.1 (neither version can use modern AEAD cipher suites, and their handshake still relies on MD5 and SHA-1 constructions), and the number of devices that still require them has dropped dramatically.

What is TLS?

TLS stands for Transport Layer Security. It is a protocol that provides confidentiality and data integrity between two communicating applications, and it is the most widely deployed security protocol, used by web browsers and any other application that needs to exchange data securely over a network. TLS authenticates the remote endpoint (normally through its certificate) and encrypts and integrity-protects the traffic, so a client can be confident that it is talking to the intended server and that nobody on the path can read or tamper with the data.

When will this happen?

The update will be rolled out automatically on January 14, 2019 to all clusters that have not opted out of ALB auto-updates.

If you prefer to update on your own schedule, you can opt out of auto-updates and apply the upgrade yourself.

What do I have to do?

If the clients connecting to your application through the Ingress support TLS 1.2, you do not have to do anything; those clients will not be affected.

If you still have legacy clients that require TLS 1.0 or 1.1, you will have to re-enable those versions manually by listing them in the ssl-protocols line of the ibm-cloud-provider-ingress-cm configmap. Note that this setting is applied at the HTTP level, so it re-enables the old versions for every host served by the ALB, not only for the application the legacy clients use, and it puts you back outside the PCI requirement that motivated this change. Treat it as a temporary measure and remove the old versions again once the legacy clients have been upgraded. For further details, please see the official documentation section Configuring SSL protocols and SSL ciphers at the HTTP level.

How can I investigate?

You can check whether a given browser supports TLS 1.2 with the SSL Labs client test, and the SSL Labs User Agent Capabilities list shows which protocol versions common browsers and client libraries negotiate.

Additionally, you can add the TLS version and cipher to the ALB access logs to see what your users are actually connecting with, by going through the following steps:

  1. Edit your ALB configmap:
    $ kubectl edit cm ibm-cloud-provider-ingress-cm -n kube-system
  2. Add the following two lines into the data: section. (Make sure the indentation is correct.)
      log-format-escape-json: escape=json
      log-format: '{"time_date": "$time_iso8601", "client": "$remote_addr", "host": "$http_host",
        "scheme": "$scheme", "request_method": "$request_method", "request_uri": "$uri",
        "request_id": "$request_id", "status": $status, "upstream_addr": "$upstream_addr",
        "upstream_status": $upstream_status, "request_time": $request_time, "upstream_response_time":
        $upstream_response_time, "upstream_connect_time": $upstream_connect_time, "upstream_header_time":
        $upstream_header_time, "ssl_cipher": "$ssl_cipher", "ssl_protocol": "$ssl_protocol"}'
  3. Save the configmap, and you are done.
  4. Optional: Verify with the following command:
    $ kubectl get cm ibm-cloud-provider-ingress-cm -n kube-system -o yaml

The ALB will get reconfigured to add the TLS version and cipher to the logs.
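Once the ALB writes ssl_protocol and ssl_cipher into each log line, the next step is to answer the question the upgrade raises: which clients, and which of your hosts, still depend on TLS 1.0 or 1.1? The following script is an added example (not part of the original post or of IBM's own tooling) that parses log lines in the JSON format configured above, counts requests per negotiated protocol, and lists the client/host pairs that would break once TLS 1.0 and 1.1 are disabled. The sample log lines are constructed for illustration and abbreviated to the fields the script uses; it assumes you have saved the ALB pod logs to a file with kubectl logs.

```python
import json
from collections import Counter, defaultdict

# Protocol versions the ALB upgrade disables by default.
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}

# Constructed sample lines in the JSON log format from the configmap above,
# abbreviated to the fields this script reads. A plaintext HTTP request logs
# an empty ssl_protocol; the last line imitates a non-JSON NGINX notice.
SAMPLE_LOG_LINES = [
    '{"time_date": "2018-12-12T10:15:01+00:00", "client": "198.51.100.10", "host": "shop.example.com", "scheme": "https", "request_uri": "/", "status": 200, "ssl_cipher": "ECDHE-RSA-AES128-GCM-SHA256", "ssl_protocol": "TLSv1.2"}',
    '{"time_date": "2018-12-12T10:15:02+00:00", "client": "203.0.113.7", "host": "api.example.com", "scheme": "https", "request_uri": "/v1/orders", "status": 200, "ssl_cipher": "AES128-SHA", "ssl_protocol": "TLSv1"}',
    '{"time_date": "2018-12-12T10:15:03+00:00", "client": "198.51.100.10", "host": "api.example.com", "scheme": "https", "request_uri": "/v1/orders", "status": 201, "ssl_cipher": "ECDHE-RSA-AES256-GCM-SHA384", "ssl_protocol": "TLSv1.2"}',
    '{"time_date": "2018-12-12T10:15:04+00:00", "client": "203.0.113.7", "host": "shop.example.com", "scheme": "https", "request_uri": "/cart", "status": 200, "ssl_cipher": "ECDHE-RSA-AES256-SHA", "ssl_protocol": "TLSv1.1"}',
    '{"time_date": "2018-12-12T10:15:05+00:00", "client": "192.0.2.5", "host": "shop.example.com", "scheme": "http", "request_uri": "/healthz", "status": 200, "ssl_cipher": "", "ssl_protocol": ""}',
    "2018/12/12 10:15:06 [notice] 1#1: signal process started",
]


def parse_alb_log(lines):
    """Yield one dict per JSON access-log line, skipping anything that is not valid JSON."""
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def tls_summary(lines):
    """Count requests per negotiated protocol and record which clients still use TLS 1.0/1.1.

    Returns {"by_protocol": {proto: count}, "legacy_clients": {client_ip: [hosts]}}.
    Plaintext HTTP requests (empty ssl_protocol) are counted under "plaintext".
    """
    by_protocol = Counter()
    legacy_clients = defaultdict(set)
    for rec in parse_alb_log(lines):
        proto = rec.get("ssl_protocol") or "plaintext"
        by_protocol[proto] += 1
        if proto in LEGACY_PROTOCOLS:
            legacy_clients[rec.get("client", "-")].add(rec.get("host", "-"))
    return {
        "by_protocol": dict(by_protocol),
        "legacy_clients": {ip: sorted(hosts) for ip, hosts in sorted(legacy_clients.items())},
    }


def hosts_needing_legacy_tls(summary):
    """Hostnames that would lose at least one client if TLS 1.0/1.1 stay disabled."""
    hosts = set()
    for host_list in summary["legacy_clients"].values():
        hosts.update(host_list)
    return sorted(hosts)


if __name__ == "__main__":
    import sys

    # Usage: python alb_tls_report.py alb.log   (file saved from `kubectl logs`)
    # Without an argument the constructed sample above is analysed.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            summary = tls_summary(fh)
    else:
        summary = tls_summary(SAMPLE_LOG_LINES)
    print(json.dumps(summary, indent=2))
    print("hosts with legacy-TLS clients:", hosts_needing_legacy_tls(summary))
```

Run it against a few days of logs before the upgrade date: an empty legacy_clients map means no action is needed, while a populated one tells you exactly which hosts (and which source addresses, typically partner integrations or embedded devices) would need the ssl-protocols override or a client upgrade.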

For reference, before saving, the configmap should contain the two new lines under its data: section alongside any existing keys (the original post shows a screenshot of the edited ibm-cloud-provider-ingress-cm configmap at this point).

Contact us

If you have questions, engage our team via Slack by registering here and join the discussion in the #general channel on our public IBM Cloud Kubernetes Service Slack.

Chief Architect, Networking – IBM Cloud Kubernetes Service
