Specifying TLS ciphers for etcd and Kubernetes

The default cipher suites that etcd and kubelet pick up include the weak cipher ECDHE-RSA-DES-CBC3-SHA, which can expose the cluster to security vulnerabilities. To prevent this, configure etcd and kubelet with cipher suites that provide strong protection for the IBM® Cloud Private cluster.

Note: HTTP2 enablement can complicate the ordering of cipher suites. You should select your own ciphers and specify the order.

To specify TLS ciphers for etcd and Kubernetes after IBM Cloud Private installation, see Specifying TLS ciphers for etcd and Kubernetes after IBM Cloud Private installation.

etcd

You can specify the supported TLS ciphers to use in communication between the master and etcd servers.

  1. In config.yaml, add the following option:

     etcd_extra_args: ["--cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
    

    For more information, see the etcd community documentation.

  2. Once the IBM® Cloud Private cluster is running, you can verify that the cipher suites are applied. For example:

     # openssl s_client -connect 9.111.254.123:4001
     CONNECTED(00000003)
     depth=0 CN = demo.icp
     verify error:num=20:unable to get local issuer certificate
     verify return:1
     depth=0 CN = demo.icp
     verify error:num=21:unable to verify the first certificate
     verify return:1
     140175725818304:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1399:SSL alert number 42
     ---
     Certificate chain
     0 s:/CN=demo.icp
     i:/CN=demo.icp
     ---
     Server certificate
     -----BEGIN CERTIFICATE-----
     MIIDbDCCAlSgAwIBAgIQFNCXgjR0zeZdoWqxKe7jHTANBgkqhkiG9w0BAQsFADAT
     MREwDwYDVQQDDAhkZW1vLmljcDAgFw0xODA5MjcxMTQ2NDlaGA8yMTE4MDkwMzEx
     NDY0OVowEzERMA8GA1UEAwwIZGVtby5pY3AwggEiMA0GCSqGSIb3DQEBAQUAA4IB
     DwAwggEKAoIBAQDmr1sxcPBHCOfIzcMZpQQGP2pHQ1R3s7mUgBNdjkPkyLhavkhE
     Zh6Wxg++7DMdf7hK/5aNjYUESK1JOasEGpYH3jlZ5fN9Ty3zj1n3EnBuN6y5RUKC
     UnWlWbBATaJ5FKxNzVLPdTLdk73+iQw3QERT5jIzIMz+00fuJCixGdSPHPu5BT85
     8+zcr48foENWPGn0Bjj4K6toKZCjof0JMSYHxHoxXFeTsj1uxlMkpZxzxYwXaevF
     4FrauwnpYQd50k7B7V+TvRJcGSmuB4oM5M+lVWG8fr1881c+zwy8ni3lzZZuuZjS
     6g2CCVx94Z2LgUYrZgjPd8NgYjTPN7rluqRBAgMBAAGjgbkwgbYwCQYDVR0TBAIw
     ADAdBgNVHQ4EFgQUAfQBsQCV103gEQMEhEc8utamfFowQwYDVR0jBDwwOoAU2oeq
     ruGU/ClldMAtX2FGI5rhomehF6QVMBMxETAPBgNVBAMMCGRlbW8uaWNwggkA0jui
     s4EcWZEwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAsGA1UdDwQEAwIF
     oDAZBgNVHREEEjAQgghkZW1vLmljcIcECW/+ezANBgkqhkiG9w0BAQsFAAOCAQEA
     ltu1BfqxaaeYAQ/hwoJgWzRzAgfnfpynEYDfqE+DUne5uBRySMj3E2CJOZ3wPLOY
     KQQ/JKUSiNCtHvYkbGSys6YLjHb0VOTF0uCoo5nC4J4jAKQmOGZsoXS1XlqnC/HH
     o1nR4B493HKcJN/QkMWr7zy+2kSno2RSftNL6q/6zuMjN4DPm6+8fUJ/Vz89T/AL
     heQjVXZr3uZseFv6IkXVQWH7bhMYCcUoyk582N6h5UybbMCZwILJqdjLmzzH/99m
     JHRaoc0KFM5QR1gzfgnnIBes5AxxQfenkai7HA7rmJObDlbJq4TdNiQXXjpV0HVm
     Ay3Q5PFHNwepgtMNkB8FKg==
     -----END CERTIFICATE-----
     subject=/CN=demo.icp
     issuer=/CN=demo.icp
     ---
     Acceptable client certificate CA names
     /CN=demo.icp
     Client Certificate Types: RSA sign, ECDSA sign
     Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA1:ECDSA+SHA1
     Shared Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA1:ECDSA+SHA1
     Peer signing digest: SHA384
     Server Temp Key: X25519, 253 bits
     ---
     SSL handshake has read 1325 bytes and written 281 bytes
     Verification error: unable to verify the first certificate
     ---
     New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
     Server public key is 2048 bit
     Secure Renegotiation IS supported
     Compression: NONE
     Expansion: NONE
     No ALPN negotiated
     SSL-Session:
         Protocol  : TLSv1.2
         Cipher    : ECDHE-RSA-AES128-GCM-SHA256
         Session-ID:
         Session-ID-ctx:
         Master-Key: 0465F6532FBF62DBD971C9307EB86C9FAFCCD665A2E11C7B674AC78D7515B2DD6F7EE6F8C2D637AA7AD770C434A74C94
         PSK identity: None
         PSK identity hint: None
         SRP username: None
         Start Time: 1539238527
         Timeout   : 7200 (sec)
         Verify return code: 21 (unable to verify the first certificate)
         Extended master secret: no
     ---
    

    Note: You must replace IP 9.111.254.123 with your own master (etcd) host IP.

kubelet

You can specify the supported TLS ciphers to use in communication between the kubelet and applications, for example, Prometheus.

  1. In config.yaml, add the following option:

     kubelet_extra_args: ["--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"]
    

    Possible values are:

    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
    • TLS_ECDHE_ECDSA_WITH_RC4_128_SHA

  2. Once the IBM® Cloud Private cluster is running, you can verify that the cipher suites are applied. For example:

     # openssl s_client -connect 9.111.255.33:10250
     CONNECTED(00000003)
     depth=1 CN = 9.111.255.33-ca@1538050035
     verify error:num=19:self signed certificate in certificate chain
     ---
     Certificate chain
     0 s:/CN=9.111.255.33@1538050035
     i:/CN=9.111.255.33-ca@1538050035
     1 s:/CN=9.111.255.33-ca@1538050035
     i:/CN=9.111.255.33-ca@1538050035
     ---
     Server certificate
     -----BEGIN CERTIFICATE-----
     MIIDCDCCAfCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAlMSMwIQYDVQQDDBo5LjEx
     MS4yNTUuMzMtY2FAMTUzODA1MDAzNTAeFw0xODA5MjcxMjA3MTVaFw0xOTA5Mjcx
     MjA3MTVaMCIxIDAeBgNVBAMMFzkuMTExLjI1NS4zM0AxNTM4MDUwMDM1MIIBIjAN
     BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvhpTqz26o/iAmQ2vvn/VbsqjJpno
     P5DSOPaf4mCK0iClLj0hFPWplcPO4Hmtuigfnc36ChTHQKKycdeUlLL6Fkth7F5K
     dyYehMFA7jqUEppmf5DVit2EHusshg7mzGy0irUFGIpaV8loyKo9PE+pOpLaeLm0
     j/Jq5qFVvT7lRoEP6/fmWuu2uUVsRMaluY8iVq2DMMsk4LvGH6a2qyzf0t2+TeYw
     sCpz2z5s7b0L+66/dJibqlpJvO0SgjdLItjUPZSM9XQ2AzPInpZVKKjkrWH1fQNy
     rlqzaJKm8dss2ZgGQ5dd8Nh0JWvMf0pV183S5o2fROzbfaBgTrQMRAhfEQIDAQAB
     o0YwRDAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0T
     AQH/BAIwADAPBgNVHREECDAGhwQJb/8hMA0GCSqGSIb3DQEBCwUAA4IBAQBP+F4T
     AGOetM9sFPwLga9HWAtG7ukgtNu4RNoc7WnBGrAOUkanTBVxNqnf382NeXoWVFay
     WDYUsMVvMkfV5caGWtv0bxv0/zrDEu3S+l65pD7Tmofi7r0sjlCJ3q6PLPhmRNVm
     4W7F+6lnVxLvgDQoMFNkRVFSSmM9WBBBvdsAk4YQ9ODG1fykObTBLHm45aADn/4Z
     pdtQiqG1BSZKVN23jgqv4vmFfbpSCeLLZL5wqQn1gWJCnCMqk8XQFzRgn1Ye4jwP
     eIgDDETuAhSoJFOlWmDoHWdWXMbsMYCNWxaSJA8oZjvqgzSJ+STgZEoIJrTQ+BOz
     Ydindji7Vz6vovfV
     -----END CERTIFICATE-----
     subject=/CN=9.111.255.33@1538050035
     issuer=/CN=9.111.255.33-ca@1538050035
     ---
     Acceptable client certificate CA names
     /C=US/ST=New York/L=Armonk/O=IBM Cloud Private/CN=www.ibm.com
     Client Certificate Types: RSA sign, ECDSA sign
     Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
     Shared Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
     Peer signing digest: SHA512
     Server Temp Key: X25519, 253 bits
     ---
     SSL handshake has read 2239 bytes and written 281 bytes
     Verification error: self signed certificate in certificate chain
     ---
     New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
     Server public key is 2048 bit
     Secure Renegotiation IS supported
     Compression: NONE
     Expansion: NONE
     No ALPN negotiated
     SSL-Session:
         Protocol  : TLSv1.2
         Cipher    : ECDHE-RSA-AES128-GCM-SHA256
         Session-ID: 43CE40B2F90AD58A04FBD25850D9C8B9444324ACB2E6FCE8AF5C5B51CB556069
         Session-ID-ctx:
         Master-Key: 6AE72C0F8E9CF2DAB8D07FE6885AE76E97FE0C2462E1B4FFD42A86825913D53A6518304CC37F61667365BEE543FEA869
         PSK identity: None
         PSK identity hint: None
         SRP username: None
         TLS session ticket:
         0000 - 7c 40 1d 7d b5 e9 67 a4-50 44 06 b3 f2 70 14 a2   |@.}..g.PD...p..
         0010 - f2 43 ab 8e 1b 06 f4 b0-d8 99 71 c1 50 f2 88 c8   .C........q.P...
         0020 - 16 e5 4a 56 71 ca 65 c4-59 d8 51 ce 43 90 e7 84   ..JVq.e.Y.Q.C...
         0030 - 81 1f d0 dc 99 cd bd fd-8a b8 b3 7e 73 db 42 53   ...........~s.BS
         0040 - 3d f3 a8 68 45 0a 83 fb-a6 64 26 70 28 d4 3f 4d   =..hE....d&p(.?M
         0050 - b8 73 45 e9 0a 5d 6d db-09 e4 fd 8b 04 97 6e 53   .sE..]m.......nS
         0060 - 17 e4 f9 eb ea 12 05 4e-1d 6c cd 20 b5 ee ed 54   .......N.l. ...T
         0070 - ac a0 d6 32 2d ab 42 12-                          ...2-.B.
         Start Time: 1539240039
         Timeout   : 7200 (sec)
         Verify return code: 19 (self signed certificate in certificate chain)
         Extended master secret: no
     ---
    

    Note: You must replace IP 9.111.255.33 with your own worker host IP.
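
The verification in step 2 of both the etcd and kubelet sections can be scripted. The following is an added example, not part of the IBM Cloud Private documentation: it extracts the negotiated cipher from openssl s_client output and checks it against the list passed in config.yaml. The function names and the SAMPLE excerpt are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the cipher reported by `openssl s_client` with the
# suites set in config.yaml. SAMPLE and the helper names are constructed.

# Map the IANA names used in config.yaml to OpenSSL's names
# (only the GCM suites configured on this page).
iana_to_openssl() {
  case "$1" in
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)   echo ECDHE-RSA-AES128-GCM-SHA256 ;;
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)   echo ECDHE-RSA-AES256-GCM-SHA384 ;;
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) echo ECDHE-ECDSA-AES128-GCM-SHA256 ;;
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384) echo ECDHE-ECDSA-AES256-GCM-SHA384 ;;
    *) return 1 ;;
  esac
}

# Print the negotiated cipher from s_client output read on stdin.
negotiated_cipher() {
  sed -n 's/^ *New, .*Cipher is \([^ ]*\).*$/\1/p' | head -n 1
}

# cipher_allowed "IANA1,IANA2" < s_client-output
# 0 = negotiated cipher is in the list, 1 = it is not, 2 = no handshake.
cipher_allowed() {
  got=$(negotiated_cipher)
  [ -n "$got" ] && [ "$got" != "(NONE)" ] || return 2
  old_ifs=$IFS; IFS=,
  for suite in $1; do
    IFS=$old_ifs
    if [ "$(iana_to_openssl "$suite")" = "$got" ]; then return 0; fi
  done
  IFS=$old_ifs
  return 1
}

# Live probe (needs a reachable node): offer only the weak suite named above.
# 0 = server refused it, 1 = server accepted it, 2 = the local openssl build
# has no 3DES, so a failure would say nothing about the server.
weak_suite_refused() {  # usage: weak_suite_refused HOST:PORT
  weak=ECDHE-RSA-DES-CBC3-SHA
  openssl ciphers "$weak" >/dev/null 2>&1 || return 2
  out=$(openssl s_client -connect "$1" -tls1_2 -cipher "$weak" </dev/null 2>&1) || true
  [ "$(printf '%s\n' "$out" | negotiated_cipher)" != "$weak" ]
}

# Constructed excerpt in the shape of the s_client output shown above.
SAMPLE='---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit'
```

To check a running node, pipe a real run into the function: openssl s_client -connect HOST:PORT </dev/null 2>&1 | cipher_allowed "$LIST". An RSA serving certificate can negotiate only ECDHE_RSA suites, so compare against a list that matches the key type of the certificate the node presents.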