Specifying TLS ciphers for etcd and Kubernetes

The default cipher suites that etcd, kube-apiserver, and kubelet pick up include the weak cipher ECDHE-RSA-DES-CBC3-SHA, which can expose the cluster to security vulnerabilities. To prevent this, you can configure etcd, kube-apiserver, and kubelet with cipher suites that provide strong protection for the IBM® Cloud Private cluster.

Note: Enabling HTTP/2 can complicate the ordering of cipher suites. You should select your own ciphers and specify their order.

etcd

You can specify the supported TLS ciphers to use in communication between the master and etcd servers.

  1. In config.yaml, add the following option:

     etcd_extra_args: ["--cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
    

    For more information, see the etcd community documentation.

  2. Once the IBM® Cloud Private cluster is running, you can verify that the cipher suites are applied. For example:

     # openssl s_client -connect 9.111.254.123:4001
     CONNECTED(00000003)
     depth=0 CN = demo.icp
     verify error:num=20:unable to get local issuer certificate
     verify return:1
     depth=0 CN = demo.icp
     verify error:num=21:unable to verify the first certificate
     verify return:1
     140175725818304:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1399:SSL alert number 42
     ---
     Certificate chain
     0 s:/CN=demo.icp
     i:/CN=demo.icp
     ---
     Server certificate
     subject=/CN=demo.icp
     issuer=/CN=demo.icp
     ---
     Acceptable client certificate CA names
     /CN=demo.icp
     Client Certificate Types: RSA sign, ECDSA sign
     Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA1:ECDSA+SHA1
     Shared Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA1:ECDSA+SHA1
     Peer signing digest: SHA384
     Server Temp Key: X25519, 253 bits
     ---
     SSL handshake has read 1325 bytes and written 281 bytes
     Verification error: unable to verify the first certificate
     ---
     New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
     Server public key is 2048 bit
     Secure Renegotiation IS supported
     Compression: NONE
     Expansion: NONE
     No ALPN negotiated
     SSL-Session:
         Protocol  : TLSv1.2
         Cipher    : ECDHE-RSA-AES128-GCM-SHA256
         Session-ID:
         Session-ID-ctx:
         Master-Key: 0465F6532FBF62DBD971C9307EB86C9FAFCCD665A2E11C7B674AC78D7515B2DD6F7EE6F8C2D637AA7AD770C434A74C94
         PSK identity: None
         PSK identity hint: None
         SRP username: None
         Start Time: 1539238527
         Timeout   : 7200 (sec)
         Verify return code: 21 (unable to verify the first certificate)
         Extended master secret: no
     ---
    

    Note: You must replace IP 9.111.254.123 with your own master (etcd) host IP.

kube-apiserver

You can specify the supported TLS ciphers to use in communication between the kube-apiserver and applications.

  1. In config.yaml, add the following option:

     kube_apiserver_extra_args: ["--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
    

    Possible cipher suites are:

    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
    • TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    • TLS_ECDHE_RSA_WITH_RC4_128_SHA
    • TLS_RSA_WITH_3DES_EDE_CBC_SHA
    • TLS_RSA_WITH_AES_128_CBC_SHA
    • TLS_RSA_WITH_AES_128_CBC_SHA256
    • TLS_RSA_WITH_AES_128_GCM_SHA256
    • TLS_RSA_WITH_AES_256_CBC_SHA
    • TLS_RSA_WITH_AES_256_GCM_SHA384
    • TLS_RSA_WITH_RC4_128_SHA

    For more information, see the Kubernetes documentation.

  2. Once the IBM® Cloud Private cluster is running, you can verify that the cipher suites are applied.

     # openssl s_client -connect 9.111.254.123:8001
     CONNECTED(00000003)
     depth=0 CN = kubernetes-master
     verify error:num=20:unable to get local issuer certificate
     verify return:1
     depth=0 CN = kubernetes-master
     verify error:num=21:unable to verify the first certificate
     verify return:1
     ---
     Certificate chain
     0 s:/CN=kubernetes-master
     i:/C=US/ST=New York/L=Armonk/O=IBM Cloud Private/CN=www.ibm.com
     ---
     Server certificate
     subject=/CN=kubernetes-master
     issuer=/C=US/ST=New York/L=Armonk/O=IBM Cloud Private/CN=www.ibm.com
     ---
     Acceptable client certificate CA names
     /C=US/ST=New York/L=Armonk/O=IBM Cloud Private/CN=www.ibm.com
     /CN=demo.icp
     Client Certificate Types: RSA sign, ECDSA sign
     Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
     Shared Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
     Peer signing digest: SHA512
     Server Temp Key: X25519, 253 bits
     ---
     SSL handshake has read 2156 bytes and written 281 bytes
     Verification error: unable to verify the first certificate
     ---
     New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
     Server public key is 2048 bit
     Secure Renegotiation IS supported
     Compression: NONE
     Expansion: NONE
     No ALPN negotiated
     SSL-Session:
         Protocol  : TLSv1.2
         Cipher    : ECDHE-RSA-AES128-GCM-SHA256
         Session-ID: 0BC723C503CE047AECD13FEBC2AEA3A6C4B2B62F82BDF30B78A3E1EE099179CB
         Session-ID-ctx:
         Master-Key: 3844BC9E421A35462C71303631157D1C7D37EEBC419099ECA2924615953B6EFCEA79B8A87C4CE7B37ECF1C0B8BE93586
         PSK identity: None
         PSK identity hint: None
         SRP username: None
         Start Time: 1539239373
         Timeout   : 7200 (sec)
         Verify return code: 21 (unable to verify the first certificate)
         Extended master secret: no
     ---
    

    Note: You must replace IP 9.111.254.123 with your own master host IP.
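
The list of possible cipher suites above includes RC4, 3DES, CBC-mode and static-RSA suites alongside the AEAD ones, so a value pasted into config.yaml is worth checking before deployment. The following script is an added example, not IBM's code: it audits an `*_extra_args` line against a policy that is this example's own assumption (only ECDHE suites with AES-GCM or ChaCha20-Poly1305 pass); the function names and the `BAD` line are constructed.

```sh
#!/bin/sh
# Added example: audit the cipher suites in a config.yaml *_extra_args line.
# Policy (assumption of this example): reject RC4, 3DES, CBC-mode suites and
# static-RSA key exchange (no forward secrecy); accept the remaining ECDHE suites.

# classify_suite NAME -> prints "ok" or the reason the suite is rejected
classify_suite() {
  case "$1" in
    *_RC4_*)        echo "weak:RC4" ;;
    *_3DES_*)       echo "weak:3DES" ;;
    *_CBC_*)        echo "weak:CBC" ;;
    TLS_RSA_WITH_*) echo "weak:no-forward-secrecy" ;;
    TLS_ECDHE_*)    echo "ok" ;;
    *)              echo "unknown" ;;
  esac
}

# suites_from_arg LINE -> one suite per line, taken from the value of
# --cipher-suites= (etcd) or --tls-cipher-suites= (kube-apiserver, kubelet)
suites_from_arg() {
  printf '%s\n' "$1" |
    sed -n 's/.*--\(tls-\)\{0,1\}cipher-suites=\([A-Za-z0-9_,]*\).*/\2/p' |
    tr ',' '\n'
}

# audit_line LINE -> prints "suite verdict" rows.
# Returns 0 if every suite is ok, 1 if any is not, 2 if the flag is absent.
audit_line() {
  bad=0; n=0
  for s in $(suites_from_arg "$1"); do
    n=$((n + 1))
    v=$(classify_suite "$s")
    echo "$s $v"
    [ "$v" = "ok" ] || bad=1
  done
  [ "$n" -gt 0 ] || { echo "no cipher-suites flag: component defaults apply"; return 2; }
  return "$bad"
}

# GOOD is the kube-apiserver line from this page; BAD is constructed for the demo.
GOOD='kube_apiserver_extra_args: ["--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]'
BAD='kubelet_extra_args: ["--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_RC4_128_SHA"]'
audit_line "$GOOD" || echo "GOOD line rejected"
audit_line "$BAD"  || echo "BAD line rejected (expected)"
```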

kubelet

You can specify the supported TLS ciphers to use in communication between the kubelet and applications, for example, Heapster or Prometheus.

  1. In config.yaml, add the following option:

     kubelet_extra_args: ["--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
    

    Possible values are:

    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
    • TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    • TLS_ECDHE_RSA_WITH_RC4_128_SHA
    • TLS_RSA_WITH_3DES_EDE_CBC_SHA
    • TLS_RSA_WITH_AES_128_CBC_SHA
    • TLS_RSA_WITH_AES_128_CBC_SHA256
    • TLS_RSA_WITH_AES_128_GCM_SHA256
    • TLS_RSA_WITH_AES_256_CBC_SHA
    • TLS_RSA_WITH_AES_256_GCM_SHA384
    • TLS_RSA_WITH_RC4_128_SHA

  2. Once the IBM® Cloud Private cluster is running, you can verify that the cipher suites are applied.

     # openssl s_client -connect 9.111.255.33:10250
     CONNECTED(00000003)
     depth=1 CN = 9.111.255.33-ca@1538050035
     verify error:num=19:self signed certificate in certificate chain
     ---
     Certificate chain
     0 s:/CN=9.111.255.33@1538050035
     i:/CN=9.111.255.33-ca@1538050035
     1 s:/CN=9.111.255.33-ca@1538050035
     i:/CN=9.111.255.33-ca@1538050035
     ---
     Server certificate
     subject=/CN=9.111.255.33@1538050035
     issuer=/CN=9.111.255.33-ca@1538050035
     ---
     Acceptable client certificate CA names
     /C=US/ST=New York/L=Armonk/O=IBM Cloud Private/CN=www.ibm.com
     Client Certificate Types: RSA sign, ECDSA sign
     Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
     Shared Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
     Peer signing digest: SHA512
     Server Temp Key: X25519, 253 bits
     ---
     SSL handshake has read 2239 bytes and written 281 bytes
     Verification error: self signed certificate in certificate chain
     ---
     New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
     Server public key is 2048 bit
     Secure Renegotiation IS supported
     Compression: NONE
     Expansion: NONE
     No ALPN negotiated
     SSL-Session:
         Protocol  : TLSv1.2
         Cipher    : ECDHE-RSA-AES128-GCM-SHA256
         Session-ID: 43CE40B2F90AD58A04FBD25850D9C8B9444324ACB2E6FCE8AF5C5B51CB556069
         Session-ID-ctx:
         Master-Key: 6AE72C0F8E9CF2DAB8D07FE6885AE76E97FE0C2462E1B4FFD42A86825913D53A6518304CC37F61667365BEE543FEA869
         PSK identity: None
         PSK identity hint: None
         SRP username: None
         Start Time: 1539240039
         Timeout   : 7200 (sec)
         Verify return code: 19 (self signed certificate in certificate chain)
         Extended master secret: no
     ---
    

    Note: You must replace IP 9.111.255.33 with your own worker host IP.
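
The transcripts above report OpenSSL names (ECDHE-RSA-AES128-GCM-SHA256) while config.yaml takes IANA names (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256). This added example, which is not part of the IBM documentation, translates the configured names and checks the cipher that s_client reports against them; the function names are hypothetical and the sample transcript is constructed from lines shown above.

```sh
#!/bin/sh
# Added example: compare the cipher an `openssl s_client` run negotiated with
# the suites configured in config.yaml.

# iana_to_openssl NAME -> OpenSSL name. Only ECDHE AEAD suites (AES-GCM,
# ChaCha20-Poly1305) are handled; other families do not follow this renaming.
iana_to_openssl() {
  case "$1" in
    TLS_ECDHE_*_GCM_SHA*|TLS_ECDHE_*_CHACHA20_POLY1305)
      printf '%s\n' "$1" |
        sed 's/^TLS_//; s/_WITH_/_/; s/AES_\([0-9]*\)/AES\1/; s/_/-/g' ;;
    *) return 1 ;;
  esac
}

# negotiated_cipher: reads s_client output on stdin, prints the SSL-Session cipher.
negotiated_cipher() {
  sed -n 's/^ *Cipher *: *//p' | head -n 1
}

# check_transcript CSV: stdin is s_client output, CSV the configured IANA suites.
# Returns 0 if the negotiated cipher is configured, 1 if not, 2 if no handshake.
check_transcript() {
  got=$(negotiated_cipher)
  case "$got" in ''|0000|'(NONE)') echo "no cipher negotiated"; return 2 ;; esac
  for s in $(printf '%s' "$1" | tr ',' ' '); do
    if [ "$(iana_to_openssl "$s")" = "$got" ]; then echo "ok $got"; return 0; fi
  done
  echo "unexpected $got"; return 1
}

# Constructed sample: the lines that matter from the transcripts on this page.
SAMPLE='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'
SUITES=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
printf '%s\n' "$SAMPLE" | check_transcript "$SUITES" || echo "FAIL"

# Live use (replace the address with your own host and port):
#   openssl s_client -connect <host-ip>:<port> </dev/null 2>/dev/null | check_transcript "$SUITES"
```

To confirm that the weak suite named in the introduction is refused, repeat the live command with `-tls1_2 -cipher ECDHE-RSA-DES-CBC3-SHA` and expect return code 2. If `openssl ciphers ECDHE-RSA-DES-CBC3-SHA` reports an error, the local OpenSSL build lacks 3DES and that failure says nothing about the server.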