IBM Support

Modifying Cipher Suites used by Kubernetes in IBM Cloud Private

How To


Summary

Users may want to specify exactly which TLS versions and cipher suites are enabled for use inside their cluster. Kubernetes version 1.10 and above (corresponding to IBM Cloud Private versions 2.1.0.3 and above) makes it possible to configure these details after installation. These changes will affect communication on ports 8001 and 10250.

Steps

Adjusting the configuration of the apiserver (port 8001)

  1. SSH to a master node in the cluster.
  2. Make a copy of the /etc/cfc/pods/master.json file so that you may edit it safely. For example,
    cp /etc/cfc/pods/master.json /tmp/master.json.copy
  3. Identify the section with the apiserver command. It should resemble this:
    "command": [
        "/hyperkube",
        "apiserver",
  4. To modify the allowed cipher suite(s), insert this line after the "apiserver" line (including the comma at the end):
        "--tls-cipher-suites=<insert comma-separated list>",
  5. Overwrite the placeholder tag with a comma-separated list of the ciphers you want enabled. The full list of allowed ciphers is at https://golang.org/pkg/crypto/tls/#pkg-constants, but here is an example configuration:
        "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA",
  6. To modify the allowed TLS version(s), insert this line (including the comma at the end):
        "--tls-min-version=<insert value>",
  7. Overwrite the placeholder tag with one of these possible versions:
    VersionSSL30,VersionTLS10,VersionTLS11,VersionTLS12
  8. Ensure that the list has no whitespace in it, and that the modified file is still in a valid JSON format.
  9. Make a backup of the master.json file. For example,
    cp /etc/cfc/pods/master.json /tmp/master.json.backup
  10. Overwrite the file to make the change. For example,
    mv /tmp/master.json.copy /etc/cfc/pods/master.json
  11. (HA clusters only) Repeat the steps above for each master node.
  12. The k8s-master pods should have restarted and accepted the change. This command can be used to confirm the status of those pods:
    kubectl -n kube-system get pods | grep k8s-master
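As an added example of steps 3 to 8 above (not IBM's own tooling), the script below edits a copy of the manifest in code instead of by hand: it inserts the two flags directly after the "apiserver" entry, rejects a cipher list containing whitespace or an unrecognised --tls-min-version value, and re-serialises the result as valid JSON. It assumes a constructed, cut-down master.json embedded in the script; for real use, read /tmp/master.json.copy instead.

```python
"""Set --tls-cipher-suites / --tls-min-version on the apiserver command in master.json."""
import json

# The four values the page lists for --tls-min-version.
ALLOWED_MIN_VERSIONS = {"VersionSSL30", "VersionTLS10", "VersionTLS11", "VersionTLS12"}

# Constructed sample: only the parts of the static-pod manifest the procedure touches.
SAMPLE_MASTER_JSON = """{
  "apiVersion": "v1", "kind": "Pod",
  "spec": {"containers": [
    {"name": "controller-manager", "command": ["/hyperkube", "controller-manager"]},
    {"name": "apiserver", "command": ["/hyperkube", "apiserver", "--secure-port=8001"]}
  ]}
}"""


def set_apiserver_tls_flags(manifest_text, cipher_suites, min_version):
    """Return the manifest JSON with both TLS flags set on the apiserver command.

    Re-running replaces any earlier values rather than adding duplicates; the
    cipher list is rejected if it contains whitespace (step 8 on the page).
    """
    if any(ch.isspace() for ch in cipher_suites):
        raise ValueError("cipher suite list must not contain whitespace")
    if min_version not in ALLOWED_MIN_VERSIONS:
        raise ValueError("unknown --tls-min-version value: %s" % min_version)
    manifest = json.loads(manifest_text)  # raises on malformed JSON
    for container in manifest["spec"]["containers"]:
        cmd = container.get("command", [])
        if cmd[:2] != ["/hyperkube", "apiserver"]:
            continue
        # Drop previous settings so the edit is idempotent, then insert after "apiserver".
        cmd = [a for a in cmd if not a.startswith(("--tls-cipher-suites=", "--tls-min-version="))]
        cmd[2:2] = ["--tls-cipher-suites=" + cipher_suites, "--tls-min-version=" + min_version]
        container["command"] = cmd
        return json.dumps(manifest, indent=2)
    raise ValueError("no container with command /hyperkube apiserver found")


def apiserver_command(manifest_text):
    """Return the apiserver container's command list (for checking the result)."""
    for c in json.loads(manifest_text)["spec"]["containers"]:
        if c.get("command", [])[:2] == ["/hyperkube", "apiserver"]:
            return c["command"]
    return []


if __name__ == "__main__":
    ciphers = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
    print(set_apiserver_tls_flags(SAMPLE_MASTER_JSON, ciphers, "VersionTLS12"))
```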

Adjusting the configuration of kubelet (port 10250)

Note: changing this setting requires restarting the kubelet service on each node. Take care when applying this on clusters with production loads.
  1. SSH to a master node in the cluster.
  2. Make a copy of the /etc/systemd/system/kubelet.service file so that you may edit it safely. For example,
    cp /etc/systemd/system/kubelet.service /tmp/kubelet.service.copy
  3. To modify the allowed cipher suite(s), insert this line in the "ExecStart" section, on its own line (including the backslash at the end):
        --tls-cipher-suites=<insert comma-separated list> \
  4. Overwrite the placeholder tag with the same list you used in the apiserver configuration.
  5. To modify the allowed TLS version(s), insert this line (including the backslash at the end):
        --tls-min-version=<insert value> \
  6. Overwrite the placeholder tag with the same value you used in the apiserver configuration.
  7. Ensure that the file is correctly formatted.
  8. Make a backup of the kubelet.service file. For example,
    cp /etc/systemd/system/kubelet.service /tmp/kubelet.service.backup
  9. Overwrite the file to make the change. For example,
    mv /tmp/kubelet.service.copy /etc/systemd/system/kubelet.service
  10. Restart the kubelet service on the node. You may need to run systemctl daemon-reload while kubelet is stopped in order for the changes to take effect. For more details on restarting kubelet, see this page: https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/manage_cluster/restart_cluster.html
  11. You can confirm the setting has been properly applied by checking the output of ps -ef | grep 'hyperkube kubelet'; the command flags you set should be visible.
  12. Repeat the steps above for every node in the cluster (not just the master nodes).

Document Location

Worldwide

Document Information

Modified date:
04 February 2019

UID

ibm10843102