How To
Summary
Users may want to specify exactly which TLS versions and cipher suites are enabled for use inside their cluster. Kubernetes version 1.10 and above (corresponding to IBM Cloud Private versions 2.1.0.3 and above) makes it possible to configure these details after installation. These changes will affect communication on ports 8001 and 10250.
Steps
Adjusting the configuration of the apiserver (port 8001)
- SSH to a master node in the cluster.
- Make a copy of the /etc/cfc/pods/master.json file so that you may edit it safely. For example:
  cp /etc/cfc/pods/master.json /tmp/master.json.copy
- Identify the section with the apiserver command. It should resemble this:
  "command": [
  "/hyperkube",
  "apiserver",
- To modify the allowed cipher suite(s), insert this line after the "apiserver" line (including the comma at the end):
  "--tls-cipher-suites=<insert comma-separated list>",
- Overwrite the placeholder tag with a comma-separated list of the ciphers you want enabled. The full list of allowed ciphers is at https://golang.org/pkg/crypto/tls/#pkg-constants, but here is an example configuration:
  "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA",
- To modify the allowed TLS version(s), insert this line (including the comma at the end):
  "--tls-min-version=<insert value>",
- Overwrite the placeholder tag with one of these possible versions:
  VersionSSL30,VersionTLS10,VersionTLS11,VersionTLS12
- Ensure that the list has no whitespace in it, and that the modified file is still in a valid JSON format.
- Make a backup of the master.json file. For example:
  cp /etc/cfc/pods/master.json /tmp/master.json.backup
- Overwrite the file to make the change. For example:
  mv /tmp/master.json.copy /etc/cfc/pods/master.json
- (HA clusters only) Repeat the steps above for each master node.
- The k8s-master pods should have restarted and accepted the change. This command can be used to confirm the status of those pods:
  kubectl -n kube-system get pods | grep k8s-master
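As an added example (not part of this technote or of IBM Cloud Private), the following Python helper performs the apiserver edit and the checks from the steps above on a copy of the manifest: it inserts both flags directly after "apiserver", rejects cipher names or versions outside the allowed sets, refuses whitespace in the list, and only works on input that parses as valid JSON. The manifest layout (spec.containers[].command) and the sample manifest are assumptions made for the example.

```python
import json

# Go crypto/tls constants accepted by --tls-cipher-suites (the technote's example list;
# extend from https://golang.org/pkg/crypto/tls/#pkg-constants as needed)
KNOWN_CIPHER_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
}
# Values accepted by --tls-min-version; VersionTLS12 is the sensible floor.
KNOWN_MIN_VERSIONS = {"VersionSSL30", "VersionTLS10", "VersionTLS11", "VersionTLS12"}
TLS_FLAG_PREFIXES = ("--tls-cipher-suites=", "--tls-min-version=")


def build_tls_flags(cipher_suites, min_version):
    """Validate the inputs and return the two flag strings to insert."""
    for suite in cipher_suites:
        if suite != suite.strip() or suite not in KNOWN_CIPHER_SUITES:
            raise ValueError(f"unknown or malformed cipher suite: {suite!r}")
    if min_version not in KNOWN_MIN_VERSIONS:
        raise ValueError(f"unknown TLS version: {min_version!r}")
    # join with bare commas: the flag value must contain no whitespace
    return ["--tls-cipher-suites=" + ",".join(cipher_suites),
            "--tls-min-version=" + min_version]


def patch_apiserver_command(manifest_text, cipher_suites, min_version):
    """Insert (or replace) the TLS flags right after "apiserver" in the hyperkube
    apiserver command of a static-pod manifest and return the new JSON text."""
    manifest = json.loads(manifest_text)  # fails loudly if the input is not valid JSON
    flags = build_tls_flags(cipher_suites, min_version)
    for container in manifest["spec"]["containers"]:  # assumed manifest layout
        cmd = container.get("command", [])
        if cmd[:2] == ["/hyperkube", "apiserver"]:
            # drop earlier copies of the flags so re-running the script is safe
            rest = [a for a in cmd[2:] if not a.startswith(TLS_FLAG_PREFIXES)]
            container["command"] = cmd[:2] + flags + rest
            return json.dumps(manifest, indent=2)
    raise ValueError("no hyperkube apiserver container found in manifest")


# Constructed sample resembling /etc/cfc/pods/master.json (not the real file).
SAMPLE_MASTER_JSON = json.dumps({"spec": {"containers": [
    {"name": "controller-manager", "command": ["/hyperkube", "controller-manager"]},
    {"name": "apiserver", "command": ["/hyperkube", "apiserver", "--secure-port=8001"]},
]}})
```

Write the returned text to the copy of the file, then diff it against the original before moving it into place.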
Adjusting the configuration of kubelet (port 10250)
Note: changing this setting requires restarting the kubelet service on each node. Take care when applying this on clusters with production loads.
- SSH to a master node in the cluster.
- Make a copy of the /etc/systemd/system/kubelet.service file so that you may edit it safely. For example:
  cp /etc/systemd/system/kubelet.service /tmp/kubelet.service.copy
- To modify the allowed cipher suite(s), insert this line in the "ExecStart" section, on its own line (including the backslash at the end):
  --tls-cipher-suites=<insert comma-separated list> \
- Overwrite the placeholder tag with the same list you used in the apiserver configuration.
- To modify the allowed TLS version(s), insert this line (including the backslash at the end):
  --tls-min-version=<insert value> \
- Overwrite the placeholder tag with the same value you used in the apiserver configuration.
- Ensure that the file is correctly formatted.
- Make a backup of the kubelet.service file. For example:
  cp /etc/systemd/system/kubelet.service /tmp/kubelet.service.backup
- Overwrite the file to make the change. For example:
  mv /tmp/kubelet.service.copy /etc/systemd/system/kubelet.service
- Restart the kubelet service on the node. You may need to run
  systemctl daemon-reload
  while kubelet is stopped in order for the changes to take effect. For more details on restarting kubelet, see this page: https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/manage_cluster/restart_cluster.html
- You can confirm the setting has been properly applied by checking the output of
  ps -ef | grep 'hyperkube kubelet'
  The command flags you set should be visible.
- Repeat the steps above for every node in the cluster (not just the master nodes).
Document Information
Modified date: 04 February 2019
UID: ibm10843102