New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support for custom tls cipher suites in api server and kubelet #48859

Merged
merged 1 commit into from Jan 18, 2018

Conversation

@victorgp
Contributor

victorgp commented Jul 13, 2017

What this PR does / why we need it:
This pull request aims to solve the problem of users not able to set custom cipher suites in the api server.
Several users have requested this given that some default ciphers are vulnerable.
There is a discussion in #41038 of how to implement this. The options are:

  • Setting a fixed list of ciphers, but users will have different requirements so a fixed list would be problematic.
  • Letting the user set them by parameter, this requires adding a new parameter that could be pretty long with the list of all the ciphers.

I implemented the second option, if the ciphers are not passed by parameter, the Go default ones will be used (same behavior as now).

Which issue this PR fixes
fixes #41038

Special notes for your reviewer:
The ciphers in Go tls config are constants and the ones passed by parameters are a comma-separated list. I needed to create the type CipherSuitesFlag to support that conversion/mapping, because i couldn't find any way to do this type of reflection in Go.
If you think there is another way to implement this, let me know.

If you want to test it out, this is a ciphers combination i tested without the weak ones:

TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

If this is merged i will implement the same for the Kubelet.

Release note:

kube-apiserver and kubelet now support customizing TLS ciphers via a `--tls-cipher-suites` flag
@k8s-ci-robot

This comment has been minimized.

Contributor

k8s-ci-robot commented Jul 13, 2017

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://github.com/kubernetes/kubernetes/wiki/CLA-FAQ to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@victorgp

This comment has been minimized.

Contributor

victorgp commented Jul 13, 2017

CLA signed

func NewCipherSuitesFlag() *CipherSuitesFlag {
return &CipherSuitesFlag{
"TLS_RSA_WITH_RC4_128_SHA": 0x0005,

This comment has been minimized.

@liggitt

liggitt Jul 13, 2017

Member

prefer tls constants here

This comment has been minimized.

@liggitt

liggitt Jul 13, 2017

Member

see https://github.com/liggitt/origin/blob/master/pkg/cmd/server/crypto/crypto.go#L72-L112 for an example, and https://github.com/liggitt/origin/blob/master/pkg/cmd/server/crypto/crypto_test.go#L16-L54 for a test to make sure the allowed values stays up to date with the ciphers supported by the TLS stack

// CipherSuites is the list of allowed cipher suites for the server.
// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
CipherSuites string

This comment has been minimized.

@liggitt

liggitt Jul 13, 2017

Member

this should probably go in SecureServingOptions and be []string, tied to a string slice flag

@victorgp

This comment has been minimized.

Contributor

victorgp commented Jul 17, 2017

Parameter set to []string, new test added and using constants instead of numbers

// CipherSuites is the list of allowed cipher suites for the server.
// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
CipherSuites []string

This comment has been minimized.

@liggitt

liggitt Jul 17, 2017

Member

still needs to be moved to SecureServingOptions

@@ -246,6 +255,16 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
}
}
if len(s.ServerCert.CipherSuites) != 0 {
csFlag := utilflag.NewCipherSuitesFlag()
cipherSuites, err := csFlag.StrToUInt16(s.ServerCert.CipherSuites)

This comment has been minimized.

@liggitt

liggitt Jul 17, 2017

Member

this can just be a util function, no need for a flag type now

@victorgp

This comment has been minimized.

Contributor

victorgp commented Jul 17, 2017

Sorry, i missed that part. Updated and type removed using just a function instead.

@ncdc

This comment has been minimized.

Member

ncdc commented Jul 17, 2017

/unassign

fs.StringSliceVar(&s.CipherSuites, "tls-cipher-suites", s.CipherSuites,
"Comma-separated list of cipher suites for the server. "+
"Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). "+
"If ommited, the default Go cipher suites will be used")

This comment has been minimized.

@liggitt

liggitt Jul 17, 2017

Member

omitted

// ciphers maps strings into tls package cipher constants in
// https://golang.org/pkg/crypto/tls/#pkg-constants
var ciphers = map[string]uint16{

This comment has been minimized.

@liggitt

liggitt Jul 17, 2017

Member

put these somewhere the apiserver and kubelet can both reference it...

This comment has been minimized.

@victorgp

victorgp Sep 29, 2017

Contributor

After adding support for the kubelet, i didn't need to move this. It is accesible from the kubelet code, indeed, it was already imported so i didn't need to import anything.

Let me know if you still prefer to put it in another location, and if so, what would be the best one?

@liggitt

This comment has been minimized.

Member

liggitt commented Jul 17, 2017

I'd like to see the option added to the kubelet at the same time... that'll help ensure the cipher util is put in a good package location

@victorgp

This comment has been minimized.

Contributor

victorgp commented Jul 21, 2017

Sure, i will implement the kubelet part too, i'll be out for 2 weeks though, so once i'm back.

@dims

This comment has been minimized.

Member

dims commented Aug 17, 2017

/ok-to-test

@k8s-ci-robot

This comment has been minimized.

Contributor

k8s-ci-robot commented Jan 17, 2018

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: derekwaynecarr, dims, liggitt, mtaufen, victorgp

Associated issue: #41038

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@victorgp

This comment has been minimized.

Contributor

victorgp commented Jan 18, 2018

/retest

@k8s-merge-robot

This comment has been minimized.

Contributor

k8s-merge-robot commented Jan 18, 2018

/test all [submit-queue is verifying that this PR is safe to merge]

@k8s-merge-robot

This comment has been minimized.

Contributor

k8s-merge-robot commented Jan 18, 2018

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-merge-robot k8s-merge-robot merged commit b7100f1 into kubernetes:master Jan 18, 2018

12 of 13 checks passed

Submit Queue Required Github CI test is not green: pull-kubernetes-verify
Details
cla/linuxfoundation victorgp authorized
Details
pull-kubernetes-bazel-build Job succeeded.
Details
pull-kubernetes-bazel-test Job succeeded.
Details
pull-kubernetes-cross Skipped
pull-kubernetes-e2e-gce Job succeeded.
Details
pull-kubernetes-e2e-gce-device-plugin-gpu Job succeeded.
Details
pull-kubernetes-e2e-gke-gci Skipped
pull-kubernetes-e2e-kops-aws Job succeeded.
Details
pull-kubernetes-kubemark-e2e-gce Job succeeded.
Details
pull-kubernetes-node-e2e Job succeeded.
Details
pull-kubernetes-unit Job succeeded.
Details
pull-kubernetes-verify Job succeeded.
Details
@liggitt

This comment has been minimized.

Member

liggitt commented Jan 18, 2018

\o/

@duglin

This comment has been minimized.

Contributor

duglin commented Jan 18, 2018

thanks @liggitt !

@victorgp

This comment has been minimized.

Contributor

victorgp commented Jan 18, 2018

Yeeees! Merged ;)

Thanks all!

@@ -442,6 +442,10 @@ func AddKubeletConfigFlags(fs *pflag.FlagSet, c *kubeletconfig.KubeletConfigurat
"If --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key "+
"are generated for the public address and saved to the directory passed to --cert-dir.")
fs.StringVar(&c.TLSPrivateKeyFile, "tls-private-key-file", c.TLSPrivateKeyFile, "File containing x509 private key matching --tls-cert-file.")
fs.StringSliceVar(&c.TLSCipherSuites, "tls-cipher-suites", c.TLSCipherSuites,
"Comma-separated list of cipher suites for the server. "+
"Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). "+

This comment has been minimized.

@lavalamp

lavalamp Jan 18, 2018

Member

List the values in this help message?

This comment has been minimized.

@liggitt

liggitt Jan 18, 2018

Member

yeah, that's a good idea

This comment has been minimized.

@victorgp

victorgp Jan 27, 2018

Contributor

@lavalamp @liggitt i've made this PR to address this issue: #58920

This comment has been minimized.

@liggitt

liggitt Jan 27, 2018

Member

Thanks for following up

@@ -134,6 +137,11 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
"Controllers. This must be a valid PEM-encoded CA bundle. Altneratively, the certificate authority "+
"can be appended to the certificate provided by --tls-cert-file.")
fs.StringSliceVar(&s.TLSCipherSuites, "tls-cipher-suites", s.TLSCipherSuites,
"Comma-separated list of cipher suites for the server. "+
"Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). "+

This comment has been minimized.

@lavalamp

lavalamp Jan 18, 2018

Member

Same comment

"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,

This comment has been minimized.

@lavalamp

lavalamp Jan 18, 2018

Member

If humans are supposed to type these things in, maybe omit the "TLS_" prefix, as it only adds verbosity?

This comment has been minimized.

@liggitt

liggitt Jan 18, 2018

Member
// Supported cipher
clientCiphers: []uint16{tls.TLS_RSA_WITH_AES_256_CBC_SHA},
expectedError: false,
},

This comment has been minimized.

@lavalamp

lavalamp Jan 18, 2018

Member

I would prefer to see two tests for each cipher, one verifying it works when present, one verifying it doesn't when not.

@victorgp

This comment has been minimized.

Contributor

victorgp commented Jan 18, 2018

Ok will take care of these two things in another PR (the values in the help message and the tests)

@gregory-lyons

This comment has been minimized.

gregory-lyons commented Jan 26, 2018

Any chance of this getting cherry-picked to earlier versions?

@liggitt

This comment has been minimized.

Member

liggitt commented Jan 27, 2018

Given that it is a new feature and the size of the change, that is unlikely

@victorgp

This comment has been minimized.

Contributor

victorgp commented Jan 27, 2018

@lavalamp regarding the tests changes, i've might find an issue in how Go handles the ciphers.

From the list of Go supported 22 cipher suites here https://golang.org/pkg/crypto/tls/#pkg-constants there are only 10 that actually work and 12 don't work. Let me explain.

If you create a simple http server with the default Go TLS configuration, and you list the supported ciphers with a tool like openssl or nmap, only 10 show up.
If you do a HTTP request with any of the 12 not listed, the TLS negotiation fails, no matter what ciphers you select for your server, it fails either you select all of the possible 22 ciphers, or you select just the one the client is using, or you select none, in all cases, the TLS negotiation fails.

You just need to run this simple server:

package main

import (
    "net/http"
)
func main() {
    http.HandleFunc("/", nil) // set router
    http.ListenAndServeTLS(":9090", "/tmp/cert/apiserver.crt", "/tmp/cert/apiserver.key", nil) // set listen port
}

And use nmap to list the available ciphers:

$ nmap --script ssl-enum-ciphers -p 9090 localhost

Starting Nmap 7.01 ( https://nmap.org ) at 2018-01-27 14:06 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
PORT     STATE SERVICE
9090/tcp open  zeus-admin
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: C

Nmap done: 1 IP address (1 host up) scanned in 1.00 seconds

The list of ciphers that down show up and never work are:

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

So, if you try a request using openssl lile:
openssl s_client -cipher ECDH-RSA-RC4-SHA -connect localhost:9090

You get the TLS negotiation and the simple http server prints

2018/01/27 15:52:15 http: TLS handshake error from 127.0.0.1:39312: tls: no cipher suite supported by both client and server

This means i can't implement those tests testing all the ciphers, because those 12, just don't work.

And of course, they were not working before this PR was merged either.

To me this is a bug in Go, unless i'm missing something.
Does any of you have an idea of what could be happening? Otherwise i will file a bug in Go

@liggitt

This comment has been minimized.

Member

liggitt commented Jan 27, 2018

Does any of you have an idea of what could be happening?

Some ciphers are only available when using serving certificates with certain characteristics.

@ralphbuk

This comment has been minimized.

ralphbuk commented Feb 5, 2018

I know this is new function, but as this is security related it would be good if we could cherry pick to 1.8 & 1.9 so that we can let customers using general security scanner get rid of the security violations.

@jpiper jpiper referenced this pull request Mar 27, 2018

Merged

fix changelog #61749

@swestcott swestcott referenced this pull request Apr 25, 2018

Open

1.10 missing flags for kubelet & kube-apiserver #8188

1 of 2 tasks complete

k8s-merge-robot added a commit that referenced this pull request May 30, 2018

Merge pull request #58920 from victorgp/master
Automatic merge from submit-queue (batch tested with PRs 58920, 58327, 60577, 49388, 62306). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Possible cipher suites values and tls versions in help for apiserver and kubelet

**What this PR does / why we need it**:
Addresses a suggestion made by @lavalamp to list the possible TLS cipher suites in the kubelet and apiserver helps: #48859 (comment)

**Which issue(s) this PR fixes** 
NONE

**Special notes for your reviewer**:
This pull request only adds to the help message the possible values of the TLS Cipher suites for Kubelet and api server.
It is an addition to the already merged PR #48859

The help output looks like this:

```
      --tls-cert-file string                                    File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory specified by --cert-dir.
      --tls-cipher-suites strings                               Comma-separated list of cipher suites for the server. Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). If omitted, the default Go cipher suites will be use.  Possible values: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
      --tls-min-version string                                  Minimum TLS version supported. Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants.
      --tls-private-key-file string                             File containing the default x509 private key matching --tls-cert-file.

```

**Release note**:
```release-note
NONE
```

k8s-publishing-bot added a commit to kubernetes/apiserver that referenced this pull request Jun 1, 2018

Merge pull request #58920 from victorgp/master
Automatic merge from submit-queue (batch tested with PRs 58920, 58327, 60577, 49388, 62306). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Possible cipher suites values and tls versions in help for apiserver and kubelet

**What this PR does / why we need it**:
Addresses a suggestion made by @lavalamp to list the possible TLS cipher suites in the kubelet and apiserver helps: kubernetes/kubernetes#48859 (comment)

**Which issue(s) this PR fixes**
NONE

**Special notes for your reviewer**:
This pull request only adds to the help message the possible values of the TLS Cipher suites for Kubelet and api server.
It is an addition to the already merged PR kubernetes/kubernetes#48859

The help output looks like this:

```
      --tls-cert-file string                                    File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory specified by --cert-dir.
      --tls-cipher-suites strings                               Comma-separated list of cipher suites for the server. Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). If omitted, the default Go cipher suites will be use.  Possible values: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
      --tls-min-version string                                  Minimum TLS version supported. Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants.
      --tls-private-key-file string                             File containing the default x509 private key matching --tls-cert-file.

```

**Release note**:
```release-note
NONE
```

Kubernetes-commit: 22919ae7e1b5e55dd347d39d14bac629fbfe0e42

sttts pushed a commit to sttts/apiserver that referenced this pull request Jun 8, 2018

Merge pull request #58920 from victorgp/master
Automatic merge from submit-queue (batch tested with PRs 58920, 58327, 60577, 49388, 62306). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Possible cipher suites values and tls versions in help for apiserver and kubelet

**What this PR does / why we need it**:
Addresses a suggestion made by @lavalamp to list the possible TLS cipher suites in the kubelet and apiserver helps: kubernetes/kubernetes#48859 (comment)

**Which issue(s) this PR fixes**
NONE

**Special notes for your reviewer**:
This pull request only adds to the help message the possible values of the TLS Cipher suites for Kubelet and api server.
It is an addition to the already merged PR kubernetes/kubernetes#48859

The help output looks like this:

```
      --tls-cert-file string                                    File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory specified by --cert-dir.
      --tls-cipher-suites strings                               Comma-separated list of cipher suites for the server. Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). If omitted, the default Go cipher suites will be use.  Possible values: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
      --tls-min-version string                                  Minimum TLS version supported. Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants.
      --tls-private-key-file string                             File containing the default x509 private key matching --tls-cert-file.

```

**Release note**:
```release-note
NONE
```

Kubernetes-commit: 22919ae7e1b5e55dd347d39d14bac629fbfe0e42

k8s-publishing-bot added a commit to kubernetes/apiserver that referenced this pull request Jun 8, 2018

Merge pull request #58920 from victorgp/master
Automatic merge from submit-queue (batch tested with PRs 58920, 58327, 60577, 49388, 62306). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Possible cipher suites values and tls versions in help for apiserver and kubelet

**What this PR does / why we need it**:
Addresses a suggestion made by @lavalamp to list the possible TLS cipher suites in the kubelet and apiserver helps: kubernetes/kubernetes#48859 (comment)

**Which issue(s) this PR fixes**
NONE

**Special notes for your reviewer**:
This pull request only adds to the help message the possible values of the TLS Cipher suites for Kubelet and api server.
It is an addition to the already merged PR kubernetes/kubernetes#48859

The help output looks like this:

```
      --tls-cert-file string                                    File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory specified by --cert-dir.
      --tls-cipher-suites strings                               Comma-separated list of cipher suites for the server. Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). If omitted, the default Go cipher suites will be use.  Possible values: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
      --tls-min-version string                                  Minimum TLS version supported. Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants.
      --tls-private-key-file string                             File containing the default x509 private key matching --tls-cert-file.

```

**Release note**:
```release-note
NONE
```

Kubernetes-commit: 22919ae7e1b5e55dd347d39d14bac629fbfe0e42
@krionbsd

This comment has been minimized.

krionbsd commented Oct 9, 2018

I know this is new function, but as this is security related it would be good if we could cherry pick to 1.8 & 1.9 so that we can let customers using general security scanner get rid of the security violations.

Could you advice what k8s version should we use, which includes these TLS cipher fixes?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment