Support for custom tls cipher suites in api server and kubelet #48859

Merged
merged 1 commit into from Jan 18, 2018

Conversation

@victorgp
Contributor

@victorgp victorgp commented Jul 13, 2017

What this PR does / why we need it:
This pull request aims to solve the problem of users not being able to set custom cipher suites in the api server.
Several users have requested this given that some default ciphers are vulnerable.
There is a discussion in #41038 of how to implement this. The options are:

  • Setting a fixed list of ciphers, but users will have different requirements so a fixed list would be problematic.
  • Letting the user set them by parameter; this requires adding a new parameter that could be pretty long with the list of all the ciphers.

I implemented the second option; if the ciphers are not passed by parameter, the Go default ones will be used (same behavior as now).

Which issue this PR fixes
fixes #41038

Special notes for your reviewer:
The ciphers in the Go tls config are constants and the ones passed by parameter are a comma-separated list. I needed to create the type CipherSuitesFlag to support that conversion/mapping, because I couldn't find any way to do this type of reflection in Go.
If you think there is another way to implement this, let me know.

If you want to test it out, this is a cipher combination I tested without the weak ones:

TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

If this is merged I will implement the same for the Kubelet.

Release note:

kube-apiserver and kubelet now support customizing TLS ciphers via a `--tls-cipher-suites` flag
@k8s-ci-robot
Contributor

@k8s-ci-robot k8s-ci-robot commented Jul 13, 2017

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://github.com/kubernetes/kubernetes/wiki/CLA-FAQ to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@victorgp
Contributor Author

@victorgp victorgp commented Jul 13, 2017

CLA signed


func NewCipherSuitesFlag() *CipherSuitesFlag {
return &CipherSuitesFlag{
"TLS_RSA_WITH_RC4_128_SHA": 0x0005,


@liggitt

liggitt Jul 13, 2017
Member

prefer tls constants here


@liggitt

liggitt Jul 13, 2017
Member

see https://github.com/liggitt/origin/blob/master/pkg/cmd/server/crypto/crypto.go#L72-L112 for an example, and https://github.com/liggitt/origin/blob/master/pkg/cmd/server/crypto/crypto_test.go#L16-L54 for a test to make sure the allowed values stays up to date with the ciphers supported by the TLS stack


// CipherSuites is the list of allowed cipher suites for the server.
// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
CipherSuites string


@liggitt

liggitt Jul 13, 2017
Member

this should probably go in SecureServingOptions and be []string, tied to a string slice flag

@victorgp victorgp force-pushed the victorgp:master branch from 1a2b66f to 6a45f0a Jul 17, 2017
@victorgp
Contributor Author

@victorgp victorgp commented Jul 17, 2017

Parameter set to []string, new test added and using constants instead of numbers


// CipherSuites is the list of allowed cipher suites for the server.
// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
CipherSuites []string


@liggitt

liggitt Jul 17, 2017
Member

still needs to be moved to SecureServingOptions

@@ -246,6 +255,16 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
}
}

if len(s.ServerCert.CipherSuites) != 0 {
csFlag := utilflag.NewCipherSuitesFlag()
cipherSuites, err := csFlag.StrToUInt16(s.ServerCert.CipherSuites)
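Review bot: the `err` returned by `csFlag.StrToUInt16(s.ServerCert.CipherSuites)` is assigned here but its check falls outside the visible lines; make sure that path returns the error together with the offending name, so a misspelled suite fails startup instead of leaving the server on the Go default list and quietly undoing what the operator configured. The `len(s.ServerCert.CipherSuites) != 0` guard already gives the documented fall-through to the Go defaults when the flag is omitted, so the error branch is the only silent-success path left to close.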


@liggitt

liggitt Jul 17, 2017
Member

this can just be a util function, no need for a flag type now

@victorgp victorgp force-pushed the victorgp:master branch from 6a45f0a to 99c31fc Jul 17, 2017
@victorgp
Contributor Author

@victorgp victorgp commented Jul 17, 2017

Sorry, I missed that part. Updated: the type is removed and just a function is used instead.

@victorgp victorgp force-pushed the victorgp:master branch from 99c31fc to 6b56264 Jul 17, 2017
@ncdc
Member

@ncdc ncdc commented Jul 17, 2017

/unassign

fs.StringSliceVar(&s.CipherSuites, "tls-cipher-suites", s.CipherSuites,
"Comma-separated list of cipher suites for the server. "+
"Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). "+
"If ommited, the default Go cipher suites will be used")


@liggitt

liggitt Jul 17, 2017
Member

omitted


// ciphers maps strings into tls package cipher constants in
// https://golang.org/pkg/crypto/tls/#pkg-constants
var ciphers = map[string]uint16{


@liggitt

liggitt Jul 17, 2017
Member

put these somewhere the apiserver and kubelet can both reference it...


@victorgp

victorgp Sep 29, 2017
Author Contributor

After adding support for the kubelet, I didn't need to move this. It is accessible from the kubelet code; indeed, it was already imported, so I didn't need to import anything.

Let me know if you still prefer to put it in another location, and if so, what would be the best one?

@k8s-github-robot
Contributor

@k8s-github-robot k8s-github-robot commented Jan 18, 2018

/test all [submit-queue is verifying that this PR is safe to merge]

@k8s-github-robot
Contributor

@k8s-github-robot k8s-github-robot commented Jan 18, 2018

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-github-robot k8s-github-robot merged commit b7100f1 into kubernetes:master Jan 18, 2018
12 of 13 checks passed
Submit Queue: Required Github CI test is not green: pull-kubernetes-verify
cla/linuxfoundation: victorgp authorized
pull-kubernetes-bazel-build: Job succeeded.
pull-kubernetes-bazel-test: Job succeeded.
pull-kubernetes-cross: Skipped
pull-kubernetes-e2e-gce: Job succeeded.
pull-kubernetes-e2e-gce-device-plugin-gpu: Job succeeded.
pull-kubernetes-e2e-gke-gci: Skipped
pull-kubernetes-e2e-kops-aws: Job succeeded.
pull-kubernetes-kubemark-e2e-gce: Job succeeded.
pull-kubernetes-node-e2e: Job succeeded.
pull-kubernetes-unit: Job succeeded.
pull-kubernetes-verify: Job succeeded.
@liggitt
Member

@liggitt liggitt commented Jan 18, 2018

\o/

@duglin
Contributor

@duglin duglin commented Jan 18, 2018

thanks @liggitt !

@victorgp
Contributor Author

@victorgp victorgp commented Jan 18, 2018

Yeeees! Merged ;)

Thanks all!

@@ -442,6 +442,10 @@ func AddKubeletConfigFlags(fs *pflag.FlagSet, c *kubeletconfig.KubeletConfigurat
"If --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key "+
"are generated for the public address and saved to the directory passed to --cert-dir.")
fs.StringVar(&c.TLSPrivateKeyFile, "tls-private-key-file", c.TLSPrivateKeyFile, "File containing x509 private key matching --tls-cert-file.")
fs.StringSliceVar(&c.TLSCipherSuites, "tls-cipher-suites", c.TLSCipherSuites,
"Comma-separated list of cipher suites for the server. "+
"Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). "+

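Review bot: the help text for `--tls-cipher-suites` points at the Go constants page but does not enumerate the accepted values or say that an unrecognised name is rejected; list the names in the message (the same set the parsing map accepts) so an operator does not have to cross-reference the Go docs, and keep the string identical to the apiserver flag so both components document one contract. Since the flag is bound with `fs.StringSliceVar`, the help can also note that values may be given comma-separated or by repeating the flag.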

@lavalamp

lavalamp Jan 18, 2018
Member

List the values in this help message?


@liggitt

liggitt Jan 18, 2018
Member

yeah, that's a good idea


@victorgp

victorgp Jan 27, 2018
Author Contributor

@lavalamp @liggitt I've made this PR to address this issue: #58920


@liggitt

liggitt Jan 27, 2018
Member

Thanks for following up

@@ -134,6 +137,11 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
"Controllers. This must be a valid PEM-encoded CA bundle. Altneratively, the certificate authority "+
"can be appended to the certificate provided by --tls-cert-file.")

fs.StringSliceVar(&s.TLSCipherSuites, "tls-cipher-suites", s.TLSCipherSuites,
"Comma-separated list of cipher suites for the server. "+
"Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). "+

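Review bot: the context line `"Controllers. This must be a valid PEM-encoded CA bundle. Altneratively, the certificate authority "+` carries a typo ("Altneratively") that is worth fixing while this help text is being touched. The new `--tls-cipher-suites` help below it should, like the kubelet copy, enumerate the accepted constant names and state that an unknown name is an error rather than a silent fallback to the Go defaults.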

@lavalamp

lavalamp Jan 18, 2018
Member

Same comment

"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,


@lavalamp

lavalamp Jan 18, 2018
Member

If humans are supposed to type these things in, maybe omit the "TLS_" prefix, as it only adds verbosity?


@liggitt

liggitt Jan 18, 2018
Member


@neolit123

neolit123 Aug 8, 2019
Member

Looks like TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 and TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 were added in golang lacking the hash portion of the suite IDs (_SHA256):

golang/go#32061

but that's because the same suffix was added last minute in the CHACHA20_POLY1305 draft:
https://tools.ietf.org/rfcdiff?url2=draft-ietf-tls-chacha20-poly1305-04.txt

🤦‍♂️

xref #81145

// Supported cipher
clientCiphers: []uint16{tls.TLS_RSA_WITH_AES_256_CBC_SHA},
expectedError: false,
},


@lavalamp

lavalamp Jan 18, 2018
Member

I would prefer to see two tests for each cipher, one verifying it works when present, one verifying it doesn't when not.

@victorgp
Contributor Author

@victorgp victorgp commented Jan 18, 2018

Ok, I will take care of these two things in another PR (the values in the help message and the tests).

@gregory-lyons

@gregory-lyons gregory-lyons commented Jan 26, 2018

Any chance of this getting cherry-picked to earlier versions?

@liggitt
Member

@liggitt liggitt commented Jan 27, 2018

Given that it is a new feature and the size of the change, that is unlikely

@victorgp
Contributor Author

@victorgp victorgp commented Jan 27, 2018

@lavalamp regarding the test changes, I might have found an issue in how Go handles the ciphers.

From the list of 22 Go-supported cipher suites here https://golang.org/pkg/crypto/tls/#pkg-constants, there are only 10 that actually work and 12 that don't. Let me explain.

If you create a simple http server with the default Go TLS configuration and you list the supported ciphers with a tool like openssl or nmap, only 10 show up.
If you do an HTTP request with any of the 12 not listed, the TLS negotiation fails no matter what ciphers you select for your server: whether you select all of the possible 22 ciphers, just the one the client is using, or none, in all cases the TLS negotiation fails.

You just need to run this simple server:

```go
package main

import (
	"log"
	"net/http"
)

func main() {
	// Any handler will do; the point is the TLS handshake, not the response
	// (a nil handler would panic, so register a trivial one).
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok"))
	})
	// Default Go TLS configuration; certificate and key paths as in the original comment.
	log.Fatal(http.ListenAndServeTLS(":9090", "/tmp/cert/apiserver.crt", "/tmp/cert/apiserver.key", nil))
}
```

And use nmap to list the available ciphers:

```
$ nmap --script ssl-enum-ciphers -p 9090 localhost

Starting Nmap 7.01 ( https://nmap.org ) at 2018-01-27 14:06 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00013s latency).
PORT     STATE SERVICE
9090/tcp open  zeus-admin
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: C

Nmap done: 1 IP address (1 host up) scanned in 1.00 seconds
```

The list of ciphers that don't show up and never work are:

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

So, if you try a request using openssl like:

```
openssl s_client -cipher ECDH-RSA-RC4-SHA -connect localhost:9090
```

The TLS negotiation fails and the simple http server prints:

```
2018/01/27 15:52:15 http: TLS handshake error from 127.0.0.1:39312: tls: no cipher suite supported by both client and server
```

This means I can't implement those tests testing all the ciphers, because those 12 just don't work.

And of course, they were not working before this PR was merged either.

To me this is a bug in Go, unless I'm missing something.
Does any of you have an idea of what could be happening? Otherwise I will file a bug in Go.

@liggitt
Member

@liggitt liggitt commented Jan 27, 2018

> Does any of you have an idea of what could be happening?

Some ciphers are only available when using serving certificates with certain characteristics.
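As an added example (not code from this PR or from Kubernetes), the Go program below does what the thread converges on: map the names an operator passes to a `--tls-cipher-suites` style flag onto crypto/tls constants, reject unknown names instead of falling back to defaults, and flag the mismatch described above between the configured suites and the key type of the serving certificate. The function names, the sample flag value and the generated keys are constructed for the example; it relies on `tls.CipherSuites` and `tls.CipherSuiteName`, which exist only in Go 1.14 and later.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"fmt"
	"strings"
)

// suitesByName maps crypto/tls constant names to IDs, built from the TLS stack
// itself so it cannot drift from what Go ships. tls.InsecureCipherSuites()
// (RC4, 3DES, CBC-SHA256, and plain RSA key exchange in recent Go) is left
// out on purpose: those names are rejected rather than enabled. TLS 1.3 suites
// appear in the map too, but Config.CipherSuites does not govern them.
var suitesByName = func() map[string]uint16 {
	m := make(map[string]uint16)
	for _, s := range tls.CipherSuites() {
		m[s.Name] = s.ID
	}
	return m
}()

// ParseCipherSuites turns a comma-separated --tls-cipher-suites value into
// crypto/tls IDs. Empty means "keep the Go defaults"; an unknown name is a
// hard error so a typo cannot silently widen the accepted set.
func ParseCipherSuites(value string) ([]uint16, error) {
	if strings.TrimSpace(value) == "" {
		return nil, nil
	}
	var ids []uint16
	for _, raw := range strings.Split(value, ",") {
		name := strings.TrimSpace(raw)
		id, ok := suitesByName[name]
		if !ok {
			return nil, fmt.Errorf("unknown or insecure cipher suite %q", name)
		}
		ids = append(ids, id)
	}
	return ids, nil
}

// UnusableSuites reports configured suites that can never be negotiated with a
// serving certificate whose public key is pub: ECDHE_ECDSA suites need an ECDSA
// key, RSA and ECDHE_RSA suites need an RSA key. A list made only of mismatched
// suites gives "no cipher suite supported by both client and server".
func UnusableSuites(ids []uint16, pub crypto.PublicKey) []string {
	var bad []string
	for _, id := range ids {
		name := tls.CipherSuiteName(id)
		needsECDSA := strings.HasPrefix(name, "TLS_ECDHE_ECDSA_")
		needsRSA := strings.HasPrefix(name, "TLS_RSA_") || strings.HasPrefix(name, "TLS_ECDHE_RSA_")
		mismatch := false
		switch pub.(type) {
		case *rsa.PublicKey:
			mismatch = needsECDSA
		case *ecdsa.PublicKey:
			mismatch = needsRSA
		}
		if mismatch {
			bad = append(bad, name)
		}
	}
	return bad
}

func main() {
	// Constructed flag value mixing an RSA and an ECDSA suite, checked against
	// freshly generated keys standing in for the RSA and ECDSA serving certs.
	ids, err := ParseCipherSuites("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384")
	if err != nil {
		panic(err)
	}
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	fmt.Println("unusable with an RSA cert:  ", UnusableSuites(ids, &rsaKey.PublicKey))
	fmt.Println("unusable with an ECDSA cert:", UnusableSuites(ids, &ecKey.PublicKey))
}
```

Running it against an RSA key reports the ECDSA suite as unusable and vice versa, which is the situation behind the handshake error quoted above when the configured list contains nothing the server's key can sign for.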

@ralphbuk

@ralphbuk ralphbuk commented Feb 5, 2018

I know this is a new function, but as this is security related it would be good if we could cherry-pick it to 1.8 & 1.9 so that we can let customers using a general security scanner get rid of the security violations.

@jpiper jpiper mentioned this pull request Mar 27, 2018
k8s-github-robot pushed a commit that referenced this pull request May 30, 2018
Kubernetes Submit Queue
Automatic merge from submit-queue (batch tested with PRs 58920, 58327, 60577, 49388, 62306). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Possible cipher suites values and tls versions in help for apiserver and kubelet

**What this PR does / why we need it**:
Addresses a suggestion made by @lavalamp to list the possible TLS cipher suites in the kubelet and apiserver helps: #48859 (comment)

**Which issue(s) this PR fixes** 
NONE

**Special notes for your reviewer**:
This pull request only adds to the help message the possible values of the TLS Cipher suites for Kubelet and api server.
It is an addition to the already merged PR #48859

The help output looks like this:

```
      --tls-cert-file string                                    File containing the default x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If HTTPS serving is enabled, and --tls-cert-file and --tls-private-key-file are not provided, a self-signed certificate and key are generated for the public address and saved to the directory specified by --cert-dir.
      --tls-cipher-suites strings                               Comma-separated list of cipher suites for the server. Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). If omitted, the default Go cipher suites will be use.  Possible values: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
      --tls-min-version string                                  Minimum TLS version supported. Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants.
      --tls-private-key-file string                             File containing the default x509 private key matching --tls-cert-file.

```

**Release note**:
```release-note
NONE
```
k8s-publishing-bot added a commit to kubernetes/apiserver that referenced this pull request Jun 1, 2018
Kubernetes-commit: 22919ae7e1b5e55dd347d39d14bac629fbfe0e42
sttts pushed a commit to sttts/apiserver that referenced this pull request Jun 8, 2018
k8s-publishing-bot added a commit to kubernetes/apiserver that referenced this pull request Jun 8, 2018
@krionbsd

@krionbsd krionbsd commented Oct 9, 2018

> I know this is new function, but as this is security related it would be good if we could cherry pick to 1.8 & 1.9 so that we can let customers using general security scanner get rid of the security violations.

Could you advise what k8s version we should use, which includes these TLS cipher fixes?
