
Using TLS Security Profiles on OpenShift Container Platform on IBM Power

By PAUL BASTIDE posted Tue November 21, 2023 03:41 PM

  

This article was originally posted to Medium by Gaurav Bankar and has been updated.

This article describes which cluster operators and components use TLS security profiles, covers the available profiles, and shows how to configure each profile and verify that it is properly enabled.

The Components and the Profiles

The OpenShift Container Platform is composed of many components. Three of them, the IngressController, the APIServer and the Kubelet, can be configured with specific TLS profiles (minimum TLS versions) and ciphers.

You can view the TLS profile schema for each component, including its version and cipher fields, using the CLI:

❯ oc explain <component>.spec.tlsSecurityProfile.<profile>

❯ oc explain IngressController.spec.tlsSecurityProfile
GROUP:      operator.openshift.io
KIND:       IngressController
VERSION:    v1
...
FIELDS:
  custom <Object>
    custom is a user-defined TLS security profile. Be extremely careful using a
    custom profile as invalid configurations can be catastrophic. An example
    custom profile looks like this:

      ciphers:
        - ECDHE-ECDSA-CHACHA20-POLY1305
        - ECDHE-RSA-CHACHA20-POLY1305
        - ECDHE-RSA-AES128-GCM-SHA256
        - ECDHE-ECDSA-AES128-GCM-SHA256
      minTLSVersion: TLSv1.1
...

For <component>, specify IngressController, APIServer, or KubeletConfig. For <profile>, specify custom, intermediate, modern, or old.

For details on the custom profile, run oc explain IngressController.spec.tlsSecurityProfile.custom. The custom profile lets you explicitly dictate the minimum TLS version and the ciphers that are supported.

The APIServer wraps multiple components into a single custom resource — Kubernetes API server, Kubernetes controller manager, Kubernetes scheduler, OpenShift API server, OpenShift OAuth API server, OpenShift OAuth server, etcd. The default TLS security profile is Intermediate.

The Kubelet component is configured with the KubeletConfig to set a TLS Security Profile for specific nodes. The default TLS security profile for Kubelet is Intermediate.

Configuring the TLS security profile

To configure a TLS security profile for an OpenShift component, you edit the custom resource's spec.tlsSecurityProfile.type. For the custom TLS security profile, you additionally set the specific ciphers and the minimum TLS version under spec.tlsSecurityProfile.custom.

To set the TLS security profile for an IngressController:

  1. Edit the IngressController CR in the openshift-ingress-operator project:

oc edit IngressController default -n openshift-ingress-operator

  2. Add the spec.tlsSecurityProfile field, such as the following:

apiVersion: operator.openshift.io/v1
kind: IngressController
...
spec:
  tlsSecurityProfile:
    type: Custom
    custom:
      ciphers:
        - ECDHE-ECDSA-CHACHA20-POLY1305
        - ECDHE-RSA-CHACHA20-POLY1305
        - ECDHE-RSA-AES128-GCM-SHA256
        - ECDHE-ECDSA-AES128-GCM-SHA256
      minTLSVersion: VersionTLS11
...

  3. Save the file to apply the changes.

To set the TLS security profile for the APIServer:

  1. Edit the default APIServer CR to configure the TLS security profile:

oc edit APIServer cluster

  2. Add the spec.tlsSecurityProfile field:

apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster
spec:
  tlsSecurityProfile:
    type: Custom
    custom:
      ciphers:
        - ECDHE-ECDSA-CHACHA20-POLY1305
        - ECDHE-RSA-CHACHA20-POLY1305
        - ECDHE-RSA-AES128-GCM-SHA256
        - ECDHE-ECDSA-AES128-GCM-SHA256
      minTLSVersion: VersionTLS11

  3. Save the file to apply the changes.

To configure the Kubelet TLS security profile:

  1. Create a file for the KubeletConfig resource. The machineConfigPoolSelector chooses which nodes receive the profile (here, the worker pool):

apiVersion: machineconfiguration.openshift.io/v1
kind: KubeletConfig
metadata:
  name: set-kubelet-tls-security-profile
spec:
  tlsSecurityProfile:
    type: Custom
    custom:
      ciphers:
        - ECDHE-ECDSA-CHACHA20-POLY1305
        - ECDHE-RSA-CHACHA20-POLY1305
        - ECDHE-RSA-AES128-GCM-SHA256
        - ECDHE-ECDSA-AES128-GCM-SHA256
      minTLSVersion: VersionTLS11
  machineConfigPoolSelector:
    matchLabels:
      pools.operator.machineconfiguration.openshift.io/worker: ""

  2. Create the KubeletConfig object:

oc create -f <filename>

You must wait while the Machine Config Operator reboots the configured nodes one by one; the new profile is only in effect on a node once it has rebooted and returned to the Ready state.

Verification of the TLS security profiles

This section walks through the verification steps for all three components: the IngressController, the APIServer and the Kubelet.

  1. Verification steps for the IngressController, to see the profile, the TLS version and the ciphers:

$ oc describe IngressController default -n openshift-ingress-operator

Output:

Name:         default
Namespace:    openshift-ingress-operator
Labels:       <none>
Annotations:  <none>
API Version:  operator.openshift.io/v1
Kind:         IngressController
...
Spec:
  ...
  Tls Security Profile:
    Custom:
      Ciphers:
        ECDHE-ECDSA-CHACHA20-POLY1305
        ECDHE-RSA-CHACHA20-POLY1305
        ECDHE-RSA-AES128-GCM-SHA256
        ECDHE-ECDSA-AES128-GCM-SHA256
      Min TLS Version:  VersionTLS11
    Type:               Custom
...

  2. Verify that the TLS security profile is set in the APIServer Custom Resource:

oc describe apiserver cluster

Output:

Name:         cluster
Namespace:    ...
API Version:  config.openshift.io/v1
Kind:         APIServer
...
Spec:
  Audit:
    Profile:  Default
  Tls Security Profile:
    Custom:
      Ciphers:
        ECDHE-ECDSA-CHACHA20-POLY1305
        ECDHE-RSA-CHACHA20-POLY1305
        ECDHE-RSA-AES128-GCM-SHA256
        ECDHE-ECDSA-AES128-GCM-SHA256
    Type:  Custom
...

  3. Verify that the TLS security profile is set in the etcd Custom Resource:

oc describe etcd cluster

Output:

Name:         cluster
Namespace:    ...
API Version:  operator.openshift.io/v1
Kind:         Etcd
...
Spec:
  Log Level:         Normal
  Management State:  Managed
  Observed Config:
    Serving Info:
      Cipher Suites:
        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
        TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
      Min TLS Version:  VersionTLS12

  4. Verification steps for the Kubelet.

Perform the following steps after the nodes are in the Ready state:

i. Start a debug session for a configured node:

oc debug node/<node_name>

ii. Set /host as the root directory within the debug shell:

chroot /host

iii. View the kubelet.conf file:

cat /etc/kubernetes/kubelet.conf

Output:

kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
...
"tlsCipherSuites": [
  "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
  "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
],
"tlsMinVersion": "VersionTLS12",

  5. Verification of TLS on the Kubelet using OpenSSL commands:

i. Get the list of nodes (you can check a control plane node and a worker node):

oc get nodes

ii. Connect to a node with oc debug:

oc debug node/mon01-worker-0.dsop0-power-211a.ibm.com

iii. Change root:

chroot /host

iv. Check which ports the kubelet is listening on:

netstat -plutn | grep kubelet
tcp        0      0 127.0.0.1:10248         0.0.0.0:*               LISTEN      1695/kubelet
tcp6       0      0 :::10250                :::*                    LISTEN      1695/kubelet

v. Connect to the kubelet's TLS port (10250):

openssl s_client -connect localhost:10250

You should see a negotiated TLS version, such as:

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384

vi. You can test a specific cipher using:

openssl s_client -connect localhost:10250 -cipher 'ECDHE-ECDSA-AES256-SHA'

If the kubelet accepts the cipher, the handshake completes and the session output names it; if the cipher is not supported, the handshake fails.

  6. Verification of the TLS 1.2, TLS 1.1 and TLS 1.0 protocol versions, using OpenSSL commands against the kubelet on the same node:

i. Check for TLS 1.2:

openssl s_client -connect localhost:10250 -tls1_2
...
SSL-Session:
    Protocol  : TLSv1.2

ii. Check for TLS 1.1:

openssl s_client -connect localhost:10250 -tls1_1
...
SSL-Session:
    Protocol  : TLSv1.1

iii. Check for TLS 1.0:

openssl s_client -connect localhost:10250 -tls1
SSL-Session:
    Protocol  : TLSv1
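The configuration and verification steps above leave one gap: comparing the profile you requested in the KubeletConfig with what the kubelet actually runs. The following Python script is an added example (not part of the original article or of OpenShift itself) that translates the custom profile's OpenSSL-style cipher names into the IANA names used in /etc/kubernetes/kubelet.conf, reports any drift between requested and effective settings, and flags an effective minimum version below TLS 1.2. The name mapping covers only the four suites used in this article, and the kubelet.conf sample is constructed from the values shown here.

```python
import json

# OpenSSL-style cipher names (custom tlsSecurityProfile) -> IANA names (kubelet.conf).
# Only the four suites used in this article are mapped; extend for other profiles.
OPENSSL_TO_IANA = {
    "ECDHE-ECDSA-CHACHA20-POLY1305": "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305": "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
}
TLS_RANK = {"VersionTLS10": 0, "VersionTLS11": 1, "VersionTLS12": 2, "VersionTLS13": 3}

# Constructed sample: the custom profile from the KubeletConfig shown in the article.
REQUESTED_PROFILE = {"type": "Custom", "custom": {
    "ciphers": ["ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
                "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256"],
    "minTLSVersion": "VersionTLS11"}}

# Constructed sample of the TLS keys found in /etc/kubernetes/kubelet.conf (JSON).
KUBELET_CONF_JSON = json.dumps({
    "tlsCipherSuites": ["TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
                        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
                        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"],
    "tlsMinVersion": "VersionTLS12"})

def expected_kubelet_settings(profile):
    """Translate the CR's custom profile into the kubelet.conf representation."""
    ciphers = profile["custom"]["ciphers"]
    unknown = [c for c in ciphers if c not in OPENSSL_TO_IANA]
    if unknown:  # an invalid custom profile can leave the node unreachable
        raise ValueError("unknown cipher names: " + ", ".join(unknown))
    return {"tlsCipherSuites": [OPENSSL_TO_IANA[c] for c in ciphers],
            "tlsMinVersion": profile["custom"]["minTLSVersion"]}

def audit_kubelet_conf(profile, kubelet_conf_json, floor="VersionTLS12"):
    """Return findings: requested-vs-effective drift and a minimum below the floor."""
    want = expected_kubelet_settings(profile)
    have = json.loads(kubelet_conf_json)
    want_suites, have_suites = set(want["tlsCipherSuites"]), set(have.get("tlsCipherSuites", []))
    findings = []
    if want_suites - have_suites:
        findings.append("requested suites not active: " + ", ".join(sorted(want_suites - have_suites)))
    if have_suites - want_suites:
        findings.append("active suites not requested: " + ", ".join(sorted(have_suites - want_suites)))
    have_min = have.get("tlsMinVersion", "VersionTLS10")  # unset: assume TLS 1.0
    if have_min != want["tlsMinVersion"]:
        findings.append(f"tlsMinVersion is {have_min}, requested {want['tlsMinVersion']}")
    if TLS_RANK[have_min] < TLS_RANK[floor]:
        findings.append(f"effective minimum {have_min} is below the {floor} floor")
    return findings
```

On a real node, pass the contents of /etc/kubernetes/kubelet.conf (read from the debug shell after chroot /host) as kubelet_conf_json.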

In this post you have learned how to configure and verify TLS security profiles for the OpenShift Container Platform.
