This article was originally posted to Medium by Gaurav Bankar and has been updated.
This article identifies using cluster operators and components with TLS Security profiles, covers the available security profiles, and how to configure each profile, and verify each profile is properly enabled.
The Components and the Profiles
The OpenShift Container Platform is componsed of many components. Three of the components, IngressController, APIServer and Kubelet can be configured for specific TLS profiles (versions) and ciphers.
You can view each of the component's TLS profile and see the version and ciphers using the cli:
❯ oc explain <component>.spec.tlsSecurityProfile.<profile>
❯ oc explain IngressController.spec.tlsSecurityProfile
GROUP: operator.openshift.io
KIND: IngressController
VERSION: v1
...
FIELDS:
custom <Object>
custom is a user-defined TLS security profile. Be extremely careful using a
custom profile as invalid configurations can be catastrophic. An example
custom profile looks like this:
ciphers: - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 -
ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256
minTLSVersion: TLSv1.1
...
For <component>
, specify IngressController
, APIServer
, or KubeletConfig
. For <profile>
, specify custom
, intermediate
, modern
and old
.
For details on the custom
profile, you can run oc explain IngressController.spec.tlsSecurityProfile.custom
. custom
lets you explictly dictate the TLS version and ciphers that are supported.
The APIServer wraps multiple components into a single custom resource — Kubernetes API server, Kubernetes controller manager, Kubernetes scheduler, OpenShift API server, OpenShift OAuth API server, OpenShift OAuth server, etcd. The default TLS security profile is Intermediate.
The Kubelet component is configured with the KubeletConfig to set a TLS Security Profile for specific nodes. The default TLS security profile for Kubelet is Intermediate.
Configuring the TLS security profile
To configure a TLS security profile for an OpenShift component, you edit the custom resource's tlsSecurityProfile.type. For the `custom`` TLS security profile, you additionally set the specific ciphers and minimum TLS version are listed under both parameters.
To set the TLS security profile for an IngressController:
- Edit the IngressController CR in the openshift-ingress-operator project:
oc edit IngressController default -n openshift-ingress-operator
- Add the
spec.tlsSecurityProfile
field, such as the following:
apiVersion: operator.openshift.io/v1
kind: IngressController
...
spec:
tlsSecurityProfile:
type: Custom
custom:
ciphers:
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
Min TLS Version: VersionTLS11
Type: Custom
...
- Save the file to apply the changes.
To set the TLS security profile for the APIServer.
- Edit the default APIServer CR to configure the TLS security profile:
oc edit APIServer cluster
- Add the
spec.tlsSecurityProfile
field:
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
name: cluster
spec:
tlsSecurityProfile:
type: Custom
custom:
ciphers:
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
Min TLS Version: VersionTLS11
Type: Custom
- Save the file to apply the changes.
To configure the Kublet TLS Security profile, you can:
- Create a file for the KubeletConfig resource.
apiVersion: machineconfiguration.openshift.io/v1
kind: KubeletConfig
metadata:
name: set-kubelet-tls-security-profile
spec:
tlsSecurityProfile:
type: Custom
custom:
ciphers:
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
Min TLS Version: VersionTLS11
Type: Custom
machineConfigPoolSelector:
matchLabels:
pools.operator.machineconfiguration.openshift.io/worker: ""
- Create the KubeletConfig object:
oc create -f <filename>
You must wait for the configured nodes to be rebooted one-by-one.
Verification of the TLS security profiles
In this section you can perform verification steps for all components — IngressController, APIServer and Kubelet:
- Verification steps for Ingress-controller to see the profile and the TLS version and ciphers.
$ oc describe IngressController default -n openshift-ingress-operator
Output:
Name: default
Namespace: openshift-ingress-operator
Labels: <none>
Annotations: <none>
API Version: operator.openshift.io/v1
Kind: IngressController
...
Spec:
...
Tls Security Profile:
Custom:
Ciphers:
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
Min TLS Version: VersionTLS11
Type: Custom
...
- Verify that the TLS security profile is set in the APIServer Custom Resource:
oc describe apiserver cluster
Output:
Name: cluster
Namespace:
...
API Version: config.openshift.io/v1
Kind: APIServer
...
Spec:
Audit:
Profile: Default
Tls Security Profile:
Custom:
Ciphers:
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
Type: Custom
...
- Verify that the TLS security profile is set in the etcd Custom Resource
oc describe etcd cluster
Output:
Name: cluster
Namespace:
...
API Version: operator.openshift.io/v1
Kind: Etcd
...
Spec:
Log Level: Normal
Management State: Managed
Observed Config:
Serving Info:
Cipher Suites:
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
],
Min TLS Version: VersionTLS12
- Verification steps for Kubelet
Perform the following steps after the nodes are in the Ready state:
i. Start a debug session for a configured node:
oc debug node/<node_name>
ii. Set /host as the root directory within the debug shell:
chroot /host
iii. View the kubelet.conf file:
cat /etc/kubernetes/kubelet.conf
Output:
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
...
"tlsCipherSuites": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
],
"tlsMinVersion": "VersionTLS12",
- Verification of TLS on the Kubelet OpenSSL commands:
i. Get the list of nodes (you can check a control plane and worker node)
oc get nodes
ii. Connect via Debug
oc debug node/mon01-worker-0.dsop0-power-211a.ibm.com
iii. Change root
chroot /host
iv. Check which ports are running for kubelet
netstat -plutn | grep kubelet
tcp 0 0 127.0.0.1:10248 0.0.0.0:* LISTEN 1695/kubelet
tcp6 0 0 :::10250 :::* LISTEN 1695/kubelet
v. Using the port for tcp
openssl s_client -connect localhost:10250
You should see a negotiated TLS version, such as:
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
VI. You can test the specific cipher using:
openssl s_client -connect localhost:10250 -cipher 'ECDHE-ECDSA-AES256-SHA'
You should see the cipher used successfully or not (if not supported)
- Verification with tls1_2, tls1_1, tls1 TLS versions using OpenSSL commands for kubelet on same node:
i. Check for TLS1.2 version
openssl s_client -connect localhost:10250 -tls1_2
...
SSL-Session:
Protocol : TLSv1.2
ii. Check for TLS1.1 version
openssl s_client -connect localhost:10250 -tls1_1
...
SSL-Session:
Protocol : TLSv1.1
iii. Check for TLS1 version
openssl s_client -connect localhost:10250 -tls1
SSL-Session:
Protocol : TLSv1
This post you’ve learned how to configure TLS security profiles for the OpenShift Container Platform.