add configurable TLS min version and cipher suite support#485
Draft
thejasn wants to merge 9 commits into
The startup probe HTTP server was bound to all interfaces, exposing a plain HTTP endpoint on external node interfaces. Kubelet is the only intended caller and reaches it via the node loopback. Bind the server to 127.0.0.1. Since the DaemonSet runs with hostNetwork: true, the kubelet on the same host can reach 127.0.0.1 directly. Update the startup probe's httpGet host field to match. Signed-off-by: Thejas N <thn@redhat.com> (cherry picked from commit 0592120)
The tlsconfig package introduced in the following commit imports k8s.io/component-base/cli/flag directly for TLS version and cipher suite name resolution. Promote the dependency from indirect to direct so go.mod accurately reflects what the module uses. Signed-off-by: Thejas N <thn@redhat.com> (cherry picked from commit 9f00cd9)
The minimum TLS version and permitted cipher suites are expressed as strings but crypto/tls requires uint16 constants. Without a central conversion point each caller would duplicate the parsing logic and the validation constraints. Add pkg/util/tlsconfig with ParseTLSOptions to handle this. Two invariants are enforced: TLS 1.2 is the minimum accepted version, and cipher suites may not be specified with VersionTLS13 since crypto/tls does not allow configuring TLS 1.3 suites. Signed-off-by: Thejas N <thn@redhat.com> (cherry picked from commit fe8282c)
CAA hardcodes TLS 1.2 with no cipher suite control, providing no way to enforce a specific minimum version or restrict the permitted cipher suites across peer pod connections. Add MinTLSVersion and CipherSuites fields to TLSConfig and wire them into GetTLSConfigFor via tlsconfig.ParseTLSOptions. TLS 1.2 is kept as a hard floor regardless of the requested version. When both fields are empty the behaviour is identical to before. Signed-off-by: Thejas N <thn@redhat.com> (cherry picked from commit fffbe38)
The agent protocol forwarder runs inside the peer pod VM with no access to external configuration sources. The only mechanism for delivering configuration to it is the user-data (apf.json) written by CAA at VM creation time. Add MinTLSVersion and CipherSuites to the forwarder Config struct so they are serialised into apf.json. In NewDaemon, propagate these fields into the TLSConfig used for the APF TLS listener if not already set by the caller. Because user-data is written once at VM boot and the APF loads it without watching for changes, updates to MinTLSVersion or CipherSuites only take effect for newly created peer pods. Existing VMs retain their original settings until the pod is deleted and recreated. Signed-off-by: Thejas N <thn@redhat.com> (cherry picked from commit d0c30d2)
MinTLSVersion and CipherSuites are stored in ServerConfig.TLSConfig. The daemonConfig written to user-data is constructed separately in CreateVM and the two were not connected. Copy MinTLSVersion and CipherSuites from TLSConfig into daemonConfig before serialising it to apf.json. Without this step these fields would never be populated for peer pod VMs. Signed-off-by: Thejas N <thn@redhat.com> (cherry picked from commit 8cbb988)
Expose two new flags backed by env vars so the minimum TLS version and permitted cipher suites can be configured without rebuilding the binary:
--tls-min-version / TLS_MIN_VERSION (VersionTLS12 or VersionTLS13)
--tls-cipher-suites / TLS_CIPHER_SUITES (comma-separated IANA names)
Warn when --disable-tls or --tls-skip-verify are used, since both silently weaken security and should be restricted to test environments. Warn when MinTLSVersion or CipherSuites are set: these values are baked into peer pod VMs via user-data at creation time, so changes require deleting and recreating existing peer pods to take effect. Signed-off-by: Thejas N <thn@redhat.com> (cherry picked from commit b43999a)
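The string-to-constant conversion described in the tlsconfig commit above, the TLS 1.2 floor kept by the CAA commit, and the env-var surface from this commit fit together as follows. This is an added illustration and not code from the PR or the cloud-api-adaptor project: the real tlsconfig package resolves names through k8s.io/component-base/cli/flag, whereas this example resolves cipher suite names against crypto/tls's own tls.CipherSuites() table so it runs with the standard library alone. The function and type names (ParseTLSOptions, TLSOptions, TLSConfigFor, parseCipherSuites) and the extra rejection of TLS 1.3-only and insecure suite names are assumptions of the example, not behaviour the PR states.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"os"
	"strings"
)

// TLSOptions is the parsed form of TLS_MIN_VERSION / TLS_CIPHER_SUITES.
// (Example type; the project's tlsconfig package defines its own.)
type TLSOptions struct {
	MinVersion   uint16
	CipherSuites []uint16 // nil means "leave crypto/tls defaults"
}

// Only the two names the flags accept; VersionTLS10/11 are deliberately absent
// so the TLS 1.2 floor is enforced at parse time.
var versionNames = map[string]uint16{
	"VersionTLS12": tls.VersionTLS12,
	"VersionTLS13": tls.VersionTLS13,
}

// ParseTLSOptions converts the string settings to crypto/tls constants and
// enforces two invariants: the minimum version is never below TLS 1.2, and
// cipher suites cannot be combined with VersionTLS13 because crypto/tls does
// not let callers choose TLS 1.3 suites. Empty inputs yield the defaults.
func ParseTLSOptions(minVersion, cipherSuites string) (TLSOptions, error) {
	opts := TLSOptions{MinVersion: tls.VersionTLS12}
	if v := strings.TrimSpace(minVersion); v != "" {
		id, ok := versionNames[v]
		if !ok {
			return TLSOptions{}, fmt.Errorf("unsupported TLS version %q (want VersionTLS12 or VersionTLS13)", v)
		}
		opts.MinVersion = id
	}
	if cs := strings.TrimSpace(cipherSuites); cs != "" {
		if opts.MinVersion == tls.VersionTLS13 {
			return TLSOptions{}, errors.New("cipher suites cannot be set with VersionTLS13: TLS 1.3 suites are not configurable")
		}
		ids, err := parseCipherSuites(cs)
		if err != nil {
			return TLSOptions{}, err
		}
		opts.CipherSuites = ids
	}
	return opts, nil
}

// parseCipherSuites resolves comma-separated IANA names. Names listed by
// tls.InsecureCipherSuites() are refused explicitly, and suites that only
// exist for TLS 1.3 are refused too, since tls.Config.CipherSuites silently
// ignores them and the operator would believe a restriction is in force.
func parseCipherSuites(list string) ([]uint16, error) {
	insecure := map[string]bool{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.Name] = true
	}
	known := map[string]*tls.CipherSuite{}
	for _, s := range tls.CipherSuites() {
		known[s.Name] = s
	}
	var ids []uint16
	for _, name := range strings.Split(list, ",") {
		name = strings.TrimSpace(name)
		if name == "" {
			continue
		}
		if insecure[name] {
			return nil, fmt.Errorf("cipher suite %s is marked insecure by crypto/tls", name)
		}
		s, ok := known[name]
		if !ok {
			return nil, fmt.Errorf("unknown cipher suite %q", name)
		}
		configurable := false
		for _, v := range s.SupportedVersions {
			if v <= tls.VersionTLS12 {
				configurable = true
			}
		}
		if !configurable {
			return nil, fmt.Errorf("cipher suite %s is TLS 1.3-only and cannot be configured", name)
		}
		ids = append(ids, s.ID)
	}
	if len(ids) == 0 {
		return nil, errors.New("cipher suite list contains no names")
	}
	return ids, nil
}

// TLSConfigFor applies the parsed options to a fresh tls.Config, the step
// the PR performs inside GetTLSConfigFor for peer pod connections.
func TLSConfigFor(opts TLSOptions) *tls.Config {
	return &tls.Config{MinVersion: opts.MinVersion, CipherSuites: opts.CipherSuites}
}

func main() {
	// Same env var names the PR's flags are backed by.
	opts, err := ParseTLSOptions(os.Getenv("TLS_MIN_VERSION"), os.Getenv("TLS_CIPHER_SUITES"))
	if err != nil {
		fmt.Fprintln(os.Stderr, "invalid TLS settings:", err)
		os.Exit(1)
	}
	cfg := TLSConfigFor(opts)
	fmt.Printf("min version 0x%04x, %d cipher suite(s) pinned\n", cfg.MinVersion, len(cfg.CipherSuites))
}
```

Run it with TLS_MIN_VERSION=VersionTLS12 TLS_CIPHER_SUITES=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 to see a restricted TLS 1.2 profile, and with TLS_MIN_VERSION=VersionTLS13 plus any suite list to see the second invariant reject the combination. Note that even a valid list only constrains TLS 1.2 handshakes; a TLS 1.3 peer negotiates from Go's fixed TLS 1.3 suite set regardless.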
The webhook server's TLS configuration is fixed at Go defaults with no way to set the minimum version or restrict cipher suites at runtime. Add support for TLS_MIN_VERSION and TLS_CIPHER_SUITES env vars. When set, these are applied to the webhook server's TLS configuration at startup. Signed-off-by: Thejas N <thn@redhat.com> (cherry picked from commit 5829b8d)
Without an operator, there is no way to configure the minimum TLS version or permitted cipher suites for peer pod connections or the webhook server via helm. Add tlsProfile.minVersion and tlsProfile.cipherSuites to the peerpods chart values. The configmap template renders these into peer-pods-cm so the CAA DaemonSet picks them up via envFrom. Add tlsMinVersion and tlsCipherSuites to the webhook chart values and render them as TLS_MIN_VERSION and TLS_CIPHER_SUITES env vars on the manager container. Bump webhook chart version to 0.3.2. Signed-off-by: Thejas N <thn@redhat.com> (cherry picked from commit 06b77cd)
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
TBD
Downstream cherry pick from confidential-containers#3135