Merge pull request #58528 from deads2k/kubelet-02-mincipher
Automatic merge from submit-queue (batch tested with PRs 58547, 57228, 58528, 58499, 58618). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Add TLS min version flag Adds a flag for controlling the minimum TLS protocol version the server will accept. /assign liggitt @kubernetes/sig-node-pr-reviews @k8s-mirror-api-machinery-pr-reviews ```release-note --tls-min-version on kubelet and kube-apiserver allow for configuring minimum TLS versions ```
commit
3550551b9f
@ -446,6 +446,9 @@ func AddKubeletConfigFlags(fs *pflag.FlagSet, c *kubeletconfig.KubeletConfigurat
|
|||||||
"Comma-separated list of cipher suites for the server. "+
|
"Comma-separated list of cipher suites for the server. "+
|
||||||
"Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). "+
|
"Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). "+
|
||||||
"If omitted, the default Go cipher suites will be used")
|
"If omitted, the default Go cipher suites will be used")
|
||||||
|
fs.StringVar(&c.TLSMinVersion, "tls-min-version", c.TLSMinVersion,
|
||||||
|
"Minimum TLS version supported. "+
|
||||||
|
"Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants.")
|
||||||
|
|
||||||
fs.Int32Var(&c.RegistryPullQPS, "registry-qps", c.RegistryPullQPS, "If > 0, limit registry pull QPS to this value. If 0, unlimited.")
|
fs.Int32Var(&c.RegistryPullQPS, "registry-qps", c.RegistryPullQPS, "If > 0, limit registry pull QPS to this value. If 0, unlimited.")
|
||||||
fs.Int32Var(&c.RegistryBurst, "registry-burst", c.RegistryBurst, "Maximum size of a bursty pulls, temporarily allows pulls to burst to this number, while still not exceeding registry-qps. Only used if --registry-qps > 0")
|
fs.Int32Var(&c.RegistryBurst, "registry-burst", c.RegistryBurst, "Maximum size of a bursty pulls, temporarily allows pulls to burst to this number, while still not exceeding registry-qps. Only used if --registry-qps > 0")
|
||||||
|
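Review bot: The new `--tls-min-version` help text on the `fs.StringVar(&c.TLSMinVersion, ...)` lines never says what happens when the flag is omitted, unlike the neighbouring cipher-suite flag whose text ends with "If omitted, the default Go cipher suites will be used"; elsewhere in this commit an empty value falls back to `DefaultTLSVersion()`, i.e. TLS 1.2, and the accepted names include `VersionTLS10` and `VersionTLS11`. Both facts belong in the help so an operator understands that setting the flag can only lower the previous floor. I would write `"Minimum TLS version supported. "+ "Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants (VersionTLS10, VersionTLS11, VersionTLS12). "+ "If omitted, VersionTLS12 is used; lower values re-enable protocol versions with known weaknesses."`. AddKubeletConfigFlags starts and ends outside the hunk.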
@ -627,12 +627,14 @@ func InitializeTLS(kf *options.KubeletFlags, kc *kubeletconfiginternal.KubeletCo
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
minTLSVersion, err := flag.TLSVersion(kc.TLSMinVersion)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
tlsOptions := &server.TLSOptions{
|
tlsOptions := &server.TLSOptions{
|
||||||
Config: &tls.Config{
|
Config: &tls.Config{
|
||||||
// Can't use SSLv3 because of POODLE and BEAST
|
MinVersion: minTLSVersion,
|
||||||
// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
|
|
||||||
// Can't use TLSv1.1 because of RC4 cipher usage
|
|
||||||
MinVersion: tls.VersionTLS12,
|
|
||||||
CipherSuites: tlsCipherSuites,
|
CipherSuites: tlsCipherSuites,
|
||||||
},
|
},
|
||||||
CertFile: kc.TLSCertFile,
|
CertFile: kc.TLSCertFile,
|
||||||
|
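Review bot: The rationale that previously sat beside `MinVersion` (POODLE/BEAST on TLS 1.0, RC4 on TLS 1.1) is removed from this call site and now lives only in `DefaultTLSVersion()`, so a reader of `InitializeTLS` no longer sees that `MinVersion: minTLSVersion` can be lower than the old hard floor of `tls.VersionTLS12`. I would keep a one-line pointer on the new line: `// MinVersion is TLS 1.2 unless --tls-min-version lowers it; see flag.DefaultTLSVersion for why older versions are discouraged.`. It may also be worth logging at startup when the configured minimum is below `tls.VersionTLS12`, because with the default cipher list that silently re-admits the CBC/RC4-era handshakes the removed comments warned about; the hunk does not show this file's logging conventions, so I leave that as a suggestion rather than a patch. InitializeTLS starts and ends outside the hunk.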
@ -176,6 +176,7 @@ var (
|
|||||||
"HealthzBindAddress",
|
"HealthzBindAddress",
|
||||||
"HealthzPort",
|
"HealthzPort",
|
||||||
"TLSCipherSuites[*]",
|
"TLSCipherSuites[*]",
|
||||||
|
"TLSMinVersion",
|
||||||
"IPTablesDropBit",
|
"IPTablesDropBit",
|
||||||
"IPTablesMasqueradeBit",
|
"IPTablesMasqueradeBit",
|
||||||
"ImageGCHighThresholdPercent",
|
"ImageGCHighThresholdPercent",
|
||||||
|
@ -88,6 +88,9 @@ type KubeletConfiguration struct {
|
|||||||
// TLSCipherSuites is the list of allowed cipher suites for the server.
|
// TLSCipherSuites is the list of allowed cipher suites for the server.
|
||||||
// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
|
// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
|
||||||
TLSCipherSuites []string
|
TLSCipherSuites []string
|
||||||
|
// TLSMinVersion is the minimum TLS version supported.
|
||||||
|
// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
|
||||||
|
TLSMinVersion string
|
||||||
// authentication specifies how requests to the Kubelet's server are authenticated
|
// authentication specifies how requests to the Kubelet's server are authenticated
|
||||||
Authentication KubeletAuthentication
|
Authentication KubeletAuthentication
|
||||||
// authorization specifies how requests to the Kubelet's server are authorized
|
// authorization specifies how requests to the Kubelet's server are authorized
|
||||||
|
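Review bot: The new `TLSMinVersion` field comment states neither the accepted names nor the default, which a consumer of `KubeletConfiguration` needs more than a flag user does, since the TLS 1.2 fallback is only discoverable by reading `DefaultTLSVersion()` in a different package. I would expand it to `// TLSMinVersion is the minimum TLS version the kubelet's server accepts.`, `// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants), e.g. VersionTLS12.` and `// If empty, VersionTLS12 is used; an unrecognized name is an error.`. None of the hunks on this page add a validation rule for the field, so as far as this page shows an unknown name is rejected only when InitializeTLS runs at startup — worth confirming against the kubelet config validation. The struct starts before and ends after the hunk.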
@ -88,6 +88,9 @@ type KubeletConfiguration struct {
|
|||||||
// TLSCipherSuites is the list of allowed cipher suites for the server.
|
// TLSCipherSuites is the list of allowed cipher suites for the server.
|
||||||
// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
|
// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
|
||||||
TLSCipherSuites []string `json:"tlsCipherSuites"`
|
TLSCipherSuites []string `json:"tlsCipherSuites"`
|
||||||
|
// TLSMinVersion is the minimum TLS version supported.
|
||||||
|
// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
|
||||||
|
TLSMinVersion string `json:"tlsMinVersion"`
|
||||||
// authentication specifies how requests to the Kubelet's server are authenticated
|
// authentication specifies how requests to the Kubelet's server are authenticated
|
||||||
Authentication KubeletAuthentication `json:"authentication"`
|
Authentication KubeletAuthentication `json:"authentication"`
|
||||||
// authorization specifies how requests to the Kubelet's server are authorized
|
// authorization specifies how requests to the Kubelet's server are authorized
|
||||||
|
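Review bot: As the versioned, user-facing API type, the `tlsMinVersion` doc comment should spell out the accepted names and the default rather than only pointing at the Go package constants, and it should say that the match is by exact name so a value like `TLS12` fails instead of silently falling back. Proposed: `// TLSMinVersion is the minimum TLS version supported by the kubelet's server.`, `// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants): VersionTLS10, VersionTLS11 or VersionTLS12.` and `// If empty, VersionTLS12 is used; any other value is rejected.`. The `` `json:"tlsMinVersion"` `` tag mirrors `tlsCipherSuites` above, so the serialization side looks consistent. The struct starts before and ends after the hunk.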
@ -159,6 +159,7 @@ func autoConvert_v1alpha1_KubeletConfiguration_To_kubeletconfig_KubeletConfigura
|
|||||||
out.TLSCertFile = in.TLSCertFile
|
out.TLSCertFile = in.TLSCertFile
|
||||||
out.TLSPrivateKeyFile = in.TLSPrivateKeyFile
|
out.TLSPrivateKeyFile = in.TLSPrivateKeyFile
|
||||||
out.TLSCipherSuites = *(*[]string)(unsafe.Pointer(&in.TLSCipherSuites))
|
out.TLSCipherSuites = *(*[]string)(unsafe.Pointer(&in.TLSCipherSuites))
|
||||||
|
out.TLSMinVersion = in.TLSMinVersion
|
||||||
if err := Convert_v1alpha1_KubeletAuthentication_To_kubeletconfig_KubeletAuthentication(&in.Authentication, &out.Authentication, s); err != nil {
|
if err := Convert_v1alpha1_KubeletAuthentication_To_kubeletconfig_KubeletAuthentication(&in.Authentication, &out.Authentication, s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@ -281,6 +282,7 @@ func autoConvert_kubeletconfig_KubeletConfiguration_To_v1alpha1_KubeletConfigura
|
|||||||
out.TLSCertFile = in.TLSCertFile
|
out.TLSCertFile = in.TLSCertFile
|
||||||
out.TLSPrivateKeyFile = in.TLSPrivateKeyFile
|
out.TLSPrivateKeyFile = in.TLSPrivateKeyFile
|
||||||
out.TLSCipherSuites = *(*[]string)(unsafe.Pointer(&in.TLSCipherSuites))
|
out.TLSCipherSuites = *(*[]string)(unsafe.Pointer(&in.TLSCipherSuites))
|
||||||
|
out.TLSMinVersion = in.TLSMinVersion
|
||||||
if err := Convert_kubeletconfig_KubeletAuthentication_To_v1alpha1_KubeletAuthentication(&in.Authentication, &out.Authentication, s); err != nil {
|
if err := Convert_kubeletconfig_KubeletAuthentication_To_v1alpha1_KubeletAuthentication(&in.Authentication, &out.Authentication, s); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
@ -54,6 +54,9 @@ type SecureServingOptions struct {
|
|||||||
// CipherSuites is the list of allowed cipher suites for the server.
|
// CipherSuites is the list of allowed cipher suites for the server.
|
||||||
// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
|
// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
|
||||||
CipherSuites []string
|
CipherSuites []string
|
||||||
|
// MinTLSVersion is the minimum TLS version supported.
|
||||||
|
// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
|
||||||
|
MinTLSVersion string
|
||||||
}
|
}
|
||||||
|
|
||||||
type CertKey struct {
|
type CertKey struct {
|
||||||
@ -142,6 +145,10 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
|
|||||||
"Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). "+
|
"Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). "+
|
||||||
"If omitted, the default Go cipher suites will be used")
|
"If omitted, the default Go cipher suites will be used")
|
||||||
|
|
||||||
|
fs.StringVar(&s.MinTLSVersion, "tls-min-version", s.MinTLSVersion,
|
||||||
|
"Minimum TLS version supported. "+
|
||||||
|
"Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants.")
|
||||||
|
|
||||||
fs.Var(utilflag.NewNamedCertKeyArray(&s.SNICertKeys), "tls-sni-cert-key", ""+
|
fs.Var(utilflag.NewNamedCertKeyArray(&s.SNICertKeys), "tls-sni-cert-key", ""+
|
||||||
"A pair of x509 certificate and private key file paths, optionally suffixed with a list of "+
|
"A pair of x509 certificate and private key file paths, optionally suffixed with a list of "+
|
||||||
"domain patterns which are fully qualified domain names, possibly with prefixed wildcard "+
|
"domain patterns which are fully qualified domain names, possibly with prefixed wildcard "+
|
||||||
@ -249,6 +256,12 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
|
|||||||
secureServingInfo.CipherSuites = cipherSuites
|
secureServingInfo.CipherSuites = cipherSuites
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var err error
|
||||||
|
secureServingInfo.MinTLSVersion, err = utilflag.TLSVersion(s.MinTLSVersion)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
// load SNI certs
|
// load SNI certs
|
||||||
namedTLSCerts := make([]server.NamedTLSCert, 0, len(s.SNICertKeys))
|
namedTLSCerts := make([]server.NamedTLSCert, 0, len(s.SNICertKeys))
|
||||||
for _, nck := range s.SNICertKeys {
|
for _, nck := range s.SNICertKeys {
|
||||||
@ -261,7 +274,6 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
|
|||||||
return fmt.Errorf("failed to load SNI cert and key: %v", err)
|
return fmt.Errorf("failed to load SNI cert and key: %v", err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
var err error
|
|
||||||
secureServingInfo.SNICerts, err = server.GetNamedCertificateMap(namedTLSCerts)
|
secureServingInfo.SNICerts, err = server.GetNamedCertificateMap(namedTLSCerts)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
|
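Review bot: `applyServingInfoTo` now assigns `secureServingInfo.MinTLSVersion` from `utilflag.TLSVersion(s.MinTLSVersion)`, but none of the hunks rendered on this page declare a `MinTLSVersion` field on `SecureServingInfo` or apply it to the server's `tls.Config`; unless that lives in a file not shown here, the apiserver flag would parse cleanly and have no effect, so I would confirm the generic server's TLS setup reads it as `MinVersion`. Hoisting `var err error` above the SNI loop changes nothing only if the loop body declares its own `err` with `:=`, which the hunk does not show; a plain `minTLSVersion, err := utilflag.TLSVersion(s.MinTLSVersion)` followed by `secureServingInfo.MinTLSVersion = minTLSVersion` would avoid moving the declaration at all. The `--tls-min-version` help text in `AddFlags` has the same gap as the kubelet's: add `"If omitted, VersionTLS12 is used."`. The function continues outside the hunk.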
@ -62,3 +62,26 @@ func TLSCipherSuites(cipherNames []string) ([]uint16, error) {
|
|||||||
}
|
}
|
||||||
return ciphersIntSlice, nil
|
return ciphersIntSlice, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var versions = map[string]uint16{
|
||||||
|
"VersionTLS10": tls.VersionTLS10,
|
||||||
|
"VersionTLS11": tls.VersionTLS11,
|
||||||
|
"VersionTLS12": tls.VersionTLS12,
|
||||||
|
}
|
||||||
|
|
||||||
|
func TLSVersion(versionName string) (uint16, error) {
|
||||||
|
if len(versionName) == 0 {
|
||||||
|
return DefaultTLSVersion(), nil
|
||||||
|
}
|
||||||
|
if version, ok := versions[versionName]; ok {
|
||||||
|
return version, nil
|
||||||
|
}
|
||||||
|
return 0, fmt.Errorf("unknown tls version %q", versionName)
|
||||||
|
}
|
||||||
|
|
||||||
|
func DefaultTLSVersion() uint16 {
|
||||||
|
// Can't use SSLv3 because of POODLE and BEAST
|
||||||
|
// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
|
||||||
|
// Can't use TLSv1.1 because of RC4 cipher usage
|
||||||
|
return tls.VersionTLS12
|
||||||
|
}
|
||||||
|
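Review bot: `TLSVersion` and `DefaultTLSVersion` are exported with no doc comments, and the `versions` map admits `VersionTLS10` and `VersionTLS11` while the comments inside `DefaultTLSVersion` explain why exactly those are unsafe — that tension should be stated at the function so callers know the check is by name only, not by strength. Proposed for the first: `// TLSVersion maps a crypto/tls version constant name (VersionTLS10, VersionTLS11, VersionTLS12) to its uint16 value. An empty name yields DefaultTLSVersion(); unknown names, including VersionSSL30, are an error. No warning is issued when a caller selects a version below the default.`. For the second: `// DefaultTLSVersion is the minimum version used when none is configured: TLS 1.2, since TLS 1.0 is exposed to POODLE/BEAST via CBC and TLS 1.1 still admits RC4.`. The lookup is case-sensitive, so `versionTLS12` is rejected with "unknown tls version"; that is the safe direction, but the help text of the flags should say so.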
@ -80,8 +80,12 @@ func TestConstantMaps(t *testing.T) {
|
|||||||
fmt.Printf("error: %s\n", err.Error())
|
fmt.Printf("error: %s\n", err.Error())
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
discoveredVersions := map[string]bool{}
|
||||||
discoveredCiphers := map[string]bool{}
|
discoveredCiphers := map[string]bool{}
|
||||||
for _, declName := range pkg.Scope().Names() {
|
for _, declName := range pkg.Scope().Names() {
|
||||||
|
if strings.HasPrefix(declName, "VersionTLS") {
|
||||||
|
discoveredVersions[declName] = true
|
||||||
|
}
|
||||||
if strings.HasPrefix(declName, "TLS_RSA_") || strings.HasPrefix(declName, "TLS_ECDHE_") {
|
if strings.HasPrefix(declName, "TLS_RSA_") || strings.HasPrefix(declName, "TLS_ECDHE_") {
|
||||||
discoveredCiphers[declName] = true
|
discoveredCiphers[declName] = true
|
||||||
}
|
}
|
||||||
@ -97,4 +101,14 @@ func TestConstantMaps(t *testing.T) {
|
|||||||
t.Errorf("ciphers map has %s not in tls package", k)
|
t.Errorf("ciphers map has %s not in tls package", k)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
for k := range discoveredVersions {
|
||||||
|
if _, ok := versions[k]; !ok {
|
||||||
|
t.Errorf("discovered version tls.%s not in version map", k)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
for k := range versions {
|
||||||
|
if _, ok := discoveredVersions[k]; !ok {
|
||||||
|
t.Errorf("versions map has %s not in tls package", k)
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
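Review bot: The new assertions only check that the `versions` map and the `VersionTLS*` constants in crypto/tls agree by name; nothing exercises `TLSVersion` itself, so the empty-string default, the unknown-name error and the deliberate exclusion of `VersionSSL30` (skipped by the `strings.HasPrefix(declName, "VersionTLS")` filter) are untested. A small table test in the same file would pin that behaviour, assuming the test file already imports crypto/tls for the cipher checks. Note also that this test will fail, by design, when a newer Go adds `VersionTLS13` until the map is updated — a comment next to `discoveredVersions` would save the next person a puzzled minute, e.g. `// Every VersionTLS* constant in crypto/tls must appear in versions, and vice versa.`.
```go
func TestTLSVersion(t *testing.T) {
	if v, err := TLSVersion(""); err != nil || v != tls.VersionTLS12 {
		t.Errorf("empty name: got (%d, %v), want (VersionTLS12, nil)", v, err)
	}
	if v, err := TLSVersion("VersionTLS10"); err != nil || v != tls.VersionTLS10 {
		t.Errorf("VersionTLS10: got (%d, %v), want (VersionTLS10, nil)", v, err)
	}
	for _, name := range []string{"VersionSSL30", "TLS12", "versiontls12"} {
		if _, err := TLSVersion(name); err == nil {
			t.Errorf("%q: expected an error", name)
		}
	}
}
```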