From 13354d3da4db4496b236da9feb215b6597a1af12 Mon Sep 17 00:00:00 2001
From: Leonard Cohnen
Date: Mon, 30 Jan 2023 14:42:45 +0100
Subject: [PATCH 1/3] Add note about TLS 1.3 cipher suites

---
 pkg/generated/openapi/zz_generated.openapi.go | 2 +-
 pkg/kubelet/apis/config/types.go | 1 +
 staging/src/k8s.io/kubelet/config/v1beta1/types.go | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/pkg/generated/openapi/zz_generated.openapi.go b/pkg/generated/openapi/zz_generated.openapi.go
index 30ab1279d3f..386f5b01407 100644
--- a/pkg/generated/openapi/zz_generated.openapi.go
+++ b/pkg/generated/openapi/zz_generated.openapi.go
@@ -57220,7 +57220,7 @@ func schema_k8sio_kubelet_config_v1beta1_KubeletConfiguration(ref common.Referen
 },
 "tlsCipherSuites": {
 SchemaProps: spec.SchemaProps{
- Description: "tlsCipherSuites is the list of allowed cipher suites for the server. Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). Default: nil",
+ Description: "tlsCipherSuites is the list of allowed cipher suites for the server. Note that TLS 1.3 ciphersuites are not configurable. Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). Default: nil",
 Type: []string{"array"},
 Items: &spec.SchemaOrArray{
 Schema: &spec.Schema{
diff --git a/pkg/kubelet/apis/config/types.go b/pkg/kubelet/apis/config/types.go
index e0a30fe26db..81992b38a4a 100644
--- a/pkg/kubelet/apis/config/types.go
+++ b/pkg/kubelet/apis/config/types.go
@@ -123,6 +123,7 @@ type KubeletConfiguration struct {
 // tlsPrivateKeyFile is the file containing x509 private key matching tlsCertFile
 TLSPrivateKeyFile string
 // TLSCipherSuites is the list of allowed cipher suites for the server.
+ // Note that TLS 1.3 ciphersuites are not configurable.
 // Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
 TLSCipherSuites []string
 // TLSMinVersion is the minimum TLS version supported.
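Review bot: The added comment spells the term "ciphersuites" while the line directly above it says "cipher suites"; keep one spelling within the doc block, `// Note that TLS 1.3 cipher suites are not configurable.` The same wording is added in the staging v1beta1 types.go hunk and, through regeneration, in the openapi description, so all three should change together. It would also help a reader deciding how to harden the kubelet to say what the list does apply to, e.g. `// This list only affects TLS 1.2 and earlier handshakes; TLS 1.3 suites are fixed by the Go standard library.` The KubeletConfiguration struct starts and ends outside the hunk.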
diff --git a/staging/src/k8s.io/kubelet/config/v1beta1/types.go b/staging/src/k8s.io/kubelet/config/v1beta1/types.go
index 79bca2b3459..09d7e7af763 100644
--- a/staging/src/k8s.io/kubelet/config/v1beta1/types.go
+++ b/staging/src/k8s.io/kubelet/config/v1beta1/types.go
@@ -150,6 +150,7 @@ type KubeletConfiguration struct {
 // +optional
 TLSPrivateKeyFile string `json:"tlsPrivateKeyFile,omitempty"`
 // tlsCipherSuites is the list of allowed cipher suites for the server.
+ // Note that TLS 1.3 ciphersuites are not configurable.
 // Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
 // Default: nil
 // +optional
From fabf1cba947a8b4be4396829773229868fef4670 Mon Sep 17 00:00:00 2001
From: Leonard Cohnen
Date: Thu, 2 Feb 2023 17:02:38 +0100
Subject: [PATCH 2/3] Add warning about TLS 1.3 cipher suites

---
 cmd/kubelet/app/server.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
index 12c641048cd..aba7e500542 100644
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
@@ -1060,6 +1060,12 @@ func InitializeTLS(kf *options.KubeletFlags, kc *kubeletconfiginternal.KubeletCo
 return nil, err
 }
 
+ if minTLSVersion == tls.VersionTLS13 {
+ if len(tlsCipherSuites) != 0 {
+ klog.Warning("TLS 1.3 cipher suites are not configurable, ignoring --tls-cipher-suites")
+ }
+ }
+
 tlsOptions := &server.TLSOptions{
 Config: &tls.Config{
 MinVersion: minTLSVersion,
From 77692f1b1c5da7c6032a3d7f31af2ea76928e4d1 Mon Sep 17 00:00:00 2001
From: Leonard Cohnen
Date: Wed, 8 Feb 2023 17:46:18 +0100
Subject: [PATCH 3/3] fix linting

---
 cmd/kubelet/app/server.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
index aba7e500542..9e9f930a3ed 100644
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
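Review bot: The new warning in the server.go hunk fires only when the operator forces TLS 1.3 as the minimum version, so with a lower minimum a configured cipher-suite list is still silently ignored for every connection that negotiates TLS 1.3 (Go's crypto/tls does not let CipherSuites restrict TLS 1.3 suites), which is exactly the case an operator restricting cipher selection is most likely to miss. Consider a comment above the new block such as `// Go's crypto/tls ignores CipherSuites for TLS 1.3; this only warns when no TLS 1.2 handshake can occur at all, the list still has no effect on negotiated TLS 1.3 connections.` The two nested ifs can be a single condition, `if minTLSVersion == tls.VersionTLS13 && len(tlsCipherSuites) != 0 {`. The message names only the flag; if tlsCipherSuites can also come from the tlsCipherSuites field of the KubeletConfiguration passed as kc, naming both sources would be clearer. InitializeTLS starts and ends outside the hunk.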
@@ -1062,7 +1062,7 @@ func InitializeTLS(kf *options.KubeletFlags, kc *kubeletconfiginternal.KubeletCo
 if minTLSVersion == tls.VersionTLS13 {
 if len(tlsCipherSuites) != 0 {
- klog.Warning("TLS 1.3 cipher suites are not configurable, ignoring --tls-cipher-suites")
+ klog.InfoS("Warning: TLS 1.3 cipher suites are not configurable, ignoring --tls-cipher-suites")
 }
 }