Restrict weak CBC-mode ciphers¶
These instructions describe how to disable weak CBC-mode TLS ciphers and how to enforce stronger, modern cipher suites across your MKE cluster.
Enable hardening and strong TLS cipher suites¶
To enable strong TLS cipher enforcement, set the hardening_configuration.hardening_enabled and hardening_configuration.use_strong_tls_ciphers parameters of the MKE configuration file to true.
[hardening_configuration]
hardening_enabled = true
use_strong_tls_ciphers = true
The hardening_enabled parameter must be set to true to enable the use_strong_tls_ciphers parameter, which restricts the allowed cipher suites for:
cipher_suites_for_kube_api_server
cipher_suites_for_kubelet
cipher_suites_for_etcd_server
The use of these parameters ensures the exclusion of weak CBC-mode ciphers from all major Kubernetes control plane components.
Configure the Kubernetes controller manager cipher suites¶
Note
Starting with MKE 3.8.10, weak CBC-mode ciphers are removed by default from all MKE components, with the exception of the Kubernetes controller manager. Thus, the configuration detailed below is all that is needed to fully protect your MKE cluster from CBC-mode cipher usage.
As the Kubernetes controller manager does not inherit the strict cipher list, you must explicitly set the cipher configuration through the use of custom flags.
To enforce the desired cipher list, specify the --tls-cipher-suites flag using the cluster_config.custom_kube_controller_manager_flags option in your MKE configuration file.
Example:
[cluster_config]
custom_kube_controller_manager_flags = [
"--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
]
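The following added example (not MKE's own tooling) lints an MKE configuration fragment for the two settings above: it checks that hardening with strong ciphers is enabled and that the kube-controller-manager --tls-cipher-suites flag, which does not inherit the hardened list, names only AEAD suites. It assumes Python 3.11 for tomllib (or the tomli package on older interpreters); the sample configuration is constructed and deliberately leaves one CBC suite in place so the lint has something to report.

```python
import re
try:
    import tomllib  # Python 3.11+; older interpreters need the tomli package
except ModuleNotFoundError:
    import tomli as tomllib

# Constructed sample: the hardened settings from this page plus a controller-manager
# flag that still permits a CBC suite, so the lint has something to report.
SAMPLE_CONFIG = """
[hardening_configuration]
hardening_enabled = true
use_strong_tls_ciphers = true
[cluster_config]
custom_kube_controller_manager_flags = [
  "--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
]
"""

# Go/Kubernetes cipher suite names: AEAD suites carry GCM or CHACHA20_POLY1305.
AEAD_RE = re.compile(r"_(GCM|CHACHA20_POLY1305)_")


def find_cipher_flag(flags):
    """Return the value of --tls-cipher-suites from a flag list, or None."""
    for flag in flags:
        name, sep, value = flag.partition("=")
        if name == "--tls-cipher-suites" and sep:
            return value
    return None


def weak_suites(cipher_list):
    """Return suites in a comma-separated list that are not AEAD (CBC-mode or worse)."""
    return [s for s in cipher_list.split(",") if s and not AEAD_RE.search(s)]


def lint(config_text):
    """Return a list of findings; an empty list means the fragment is clean."""
    cfg = tomllib.loads(config_text)
    findings = []
    hard = cfg.get("hardening_configuration", {})
    if not hard.get("hardening_enabled"):
        findings.append("hardening_enabled is not true")
    if not hard.get("use_strong_tls_ciphers"):
        findings.append("use_strong_tls_ciphers is not true")
    flags = cfg.get("cluster_config", {}).get("custom_kube_controller_manager_flags", [])
    ciphers = find_cipher_flag(flags)
    if ciphers is None:
        findings.append("kube-controller-manager has no --tls-cipher-suites flag")
    else:
        findings += [f"kube-controller-manager allows non-AEAD suite {s}" for s in weak_suites(ciphers)]
    return findings
```

Run lint() over your own MKE configuration file before applying it; the CBC suite in the constructed sample is reported, whereas the cipher list shown in the example above yields no findings.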