• Kubernetes Submit Queue's avatar
    Merge pull request #48859 from victorgp/master · b7100f1e
    Kubernetes Submit Queue authored
    Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
    
    Support for custom tls cipher suites in api server and kubelet
    
    **What this PR does / why we need it**:
    This pull request aims to solve the problem of users not able to set custom cipher suites in the api server.
    Several users have requested this given that some default ciphers are vulnerable.
    There is a discussion in #41038 of how to implement this. The options are:
    - Setting a fixed list of ciphers, but users will have different requirements so a fixed list would be problematic.
    - Letting the user set them by parameter, this requires adding a new parameter that could be pretty long with the list of all the ciphers.
    
    I implemented the second option, if the ciphers are not passed by parameter, the Go default ones will be used (same behavior as now).
    
    **Which issue this PR fixes** 
    fixes #41038 
    
    **Special notes for your reviewer**:
    The ciphers in Go tls config are constants and the ones passed by parameters are a comma-separated list. I needed to create the `type CipherSuitesFlag` to support that conversion/mapping, because i couldn't find any way to do this type of reflection in Go.
    If you think there is another way to implement this, let me know.
    
    If you want to test it out, this is a ciphers combination i tested without the weak ones:
    
    ```
    TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    ```
    
    If this is merged i will implement the same for the Kubelet.
    
    **Release note**:
    ```release-note
    kube-apiserver and kubelet now support customizing TLS ciphers via a `--tls-cipher-suites` flag
    ```
    b7100f1e
Name
Last commit
Last update
..
api Loading commit data...
apis Loading commit data...
auth Loading commit data...
capabilities Loading commit data...
client Loading commit data...
cloudprovider Loading commit data...
controller Loading commit data...
credentialprovider Loading commit data...
features Loading commit data...
fieldpath Loading commit data...
generated Loading commit data...
kubeapiserver Loading commit data...
kubectl Loading commit data...
kubelet Loading commit data...
kubemark Loading commit data...
master Loading commit data...
printers Loading commit data...
probe Loading commit data...
proxy Loading commit data...
quota Loading commit data...
registry Loading commit data...
routes Loading commit data...
scheduler Loading commit data...
security Loading commit data...
securitycontext Loading commit data...
serviceaccount Loading commit data...
ssh Loading commit data...
util Loading commit data...
version Loading commit data...
volume Loading commit data...
watch Loading commit data...
.import-restrictions Loading commit data...
BUILD Loading commit data...
OWNERS Loading commit data...