Comment 4 for bug 2054813
OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-playbooks (master)

Reviewed: https://review.opendev.org/c/starlingx/ansible-playbooks/+/910888
Committed: https://opendev.org/starlingx/ansible-playbooks/commit/1bb2f41f4567f844e4999e4a3641c91acd6b2ca2
Submitter: "Zuul (22348)"
Branch: master

commit 1bb2f41f4567f844e4999e4a3641c91acd6b2ca2
Author: Karla Felix <email address hidden>
Date: Mon Mar 4 07:23:49 2024 -0300

    Removing weak ciphers from kube-apiserver

    This commit will remove the support for ciphers considered
    weak based on the NIST list.

    All the ciphers are present in kube-apiserver documentation:
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_AES_128_GCM_SHA256
    - TLS_AES_256_GCM_SHA384

    Test Plan:

    PASS: Run build-pkgs -c -p playbookconfig
    PASS: Run build-image
    PASS: Run a fresh install and verify if the cipher-suites are
          present in kube-apiserver.yaml.
    PASS: Run nmap and verify if only listed ciphers are returned.
    PASS: Run bootstrap and unlock and verify if k8s is healthy.

    Closes-Bug: 2054813

    Change-Id: Icf61080a3bd981c5c3383834b2cbf10ce424492b
    Signed-off-by: Karla Felix <email address hidden>
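
The test plan's check of `kube-apiserver.yaml` can be scripted. This is an added example, not part of the commit or the StarlingX playbooks; it compares the `--tls-cipher-suites` value in a manifest against the six suites listed in the commit message. It assumes the flag appears in `--tls-cipher-suites=...` form as one item of the container command list; the function names and sample manifests are constructed for illustration.

```python
import re

# Allowlist copied from the commit message above.
ALLOWED = frozenset({
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
})

# Matches a YAML list item such as:  - --tls-cipher-suites=A,B  (optionally quoted)
FLAG_RE = re.compile(r"""^\s*-\s*["']?--tls-cipher-suites=([^"'\s#]*)["']?\s*(?:#.*)?$""")

def extract_cipher_suites(manifest_text):
    """Return the suites passed via --tls-cipher-suites, or None if the flag is absent."""
    for line in manifest_text.splitlines():
        m = FLAG_RE.match(line)
        if m:
            return [s.strip() for s in m.group(1).split(",") if s.strip()]
    return None

def audit(manifest_text):
    """Compare the configured suites with ALLOWED and report any drift."""
    suites = extract_cipher_suites(manifest_text)
    if suites is None:
        # Without the flag, kube-apiserver falls back to Go's default suites,
        # so the restriction is not in effect.
        return {"flag_present": False, "unexpected": [],
                "missing": sorted(ALLOWED), "ok": False}
    unexpected = sorted(set(suites) - ALLOWED)
    missing = sorted(ALLOWED - set(suites))
    return {"flag_present": True, "unexpected": unexpected,
            "missing": missing, "ok": not unexpected and not missing}

# Constructed sample manifests (not taken from a real system).
HEADER = "spec:\n  containers:\n  - command:\n    - kube-apiserver\n"
GOOD_MANIFEST = HEADER + "    - --tls-cipher-suites=" + ",".join(sorted(ALLOWED)) + "\n"
WEAK_MANIFEST = GOOD_MANIFEST.rstrip("\n") + ",TLS_RSA_WITH_3DES_EDE_CBC_SHA\n"
NO_FLAG_MANIFEST = HEADER

if __name__ == "__main__":
    for name, text in [("good", GOOD_MANIFEST), ("weak", WEAK_MANIFEST),
                       ("no flag", NO_FLAG_MANIFEST)]:
        print(name, audit(text))
```

A manifest check only confirms the configuration; the nmap step in the test plan remains the confirmation of what the listener actually negotiates.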