commit 1bb2f41f4567f844e4999e4a3641c91acd6b2ca2
Author: Karla Felix <email address hidden>
Date: Mon Mar 4 07:23:49 2024 -0300
Removing weak ciphers from kube-apiserver
This commit will remove the support for ciphers considered
weak based on the NIST list.
All the ciphers are present in kube-apiserver documentation:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
Test Plan:
PASS: Run build-pkgs -c -p playbookconfig
PASS: Run build-image
PASS: Run a fresh install and verify if the cipher-suites are
present in kube-apiserver.yaml.
PASS: Run nmap and verify if only listed ciphers are returned.
PASS: Run bootstrap and unlock and verify if k8s is healthy.
Closes-Bug: 2054813
Change-Id: Icf61080a3bd981c5c3383834b2cbf10ce424492b
Signed-off-by: Karla Felix <email address hidden>
Reviewed: https://review.opendev.org/c/starlingx/ansible-playbooks/+/910888
Committed: https://opendev.org/starlingx/ansible-playbooks/commit/1bb2f41f4567f844e4999e4a3641c91acd6b2ca2
Submitter: "Zuul (22348)"
Branch: master
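An added example, not part of the commit or the StarlingX playbooks: a Python check for the test-plan step that verifies the cipher suites in kube-apiserver.yaml. It assumes the suites are passed through kube-apiserver's `--tls-cipher-suites` flag in the manifest's command list; the function name and both sample manifests are constructed for illustration.

```python
import re

# Allowlist copied from the commit message above.
ALLOWED = frozenset({
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
})

# Matches the flag as a YAML list item (quoted or not); commented lines do not match.
FLAG_RE = re.compile(r"""^\s*-\s*["']?--tls-cipher-suites=([^"'\s#]*)""", re.M)

def audit_cipher_suites(manifest_text):
    """Return (unexpected, missing) sets of suite names for a manifest.

    Raises ValueError when the flag is absent: the server would then use
    its built-in default suites instead of the allowlist.
    """
    values = FLAG_RE.findall(manifest_text)
    if not values:
        raise ValueError("--tls-cipher-suites is not set in the manifest")
    # If the flag appears more than once, audit every value it was given.
    configured = {s.strip() for v in values for s in v.split(",") if s.strip()}
    return configured - ALLOWED, ALLOWED - configured

# Constructed sample manifests (not taken from a real system).
HEADER = "spec:\n  containers:\n  - command:\n    - kube-apiserver\n"
HARDENED = HEADER + "    - --tls-cipher-suites=" + ",".join(sorted(ALLOWED)) + "\n"
WEAK = HEADER + (
    "    - --tls-cipher-suites=TLS_AES_128_GCM_SHA256,"
    "TLS_AES_256_GCM_SHA384,TLS_RSA_WITH_3DES_EDE_CBC_SHA\n"
)

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("weak", WEAK)):
        unexpected, missing = audit_cipher_suites(text)
        status = "PASS" if not unexpected and not missing else "FAIL"
        print(f"{status} {name}: unexpected={sorted(unexpected)} missing={sorted(missing)}")
```

A manifest check only covers the configured value; the nmap step in the test plan is still what confirms the suites the running server actually negotiates.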