TLS security profiles provide a way for servers to regulate which ciphers a client can use when connecting to the server. This ensures that OpenShift Container Platform components use cryptographic libraries that do not allow known insecure protocols, ciphers, or algorithms.
Cluster administrators can choose which TLS security profile to use for each of the following components:
the Ingress Controller
the control plane
This includes the Kubernetes API server, Kubernetes controller manager, Kubernetes scheduler, OpenShift API server, OpenShift OAuth API server, OpenShift OAuth server, and etcd.
the kubelet, when it acts as an HTTP server for the Kubernetes API server
You can use a TLS (Transport Layer Security) security profile to define which TLS ciphers are required by various OpenShift Container Platform components. The OpenShift Container Platform TLS security profiles are based on Mozilla recommended configurations.
You can specify one of the following TLS security profiles for each component:
| Profile | Description | ||
|---|---|---|---|
|
This profile is intended for use with legacy clients or libraries. The profile is based on the Old backward compatibility recommended configuration. The
|
||
|
This profile is the recommended configuration for the majority of clients. It is the default TLS security profile for the Ingress Controller, kubelet, and control plane. The profile is based on the Intermediate compatibility recommended configuration. The |
||
|
This profile is intended for use with modern clients that have no need for backwards compatibility. This profile is based on the Modern compatibility recommended configuration. The |
||
|
This profile allows you to define the TLS version and ciphers to use.
|
|
When using one of the predefined profile types, the effective profile configuration is subject to change between releases. For example, given a specification to use the Intermediate profile deployed on release X.Y.Z, an upgrade to release X.Y.Z+1 might cause a new profile configuration to be applied, resulting in a rollout. |
You can view the minimum TLS version and ciphers for the predefined TLS security profiles for each of the following components: Ingress Controller, control plane, and kubelet.
|
The effective configuration of minimum TLS version and list of ciphers for a profile might differ between components. |
View details for a specific TLS security profile:
$ oc explain <component>.spec.tlsSecurityProfile.<profile> (1)| 1 | For <component>, specify ingresscontroller, apiserver, or kubeletconfig. For <profile>, specify old, intermediate, or custom. |
For example, to check the ciphers included for the intermediate profile for the control plane:
$ oc explain apiserver.spec.tlsSecurityProfile.intermediateKIND: APIServer
VERSION: config.openshift.io/v1
DESCRIPTION:
intermediate is a TLS security profile based on:
https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
and looks like this (yaml):
ciphers: - TLS_AES_128_GCM_SHA256 - TLS_AES_256_GCM_SHA384 -
TLS_CHACHA20_POLY1305_SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 -
ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES256-GCM-SHA384 -
ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 -
ECDHE-RSA-CHACHA20-POLY1305 - DHE-RSA-AES128-GCM-SHA256 -
DHE-RSA-AES256-GCM-SHA384 minTLSVersion: TLSv1.2View all details for the tlsSecurityProfile field of a component:
$ oc explain <component>.spec.tlsSecurityProfile (1)| 1 | For <component>, specify ingresscontroller, apiserver, or kubeletconfig. |
For example, to check all details for the tlsSecurityProfile field for the Ingress Controller:
$ oc explain ingresscontroller.spec.tlsSecurityProfileKIND: IngressController
VERSION: operator.openshift.io/v1
RESOURCE: tlsSecurityProfile <Object>
DESCRIPTION:
...
FIELDS:
custom <>
custom is a user-defined TLS security profile. Be extremely careful using a
custom profile as invalid configurations can be catastrophic. An example
custom profile looks like this:
ciphers: - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 -
ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 minTLSVersion:
TLSv1.1
intermediate <>
intermediate is a TLS security profile based on:
https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
and looks like this (yaml):
... (1)
modern <>
modern is a TLS security profile based on:
https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility and
looks like this (yaml):
... (2)
NOTE: Currently unsupported.
old <>
old is a TLS security profile based on:
https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
and looks like this (yaml):
... (3)
type <string>
...| 1 | Lists ciphers and minimum version for the intermediate profile here. |
| 2 | Lists ciphers and minimum version for the modern profile here. |
| 3 | Lists ciphers and minimum version for the old profile here. |
To configure a TLS security profile for an Ingress Controller, edit the IngressController custom resource (CR) to specify a predefined or custom TLS security profile. If a TLS security profile is not configured, the default value is based on the TLS security profile set for the API server.
IngressController CR that configures the Old TLS security profileapiVersion: operator.openshift.io/v1
kind: IngressController
...
spec:
tlsSecurityProfile:
old: {}
type: Old
...The TLS security profile defines the minimum TLS version and the TLS ciphers for TLS connections for Ingress Controllers.
You can see the ciphers and the minimum TLS version of the configured TLS security profile in the IngressController custom resource (CR) under Status.Tls Profile and the configured TLS security profile under Spec.Tls Security Profile. For the Custom TLS security profile, the specific ciphers and minimum TLS version are listed under both parameters.
|
The HAProxy Ingress Controller image supports TLS The Ingress Operator also converts the TLS |
You have access to the cluster as a user with the cluster-admin role.
Edit the IngressController CR in the openshift-ingress-operator project to configure the TLS security profile:
$ oc edit IngressController default -n openshift-ingress-operatorAdd the spec.tlsSecurityProfile field:
IngressController CR for a Custom profileapiVersion: operator.openshift.io/v1
kind: IngressController
...
spec:
tlsSecurityProfile:
type: Custom (1)
custom: (2)
ciphers: (3)
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES128-GCM-SHA256
minTLSVersion: VersionTLS11
...| 1 | Specify the TLS security profile type (Old, Intermediate, or Custom). The default is Intermediate. |
| 2 | Specify the appropriate field for the selected type:
|
| 3 | For the custom type, specify a list of TLS ciphers and minimum accepted TLS version. |
Save the file to apply the changes.
Verify that the profile is set in the IngressController CR:
$ oc describe IngressController default -n openshift-ingress-operatorName: default
Namespace: openshift-ingress-operator
Labels: <none>
Annotations: <none>
API Version: operator.openshift.io/v1
Kind: IngressController
...
Spec:
...
Tls Security Profile:
Custom:
Ciphers:
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
Min TLS Version: VersionTLS11
Type: Custom
...To configure a TLS security profile for the control plane, edit the APIServer custom resource (CR) to specify a predefined or custom TLS security profile. Setting the TLS security profile in the APIServer CR propagates the setting to the following control plane components:
Kubernetes API server
Kubernetes controller manager
Kubernetes scheduler
OpenShift API server
OpenShift OAuth API server
OpenShift OAuth server
etcd
If a TLS security profile is not configured, the default TLS security profile is Intermediate.
|
The default TLS security profile for the Ingress Controller is based on the TLS security profile set for the API server. |
APIServer CR that configures the Old TLS security profileapiVersion: config.openshift.io/v1
kind: APIServer
...
spec:
tlsSecurityProfile:
old: {}
type: Old
...The TLS security profile defines the minimum TLS version and the TLS ciphers required to communicate with the control plane components.
You can see the configured TLS security profile in the APIServer custom resource (CR) under Spec.Tls Security Profile. For the Custom TLS security profile, the specific ciphers and minimum TLS version are listed.
|
The control plane does not support TLS |
You have access to the cluster as a user with the cluster-admin role.
Edit the default APIServer CR to configure the TLS security profile:
$ oc edit APIServer clusterAdd the spec.tlsSecurityProfile field:
APIServer CR for a Custom profileapiVersion: config.openshift.io/v1
kind: APIServer
metadata:
name: cluster
spec:
tlsSecurityProfile:
type: Custom (1)
custom: (2)
ciphers: (3)
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES128-GCM-SHA256
minTLSVersion: VersionTLS11| 1 | Specify the TLS security profile type (Old, Intermediate, or Custom). The default is Intermediate. |
| 2 | Specify the appropriate field for the selected type:
|
| 3 | For the custom type, specify a list of TLS ciphers and minimum accepted TLS version. |
Save the file to apply the changes.
Verify that the TLS security profile is set in the APIServer CR:
$ oc describe apiserver clusterName: cluster
Namespace:
...
API Version: config.openshift.io/v1
Kind: APIServer
...
Spec:
Audit:
Profile: Default
Tls Security Profile:
Custom:
Ciphers:
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
Min TLS Version: VersionTLS11
Type: Custom
...Verify that the TLS security profile is set in the etcd CR:
$ oc describe etcd clusterName: cluster
Namespace:
...
API Version: operator.openshift.io/v1
Kind: Etcd
...
Spec:
Log Level: Normal
Management State: Managed
Observed Config:
Serving Info:
Cipher Suites:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Min TLS Version: VersionTLS12
...To configure a TLS security profile for the kubelet when it is acting as an HTTP server, create a KubeletConfig custom resource (CR) to specify a predefined or custom TLS security profile for specific nodes. If a TLS security profile is not configured, the default TLS security profile is Intermediate.
The kubelet uses its HTTP/GRPC server to communicate with the Kubernetes API server, which sends commands to pods, gathers logs, and run exec commands on pods through the kubelet.
KubeletConfig CR that configures the Old TLS security profile on worker nodesapiVersion: config.openshift.io/v1
kind: KubeletConfig
...
spec:
tlsSecurityProfile:
old: {}
type: Old
machineConfigPoolSelector:
matchLabels:
pools.operator.machineconfiguration.openshift.io/worker: ""You can see the ciphers and the minimum TLS version of the configured TLS security profile in the kubelet.conf file on a configured node.
You have access to the cluster as a user with the cluster-admin role.
Create a KubeletConfig CR to configure the TLS security profile:
KubeletConfig CR for a Custom profileapiVersion: machineconfiguration.openshift.io/v1
kind: KubeletConfig
metadata:
name: set-kubelet-tls-security-profile
spec:
tlsSecurityProfile:
type: Custom (1)
custom: (2)
ciphers: (3)
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES128-GCM-SHA256
minTLSVersion: VersionTLS11
machineConfigPoolSelector:
matchLabels:
pools.operator.machineconfiguration.openshift.io/worker: "" (4)| 1 | Specify the TLS security profile type (Old, Intermediate, or Custom). The default is Intermediate. |
| 2 | Specify the appropriate field for the selected type:
|
| 3 | For the custom type, specify a list of TLS ciphers and minimum accepted TLS version. |
| 4 | Optional: Specify the machine config pool label for the nodes you want to apply the TLS security profile. |
Create the KubeletConfig object:
$ oc create -f <filename>Depending on the number of worker nodes in the cluster, wait for the configured nodes to be rebooted one by one.
To verify that the profile is set, perform the following steps after the nodes are in the Ready state:
Start a debug session for a configured node:
$ oc debug node/<node_name>Set /host as the root directory within the debug shell:
sh-4.4# chroot /hostView the kubelet.conf file:
sh-4.4# cat /etc/kubernetes/kubelet.confkind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
...
"tlsCipherSuites": [
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
],
"tlsMinVersion": "VersionTLS12",