upstream/kubernetes
1
0
Fork 0
mirror of https://github.com/kubernetes/kubernetes.git synced 2026-05-17 03:19:33 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
kubernetes/test
History
Kubernetes Submit Queue b7100f1ee7
Merge pull request #48859 from victorgp/master 
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Support for custom tls cipher suites in api server and kubelet

**What this PR does / why we need it**:
This pull request aims to solve the problem of users not able to set custom cipher suites in the api server.
Several users have requested this given that some default ciphers are vulnerable.
There is a discussion in #41038 of how to implement this. The options are:
- Setting a fixed list of ciphers, but users will have different requirements so a fixed list would be problematic.
- Letting the user set them by parameter, this requires adding a new parameter that could be pretty long with the list of all the ciphers.

I implemented the second option, if the ciphers are not passed by parameter, the Go default ones will be used (same behavior as now).

**Which issue this PR fixes** 
fixes #41038 

**Special notes for your reviewer**:
The ciphers in Go tls config are constants and the ones passed by parameters are a comma-separated list. I needed to create the `type CipherSuitesFlag` to support that conversion/mapping, because i couldn't find any way to do this type of reflection in Go.
If you think there is another way to implement this, let me know.

If you want to test it out, this is a ciphers combination i tested without the weak ones:

```
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
```

If this is merged i will implement the same for the Kubelet.

**Release note**:
```release-note
kube-apiserver and kubelet now support customizing TLS ciphers via a `--tls-cipher-suites` flag
```
2018-01-17 17:46:40 -08:00
..
conformance
e2e Merge pull request #55595 from guangxuli/move_token_constant_and_helper 2018-01-17 10:22:25 -08:00
e2e_node Merge pull request #58323 from miaoyq/benchmark-non-docker-specific 2018-01-17 14:17:26 -08:00
fixtures
images
integration Merge pull request #48859 from victorgp/master 2018-01-17 17:46:40 -08:00
kubemark
list
soak
utils
BUILD
OWNERS
test_owners.csv
test_owners.json