Hi, I don't fully understand the `--tls-min-version` and `--tls-cipher-suites` . . .

Tobias:
Hi, I don't fully understand the `--tls-min-version` and `--tls-cipher-suites` arguments of the API server: when these arguments are set, will that hold for *any* TLS communication of the API server, whether acting as a server, e.g. for `kubectl`, or acting as a client, e.g. for etcd & kubelet?

Pradhan:

  1. `--tls-min-version`:
     ◦ This flag sets the minimum TLS version that the API server will accept for TLS connections.
     ◦ For example, if you set `--tls-min-version=VersionTLS12`, the API server will only accept TLS connections that are version 1.2 or higher. This can be crucial for ensuring that older, less secure TLS versions are not used.
  2. `--tls-cipher-suites`:
     ◦ This flag allows you to specify a list of cipher suites that the API server will accept for TLS connections.
     ◦ Cipher suites determine the encryption algorithms used during the TLS handshake process. Specifying this list allows you to exclude weaker cipher suites and ensure stronger encryption for TLS connections.

Now to answer your question:

When APISERVER acts as a server, these settings directly dictate the TLS parameters for these connections.

When APISERVER acts as a client, these settings don't apply, as APISERVER as a client would have its own client-side TLS configuration.

Pradhan:
Ideally you would be concerned about this flag `--tls-min-version` or `--tls-cipher-suites` when a weaker cipher or lower version of TLS is specified and it has been detected by your cyber security team.

Tobias:
Thanks for the clarification!