Srinivas Padala:
QQ:
- If they ask us to write the secret key value in a file, do we need to write the encoded value or the decoded value? (They haven't mentioned anything.)
- If they ask us to delete all the SAs except the mentioned one, do we need to delete the default service account as well? (They haven't mentioned anything.)

Trung Tran:

  1. Should be the decoded format; writing a base64 string doesn't make much sense.
  2. default should not be deleted; even if you try to do that, it will be auto-created again.

Srinivas Padala:
Thank you

Srinivas Padala:
One more Q: allowing specific ciphers between the API server and etcd means
adding --tls-cipher-suites to the API server manifest and --cipher-suites to the etcd manifest, right? @Trung Tran

Trung Tran:
I have no idea on that!

Srinivas Padala:
https://www.ibm.com/docs/ru/cloud-private/3.1.2?topic=installation-specifying-tls-ciphers-etcd-kubernetes

Salman Bawazeer:
@Srinivas Padala I have recently attempted my exam; I had that question come up.

Srinivas Padala:
I got it too, verifying if this is the right way to do it.

Ansuman Roy:
Yes, me too; I got this question in both my attempts and I was wrong.

Ansuman Roy:
In fact, the answer lies in running a kube-bench scan. I did a scan with kube-bench on my local K8s cluster and I could see this:

1.2.35 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml
on the master node and set the below parameter.
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Andrej Kohut:
In fact, it might have been related to etcd and the API server.
https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/

--tls-cipher-suites strings
Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used.
Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384.
Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA.

--cipher-suites: Comma-separated list of supported TLS cipher suites between server/client and peers (empty will be auto-populated by Go). Available from v3.2.22+, v3.3.7+, and v3.4+.
https://etcd.io/docs/v3.5/op-guide/security/

Also, kubelet can be configured to use it:
https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/

tlsCipherSuites ([]string)
tlsCipherSuites is the list of allowed cipher suites for the server. Values are from tls package constants (<https://golang.org/pkg/crypto/tls/#pkg-constants>). Default: nil

Niroop Janagoudar:
Hey @Srinivas Padala @Andrej Kohut, even I got this question.
Can you provide more insight on what needs to be done?
I skipped it actually, as I was not aware of it.

Srinivas Padala:
Hey @Niroop Janagoudar, what I know is that we need to put --tls-cipher-suites in the api-server spec and --cipher-suites in the etcd spec with the respective values.
In case you need it for kubelet as well, you need to put tlsCipherSuites in /var/lib/kubelet/config.yaml and restart kubelet.

Srinivas Padala:
https://www.ibm.com/docs/ru/cloud-private/3.1.2?topic=installation-specifying-tls-ciphers-etcd-kubernetes

Niroop Janagoudar:
Okay, let me visit the docs.

Niroop Janagoudar:
Thanks for this information!!

Ansuman Roy:
@Niroop Janagoudar, for the TLS question, just run kube-bench on the master node and you will see the CIS recommendation of what needs to be done. The question was actually related to kube-bench.

Niroop Janagoudar:
Ohh okay, so running the CIS Benchmark and then modifying the corresponding api-server and etcd config YAML.

Niroop Janagoudar:
If required, kubelet as well.

Ansuman Roy:
I would stay clear of the kubelet unless mentioned, as you risk the cluster not coming up at all.