-If they ask us to write the secret key value in a file, do we need to write the encoded value or the decoded value? (They haven't mentioned anything.)
-If they ask us to delete all the SAs except the mentioned one, do we need to delete the default service account as well? (They haven't mentioned anything.)
QQ: -If they ask us to write the secret key value in a file , Do we need to writ . . .
- Should be the decoded format; writing a base64 string doesn't make much sense.
- default should not be deleted; even if you try to do that, it will be auto-created again.
One more Q: allowing the specific ciphers between API server and etcd means
--tls-cipher-suites on the API server manifest and
--cipher-suites on the etcd manifest, right? @Trung Tran
I have no idea on that!
@Srinivas Padala I have recently attempted my exam and I had that question coming in.
I got it too, verifying if this is the right way to do it.
yes me too, I got this question in both my attempts and I was wrong.
In fact the answer lies in running a kube-bench scan. I did a scan with kube-bench on my local K8s cluster and I could see this:
1.2.35 Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter. --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
In fact, it might have been related to etcd and the API server.
--tls-cipher-suites strings Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used. Preferred values: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384. Insecure values: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_RC4_128_SHA.
--cipher-suites: Comma-separated list of supported TLS cipher suites between server/client and peers (empty will be auto-populated by Go). Available from v3.2.22+, v3.3.7+, and v3.4+.
Also kubelet can be configured to use it:
tlsCipherSuites string tlsCipherSuites is the list of allowed cipher suites for the server. Values are from tls package constants (<https://golang.org/pkg/crypto/tls/#pkg-constants>). Default: nil
hey @Srinivas Padala @Andrej Kohut, even I got this question.
Can you provide more insight on what needs to be done?
I skipped it actually, as I was not aware of it.
Hey @Niroop Janagoudar, what I know is we need to put
--tls-cipher-suites in the api-server spec and
--cipher-suites in the etcd spec with the respective values.
In case you need it for kubelet as well, you need to put
tlsCipherSuites in /var/lib/kubelet/config.yaml and restart kubelet.
okay, let me visit the docs.
Thanks for this information!!
@Niroop Janagoudar, for the TLS question, just run kube-bench on the master node and you will see the CIS recommendation of what needs to be done. The question was actually related to kube-bench.
ohh okay, so running the CIS Benchmark and then modifying the corresponding api-server and etcd config YAML,
and kubelet as well if required.
I would stay clear of the kubelet unless mentioned, as you risk the cluster not coming up at all.