C-0184 - Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
Prerequisites
Run Kubescape with host sensor (see here)
Framework
cis-v1.23-t1.0.1
Severity
Medium
Description of the the issue
TLS ciphers have had a number of known vulnerabilities and weaknesses, which can reduce the protection provided by them. By default Kubernetes supports a number of TLS ciphersuites including some that have security concerns, weakening the protection provided.
Related resources
What does this control test
Ensure that the Kubelet is configured to only use strong cryptographic ciphers.
How to check it manually
The set of cryptographic ciphers currently considered secure is the following:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
Run the following command on each node:
ps -ef | grep kubelet
If the --tls-cipher-suites
argument is present, ensure it only contains values included in this set.
If it is not present check that there is a Kubelet config file specified by --config
, and that file sets TLSCipherSuites:
to only include values from this set.
Remediation
If using a Kubelet config file, edit the file to set TLSCipherSuites:
to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
or to a subset of these values.
If using executable arguments, edit the kubelet service file /etc/kubernetes/kubelet.conf
on each worker node and set the --tls-cipher-suites
parameter as follows, or to a subset of these values.
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
Based on your system, restart the kubelet
service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
Impact Statement
Kubelet clients that cannot support modern cryptographic ciphers will not be able to make connections to the Kubelet API.
Default Value
By default the Kubernetes API server supports a wide range of TLS ciphers
Example
No example
Updated 11 days ago