Note: to enable this control run Kubescape with host sensor (see here)
TLS ciphers have had a number of known vulnerabilities and weaknesses, which can reduce the protection provided by them. By default Kubernetes supports a number of TLS ciphersuites including some that have security concerns, weakening the protection provided.
Ensure that the Kubelet is configured to only use strong cryptographic ciphers.
The set of cryptographic ciphers currently considered secure is the following:
Run the following command on each node:
ps -ef | grep kubelet
--tls-cipher-suites argument is present, ensure it only contains values included in this set.
If it is not present check that there is a Kubelet config file specified by
--config, and that file sets
TLSCipherSuites: to only include values from this set.
If using a Kubelet config file, edit the file to set
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 or to a subset of these values.
If using executable arguments, edit the kubelet service file
/etc/kubernetes/kubelet.conf on each worker node and set the
--tls-cipher-suites parameter as follows, or to a subset of these values.
Based on your system, restart the
kubelet service. For example:
systemctl daemon-reload systemctl restart kubelet.service
Kubelet clients that cannot support modern cryptographic ciphers will not be able to make connections to the Kubelet API.
By default the Kubernetes API server supports a wide range of TLS ciphers
Updated 12 days ago