
[PMK-6474] : Restrict TLS cipher suites for kube-rbac-proxy container #213

Merged (2 commits) on Jul 16, 2024

@cruizen cruizen (Contributor) commented Jul 11, 2024

  • Fixes PMK-6474
  • Use the image quay.io/brancz/kube-rbac-proxy:v0.18.0 consistently instead of older versions from gcr.io/kubebuilder/kube-rbac-proxy
  • Update README.md with minor markdown syntax fixes and add a how-to-build section
  • Update whereabouts image to a new patch with security fixes
  • Fix the security issue flagged by network vulnerability scanning tools by setting the minimum version of TLS to v1.2 and restricting the set of TLS cipher suites to the following secure ciphers:
        - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - --tls-min-version=VersionTLS12

On updating the addon-operator configuration to use the updated images, the following output shows the relevant pods running:

root@test-pf9-qbert-bare-os-u20-3309216-470-1:~# kubectl get pod -n luigi-system luigi-controller-manager-6665fbdbdc-rjjh2 -oyaml | grep -i image:
    image: quay.io/brancz/kube-rbac-proxy:v0.18.0
    image: docker.io/platform9/luigi-plugins:v0.5.6
    image: quay.io/brancz/kube-rbac-proxy:v0.18.0
    image: docker.io/platform9/luigi-plugins:v0.5.6

root@test-pf9-qbert-bare-os-u20-3309216-470-1:~# kubectl get pod -n luigi-system  whereabouts-22gm9 -oyaml | grep -i image:
    image: docker.io/platform9/whereabouts:v0.6.3-pmk-3299438
    image: docker.io/platform9/whereabouts:v0.6.3-pmk-3299438

root@test-pf9-qbert-bare-os-u20-3309216-470-1:~# kubectl get pod -n hostplumber hostplumber-controller-manager-2bvwp -oyaml | grep -i image:
    image: quay.io/brancz/kube-rbac-proxy:v0.18.0
    image: docker.io/platform9/hostplumber:v0.5.6
    image: quay.io/brancz/kube-rbac-proxy:v0.18.0
    image: docker.io/platform9/hostplumber:v0.5.6

root@test-pf9-qbert-bare-os-u20-3309216-470-1:~# kubectl get pods -A | grep -i plumber
hostplumber            hostplumber-controller-manager-2bvwp        2/2     Running   0          19h
hostplumber            hostplumber-controller-manager-ftgqd        2/2     Running   0          19h
hostplumber            hostplumber-controller-manager-hch5n        2/2     Running   0          19h
hostplumber            hostplumber-controller-manager-jzw5c        2/2     Running   0          19h


root@test-pf9-qbert-bare-os-u20-3309216-470-1:~# kubectl get pods -A | grep -i luigi
luigi-system           cert-manager-9dfd8cdc6-pflwh                1/1     Running   0          20h
luigi-system           cert-manager-cainjector-cc668794-mz6fd      1/1     Running   0          20h
luigi-system           cert-manager-webhook-68447b9c99-pxqn4       1/1     Running   0          20h
luigi-system           luigi-controller-manager-6665fbdbdc-rjjh2   2/2     Running   0          20h
luigi-system           whereabouts-22gm9                           1/1     Running   0          20h
luigi-system           whereabouts-46779                           1/1     Running   0          20h
luigi-system           whereabouts-fbxl6                           1/1     Running   0          20h
luigi-system           whereabouts-pz6x5                           1/1     Running   0          20h
luigi-system           whereabouts-rxqsm                           1/1     Running   0          20h


root@test-pf9-qbert-bare-os-u20-3309216-470-1:~# nmap --script ssl-enum-ciphers -p 8443 localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2024-07-14 16:33 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000098s latency).

PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.38 seconds
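As an added example (not code from this PR or from kube-rbac-proxy itself), the Go program below builds the crypto/tls equivalent of the two flags and runs three in-process client probes against it, reproducing what the nmap scan above reports: a TLS 1.1 client and a CBC suite outside the allowlist are refused, while an allowed GCM suite completes the handshake. The probe names, the throwaway self-signed certificate and the net.Pipe transport are this example's own assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ServerConfig mirrors the PR's --tls-min-version=VersionTLS12 and --tls-cipher-suites flags in crypto/tls, on a throwaway self-signed RSA certificate generated here.
func ServerConfig() *tls.Config {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "localhost"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
	}
}

// Probes are the client behaviours a scanner tries: a downgraded protocol version, a CBC suite outside the allowlist, and an allowed GCM suite (names are this example's own).
var Probes = map[string]*tls.Config{
	"tls1.1":     {MinVersion: tls.VersionTLS11, MaxVersion: tls.VersionTLS11},
	"tls1.2-cbc": {MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12, CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}},
	"tls1.2-gcm": {MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12, CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}},
}

// Handshakes runs every probe against ServerConfig over an in-memory pipe and reports which handshakes completed, much as nmap's ssl-enum-ciphers does over TCP.
func Handshakes() map[string]bool {
	srv := ServerConfig()
	out := map[string]bool{}
	for name, cc := range Probes {
		cc.InsecureSkipVerify = true // the server presents a self-signed test cert
		sc, cl := net.Pipe()
		go func() { tls.Server(sc, srv).Handshake(); sc.Close() }()
		err := tls.Client(cl, cc).Handshake()
		cl.Close()
		out[name] = err == nil
	}
	return out
}

func main() { fmt.Println(Handshakes()) } // prints map[tls1.1:false tls1.2-cbc:false tls1.2-gcm:true]
```

A refused probe surfaces as a handshake error on the client side (protocol_version or handshake_failure alert from the server), which is the same signal ssl-enum-ciphers uses to omit a version or suite from its report.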
