Reference: https://www.ibm.com/docs/ru/cloud-private/3.1.2?topic=installation-specifying-tls-ciphers-etcd-kubernetes
Problem: a vulnerability scan of the k8s cluster reported an "SSL/TLS protocol information disclosure" finding (the components still offer the 64-bit block cipher 3DES, which is vulnerable to SWEET32).
Solution: explicitly specify the cipher suites of each component, restricting them to the allowlist below.
kube-controller-manager
Verifying the finding (port 10257 is the controller-manager's secure port):
[root@node-2 ~]# nmap -sV -p 10257 --script ssl-enum-ciphers 10.1.69.125|grep -E 'DEA|DES'
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
Edit the startup unit /etc/systemd/system/kube-controller-manager.service and add the following flag to the ExecStart command line:
--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Restart the service: systemctl daemon-reload && systemctl restart kube-controller-manager.service, then re-run the nmap check above; the grep should print nothing.
etcd
Edit the startup unit /etc/systemd/system/etcd.service and add the following flag (note that etcd's flag is --cipher-suites, not --tls-cipher-suites):
--cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Restart the service: systemctl daemon-reload && systemctl restart etcd.service
kube-apiserver
Edit the startup unit /etc/systemd/system/kube-apiserver.service and add the following flag to the ExecStart command line:
--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Restart the service: systemctl daemon-reload && systemctl restart kube-apiserver.service
kubelet
Verifying the finding (port 10250 is the kubelet's API port):
[root@node-2 ~]# nmap -sV -p 10250 --script ssl-enum-ciphers 10.1.69.125|grep -E 'DEA|DES'
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
Edit the startup unit /etc/systemd/system/kubelet.service and add the following flag to the ExecStart command line:
--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Restart the service: systemctl daemon-reload && systemctl restart kubelet.service, then re-run the nmap check above; the grep should print nothing.
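As an added example (not part of the original note), the following POSIX shell script checks both sides of the fix described above: it parses nmap ssl-enum-ciphers output for any suite outside the note's two-suite allowlist, and it checks that a systemd unit's cipher flag (--tls-cipher-suites or --cipher-suites) is present and lists only allowed suites. The nmap output and unit fragment are constructed samples.

```shell
# Added example (not from the original note): audit a port's offered cipher
# suites (nmap ssl-enum-ciphers output) and a systemd unit's cipher flag
# against the two ECDHE AES-GCM suites the note allows.
ALLOWED='TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'

# Constructed nmap output for a port that still offers 3DES, modelled on the note's finding.
SAMPLE_NMAP='| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C'

# Constructed unit fragment, mirroring the note's kube-controller-manager change.
SAMPLE_UNIT='[Service]
ExecStart=/usr/local/bin/kube-controller-manager \
  --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'

# is_allowed SUITE: 0 if SUITE is on the allowlist, 1 otherwise
is_allowed() {
    for s in $ALLOWED; do [ "$s" = "$1" ] && return 0; done
    return 1
}

# weak_suites TEXT: print every TLS_* suite named in TEXT that is not allowed
weak_suites() {
    printf '%s\n' "$1" | grep -oE 'TLS_[A-Z0-9_]+' | sort -u | while read -r suite; do
        is_allowed "$suite" || printf '%s\n' "$suite"
    done
}

# port_clean TEXT: 0 when the scan offers no weak suite, 1 otherwise
port_clean() {
    [ -z "$(weak_suites "$1")" ]
}

# unit_clean TEXT FLAG: 0 when FLAG (e.g. --tls-cipher-suites) is present in TEXT
# and lists only allowed suites; 1 when the flag is missing or names a weak suite
unit_clean() {
    value=$(printf '%s\n' "$1" | grep -oE -- "$2=[A-Za-z0-9_,]+" | head -n1 | cut -d= -f2)
    [ -n "$value" ] || return 1
    for suite in $(printf '%s\n' "$value" | tr ',' ' '); do
        is_allowed "$suite" || return 1
    done
}

port_clean "$SAMPLE_NMAP" || echo "weak suites offered: $(weak_suites "$SAMPLE_NMAP" | tr '\n' ' ')"
unit_clean "$SAMPLE_UNIT" --tls-cipher-suites && echo "unit restricts suites to the allowlist"
```

On a real host, feed the functions live data, e.g. port_clean "$(nmap -sV -p 10257 --script ssl-enum-ciphers HOST)" and unit_clean "$(cat /etc/systemd/system/etcd.service)" --cipher-suites.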