9.2. Configuring TLS security profiles
Use transport layer security (TLS) protocols to help prevent known insecure protocols, ciphers, or algorithms from accessing the applications you run on MicroShift.
9.2.1. Using TLS with MicroShift
Transport layer security (TLS) profiles provide a way for servers to regulate which ciphers a client can use when connecting to the server. Using TLS helps to ensure that MicroShift applications use cryptographic libraries that do not allow known insecure protocols, ciphers, or algorithms. You can use either the TLS 1.2 or TLS 1.3 security profiles with MicroShift.
MicroShift API server cipher suites apply automatically to the following internal control plane components:
- API server
- Kubelet
- Kube controller manager
- Kube scheduler
- etcd
- Route controller manager
The API server uses the configured minimum TLS version and the associated cipher suites. If you leave the cipher suites parameter empty, the defaults for the configured minimum version are used automatically.
Default cipher suites for TLS 1.2
The following list specifies the default cipher suites for TLS 1.2:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Default cipher suites for TLS 1.3
The following list specifies the default cipher suites for TLS 1.3:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
9.2.2. Configuring TLS for MicroShift
You can choose to use either the TLS 1.2 or TLS 1.3 security profiles with MicroShift for system hardening.
Prerequisites
- You have access to the node as a root user.
- MicroShift has either not started for the first time, or is stopped.
- The OpenShift CLI (oc) is installed.
- The certificate authority has issued the custom certificates (CAs).
Procedure
- Make a copy of the provided config.yaml.default file in the /etc/microshift/ directory, renaming it config.yaml. Keep the new MicroShift config.yaml in the /etc/microshift/ directory. Your config.yaml file is read every time the MicroShift service starts.
  Note: After you create it, the config.yaml file takes precedence over built-in settings.
- Optional: Use a configuration snippet if you are using an existing MicroShift YAML. See "Using configuration snippets" in the Additional resources section for more information.
- Replace the default values in the tls section of the MicroShift YAML with your valid values.
  Example TLS 1.2 configuration
  apiServer:
    # ...
    tls:
      cipherSuites:        # 1
        - <cipher_suite_1> # 2
        - ...
      minVersion: VersionTLS12 # 3
    # ...
  1 Defaults to the suites of the configured minVersion. If minVersion is not configured, the default value is TLS 1.2.
  2 Specify the cipher suites you want to use from the list of supported cipher suites. If you do not configure this list, all of the supported cipher suites are used. All clients connecting to the API server must support the configured cipher suites or the connections fail during the TLS handshake phase. Be sure to add the CA certificate bundle to the list of CA certificates that the TLS client or server trusts.
  3 Specify VersionTLS12 or VersionTLS13.
  Important: When you choose TLS 1.3 as the minimum TLS version, only the default MicroShift cipher suites can be used. Additional cipher suites are not configurable. If other cipher suites to use with TLS 1.3 are configured, those suites are ignored and overwritten by the MicroShift defaults.
- Complete any other additional configurations that you require, then restart MicroShift by running the following command:
  $ sudo systemctl restart microshift
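The rules this procedure describes (an empty cipherSuites list falls back to the defaults of the configured minVersion, TLS 1.3 ignores any configured suites, and a client that shares no suite with the server fails the handshake) are modelled below in Go, as an added example that is not part of the MicroShift documentation or code base. The TLSSettings type and the functions EffectiveSuites, BuildTLSConfig and CanHandshake are hypothetical names for this example; the two default suite lists are copied from this page, and Go's crypto/tls registry is used to reject suite names it does not know or classifies as insecure.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Default cipher suites documented for MicroShift (copied from this page).
var defaultSuitesTLS12 = []string{
	"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

var defaultSuitesTLS13 = []string{
	"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
}

// TLSSettings mirrors the apiServer.tls block of config.yaml. It is a
// hypothetical type for this example, not MicroShift's own config struct.
type TLSSettings struct {
	MinVersion   string   // "VersionTLS12" or "VersionTLS13"; empty means TLS 1.2
	CipherSuites []string // optional for TLS 1.2; ignored for TLS 1.3
}

// EffectiveSuites returns the suite names the server would actually offer:
// an empty list falls back to the defaults of the minimum version, TLS 1.3
// always uses its fixed defaults, and a name Go does not know or classifies
// as insecure is an error rather than a silent fallback.
func EffectiveSuites(s TLSSettings) ([]string, error) {
	switch s.MinVersion {
	case "VersionTLS13":
		return append([]string(nil), defaultSuitesTLS13...), nil
	case "", "VersionTLS12":
		if len(s.CipherSuites) == 0 {
			return append([]string(nil), defaultSuitesTLS12...), nil
		}
	default:
		return nil, fmt.Errorf("unsupported minVersion %q", s.MinVersion)
	}
	known := make(map[string]bool) // name -> considered secure by crypto/tls
	for _, cs := range tls.CipherSuites() {
		known[cs.Name] = true
	}
	for _, cs := range tls.InsecureCipherSuites() {
		known[cs.Name] = false
	}
	for _, n := range s.CipherSuites {
		secure, ok := known[n]
		if !ok {
			return nil, fmt.Errorf("unknown cipher suite %s", n)
		}
		if !secure {
			return nil, fmt.Errorf("cipher suite %s is insecure", n)
		}
	}
	return append([]string(nil), s.CipherSuites...), nil
}

// BuildTLSConfig turns the settings into a crypto/tls server config. TLS 1.3
// suites are not configurable in crypto/tls either, so only TLS 1.2 suite IDs
// are set and TLS 1.3 names in the default list are left to the library.
func BuildTLSConfig(s TLSSettings) (*tls.Config, error) {
	names, err := EffectiveSuites(s)
	if err != nil {
		return nil, err
	}
	if s.MinVersion == "VersionTLS13" {
		return &tls.Config{MinVersion: tls.VersionTLS13}, nil
	}
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	byName := make(map[string]*tls.CipherSuite)
	for _, cs := range tls.CipherSuites() {
		byName[cs.Name] = cs
	}
	for _, n := range names {
		if cs := byName[n]; cs != nil && cs.SupportedVersions[0] != tls.VersionTLS13 {
			cfg.CipherSuites = append(cfg.CipherSuites, cs.ID)
		}
	}
	return cfg, nil
}

// CanHandshake reports whether a client offering clientSuites shares at least
// one suite with the server's effective list; with none in common the TLS
// handshake fails, which is the caveat for callout 2 above.
func CanHandshake(server TLSSettings, clientSuites []string) (bool, error) {
	names, err := EffectiveSuites(server)
	if err != nil {
		return false, err
	}
	offered := make(map[string]bool, len(names))
	for _, n := range names {
		offered[n] = true
	}
	for _, c := range clientSuites {
		if offered[c] {
			return true, nil
		}
	}
	return false, nil
}
```

Feeding a minVersion of VersionTLS13 together with a cipherSuites list returns only the three TLS 1.3 defaults, matching the Important note; restricting TLS 1.2 to a single ECDHE suite and then checking a client that only offers a different suite shows the handshake failure that a narrow list can cause for older clients.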
9.2.2.1. Default cipher suites
Default cipher suites are included with MicroShift for both TLS 1.2 and TLS 1.3. The cipher suites for TLS 1.3 cannot be customized.
Default cipher suites for TLS 1.2
The following list specifies the default cipher suites for TLS 1.2:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Default cipher suites for TLS 1.3
The following list specifies the default cipher suites for TLS 1.3:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256