12.2. 查看 TLS 安全配置集详情
您可以查看以下组件的预定义 TLS 安全配置集的最小 TLS 版本和密码:Ingress Controller、control plane 和 kubelet。
重要
最低 TLS 版本和配置集密码列表的有效配置可能因组件而异。
流程
查看特定 TLS 安全配置集的详情:
$ oc explain <component>.spec.tlsSecurityProfile.<profile> 1- 1
- 对于
<component>,指定ingresscontroller、apiserver或kubeletconfig。对于<profile>,指定old、intermediate或custom。
例如,检查 control plane 的
intermediate配置集中包含的密码:$ oc explain apiserver.spec.tlsSecurityProfile.intermediate
输出示例
KIND: APIServer VERSION: config.openshift.io/v1 DESCRIPTION: intermediate is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 and looks like this (yaml): ciphers: - TLS_AES_128_GCM_SHA256 - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 minTLSVersion: TLSv1.2查看组件的
tlsSecurityProfile字段的所有详情:$ oc explain <component>.spec.tlsSecurityProfile 1- 1
- 对于
<component>,指定ingresscontroller、apiserver或kubeletconfig。
例如,检查 Ingress Controller 的
tlsSecurityProfile字段的所有详情:$ oc explain ingresscontroller.spec.tlsSecurityProfile
输出示例
KIND: IngressController VERSION: operator.openshift.io/v1 RESOURCE: tlsSecurityProfile <Object> DESCRIPTION: ... FIELDS: custom <> custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this: ciphers: - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 - ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 minTLSVersion: TLSv1.1 intermediate <> intermediate is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 and looks like this (yaml): ... 1 modern <> modern is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility and looks like this (yaml): ... 2 NOTE: Currently unsupported. old <> old is a TLS security profile based on: https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility and looks like this (yaml): ... 3 type <string> ...
