Enabling TLS security profiles for the kubelet

You can use a TLS (Transport Layer Security) security profile to define which TLS ciphers are required by the kubelet when it is acting as an HTTP server. The kubelet uses its HTTP/GRPC server to communicate with the Kubernetes API server, which sends commands to pods, gathers logs, and run exec commands on pods through the kubelet.

A TLS security profile defines the TLS ciphers that the Kubernetes API server must use when connecting with the kubelet to protect communication between the kubelet and the Kubernetes API server.

By default, when the kubelet acts as a client with the Kubernetes API server, it automatically negotiates the TLS parameters with the API server.

Understanding TLS security profiles

You can use a TLS (Transport Layer Security) security profile to define which TLS ciphers are required by various OKD components. The OKD TLS security profiles are based on Mozilla recommended configurations.

You can specify one of the following TLS security profiles for each component:

Table 1. TLS security profiles
ProfileDescription

Old

This profile is intended for use with legacy clients or libraries. The profile is based on the Old backward compatibility recommended configuration.

The Old profile requires a minimum TLS version of 1.0.

For the Ingress Controller, the minimum TLS version is converted from 1.0 to 1.1.

Intermediate

This profile is the recommended configuration for the majority of clients. It is the default TLS security profile for the Ingress Controller, kubelet, and control plane. The profile is based on the Intermediate compatibility recommended configuration.

The Intermediate profile requires a minimum TLS version of 1.2.

Modern

This profile is intended for use with modern clients that have no need for backwards compatibility. This profile is based on the Modern compatibility recommended configuration.

The Modern profile requires a minimum TLS version of 1.3.

In OKD 4.6, 4.7, and 4.8, the Modern profile is unsupported. If selected, the Intermediate profile is enabled.

The Modern profile is currently not supported.

Custom

This profile allows you to define the TLS version and ciphers to use.

Use caution when using a Custom profile, because invalid configurations can cause problems.

OKD router enables Red Hat-distributed OpenSSL default set of TLS 1.3 cipher suites. Your cluster might accept TLS 1.3 connections and cipher suites, even though TLS 1.3 is unsupported in OKD 4.6, 4.7, and 4.8.

When using one of the predefined profile types, the effective profile configuration is subject to change between releases. For example, given a specification to use the Intermediate profile deployed on release X.Y.Z, an upgrade to release X.Y.Z+1 might cause a new profile configuration to be applied, resulting in a rollout.

Configuring the TLS security profile for the kubelet

To configure a TLS security profile for the kubelet when it is acting as an HTTP server, create a KubeletConfig custom resource (CR) to specify a predefined or custom TLS security profile for specific nodes. If a TLS security profile is not configured, the default TLS security profile is Intermediate.

Sample KubeletConfig CR that configures the Old TLS security profile on worker nodes

  1. apiVersion: config.openshift.io/v1
  2. kind: KubeletConfig
  3. ...
  4. spec:
  5. tlsSecurityProfile:
  6. old: {}
  7. type: Old
  8. machineConfigPoolSelector:
  9. matchLabels:
  10. pools.operator.machineconfiguration.openshift.io/worker: ""

You can see the ciphers and the minimum TLS version of the configured TLS security profile in the kubelet.conf file on a configured node.

The kubelet does not support TLS 1.3 and because the Modern profile requires TLS 1.3, it is not supported. The kubelet converts the Modern profile to Intermediate.

The kubelet also converts the TLS 1.0 of an Old or Custom profile to 1.1, and TLS 1.3 of a Custom profile to 1.2.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create a KubeletConfig CR to configure the TLS security profile:

    Sample KubeletConfig CR for a Custom profile

    1. apiVersion: machineconfiguration.openshift.io/v1
    2. kind: KubeletConfig
    3. metadata:
    4. name: set-kubelet-tls-security-profile
    5. spec:
    6. tlsSecurityProfile:
    7. type: Custom (1)
    8. custom: (2)
    9. ciphers: (3)
    10. - ECDHE-ECDSA-CHACHA20-POLY1305
    11. - ECDHE-RSA-CHACHA20-POLY1305
    12. - ECDHE-RSA-AES128-GCM-SHA256
    13. - ECDHE-ECDSA-AES128-GCM-SHA256
    14. minTLSVersion: VersionTLS11
    15. machineConfigPoolSelector:
    16. matchLabels:
    17. pools.operator.machineconfiguration.openshift.io/worker: "" (4)
    1Specify the TLS security profile type (Old, Intermediate, or Custom). The default is Intermediate.
    2Specify the appropriate field for the selected type:
    • old: {}

    • intermediate: {}

    • custom:

    3For the custom type, specify a list of TLS ciphers and minimum accepted TLS version.
    4Optional: Specify the machine config pool label for the nodes you want to apply the TLS security profile.
  2. Create the KubeletConfig object:

    1. $ oc create -f <filename>

    Depending on the number of worker nodes in the cluster, wait for the configured nodes to be rebooted one by one.

Verification

To verify that the profile is set, perform the following steps after the nodes are in the Ready state:

  1. Start a debug session for a configured node:

    1. $ oc debug node/<node_name>
  2. Set /host as the root directory within the debug shell:

    1. sh-4.4# chroot /host
  3. View the kubelet.conf file:

    1. sh-4.4# cat /etc/kubernetes/kubelet.conf

    Example output

    1. kind: KubeletConfiguration
    2. apiVersion: kubelet.config.k8s.io/v1beta1
    3. ...
    4. "tlsCipherSuites": [
    5. "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    6. "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    7. "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    8. "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    9. "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    10. "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
    11. ],
    12. "tlsMinVersion": "VersionTLS12",