Add TLS min version flag #58528
Add TLS min version flag #58528
Conversation
k8s-ci-robot
added
sig/node
cmd/kubelet/app/options/options.go
Outdated
| fs.StringVar(&c.TLSMinVersion, "tls-min-version", c.TLSMinVersion, | ||
| "Minimum TLS version supported. "+ | ||
| "Value must match version names from https://golang.org/pkg/crypto/tls/#pkg-constants. "+ | ||
| "If omitted, the default Go cipher suites will be used") |
There was a problem hiding this comment.
don't promise a default... we want the freedom to change this as needed
cmd/kubelet/app/server.go
Outdated
| // Can't use TLSv1.1 because of RC4 cipher usage | ||
| minTLSVersion := uint16(tls.VersionTLS12) | ||
| if len(kc.TLSMinVersion) > 0 { | ||
| minTLSVersion, err = flag.TLSCipherSuite(kc.TLSMinVersion) |
There was a problem hiding this comment.
this isn't a cipher suite, it's a TLS version... need a new TLSVersion func
| } | ||
| ciphersIntSlice = append(ciphersIntSlice, intValue) | ||
| } | ||
| return ciphersIntSlice, nil | ||
| } | ||
|
|
||
| func TLSCipherSuite(cipherName string) (uint16, error) { |
There was a problem hiding this comment.
this should be TLSVersion(tlsVersion string) (uint16, error) that deals with these constants:
VersionSSL30 = 0x0300
VersionTLS10 = 0x0301
VersionTLS11 = 0x0302
VersionTLS12 = 0x0303
|
Ah, the second magic block in openshift crypto. |
deads2k
force-pushed
the
kubelet-02-mincipher
branch
from
b00d80a to
c01ff0e
Compare
|
fixed |
| @@ -62,3 +62,26 @@ func TLSCipherSuites(cipherNames []string) ([]uint16, error) { | |||
| } | |||
| return ciphersIntSlice, nil | |||
| } | |||
|
|
|||
| var versions = map[string]uint16{ | |||
There was a problem hiding this comment.
update TestConstantMaps to keep this in sync
|
nit on test, LGTM otherwise. can clean up flag help (listing valid values) in followup along with the valid values for ciphers |
|
and needs a release note |
deads2k
force-pushed
the
kubelet-02-mincipher
branch
2 times, most recently
from
740c4b0 to
11b7980
Compare
k8s-ci-robot
added
release-note
deads2k
force-pushed
the
kubelet-02-mincipher
branch
from
11b7980 to
4ce7bcc
Compare
|
test and release note added. |
|
/retest |
k8s-ci-robot
added
the
lgtm
|
/approve no-issue |
|
kubelet changes LGTM /approve no-issue |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, derekwaynecarr, liggitt Associated issue requirement bypassed by: deads2k, derekwaynecarr The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-ci-robot
added
the
approved
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
/retest |
2 similar comments
|
/retest |
|
/retest |
|
/retest Review the full test history for this PR. Silence the bot with an |
|
Automatic merge from submit-queue (batch tested with PRs 58547, 57228, 58528, 58499, 58618). If you want to cherry-pick this change to another branch, please follow the instructions here. |
Adds a flag for controlling the minimum TLS level allowed.
/assign liggitt
@kubernetes/sig-node-pr-reviews @k8s-mirror-api-machinery-pr-reviews