Enabling TLS security profiles for the kubelet

    A TLS security profile defines the TLS ciphers that the Kubernetes API server must use when connecting with the kubelet to protect communication between the kubelet and the Kubernetes API server.

    You can use a TLS (Transport Layer Security) security profile to define which TLS ciphers are required by various OKD components. The OKD TLS security profiles are based on .

    You can specify one of the following TLS security profiles for each component:

    Table 1. TLS security profiles
    ProfileDescription

    This profile is intended for use with legacy clients or libraries. The profile is based on the Old backward compatibility recommended configuration.

    The Old profile requires a minimum TLS version of 1.0.

    Intermediate

    This profile is the recommended configuration for the majority of clients. It is the default TLS security profile for the Ingress Controller, kubelet, and control plane. The profile is based on the recommended configuration.

    The Intermediate profile requires a minimum TLS version of 1.2.

    This profile is intended for use with modern clients that have no need for backwards compatibility. This profile is based on the Modern compatibility recommended configuration.

    The Modern profile requires a minimum TLS version of 1.3.

    Custom

    This profile allows you to define the TLS version and ciphers to use.

    Use caution when using a Custom profile, because invalid configurations can cause problems.

    Configuring the TLS security profile for the kubelet

    To configure a TLS security profile for the kubelet when it is acting as an HTTP server, create a KubeletConfig custom resource (CR) to specify a predefined or custom TLS security profile for specific nodes. If a TLS security profile is not configured, the default TLS security profile is Intermediate.

    Sample KubeletConfig CR that configures the Old TLS security profile on worker nodes

    You can see the ciphers and the minimum TLS version of the configured TLS security profile in the kubelet.conf file on a configured node.

    Prerequisites

    • You have access to the cluster as a user with the cluster-admin role.

    Procedure

    1. Sample KubeletConfig CR for a profile

      1. apiVersion: machineconfiguration.openshift.io/v1
      2. kind: KubeletConfig
      3. metadata:
      4. name: set-kubelet-tls-security-profile
      5. spec:
      6. type: Custom (1)
      7. custom: (2)
      8. ciphers: (3)
      9. - ECDHE-ECDSA-CHACHA20-POLY1305
      10. - ECDHE-RSA-CHACHA20-POLY1305
      11. - ECDHE-RSA-AES128-GCM-SHA256
      12. - ECDHE-ECDSA-AES128-GCM-SHA256
      13. minTLSVersion: VersionTLS11
      14. machineConfigPoolSelector:
      15. pools.operator.machineconfiguration.openshift.io/worker: "" (4)
      1Specify the TLS security profile type (Old, Intermediate, or Custom). The default is Intermediate.
      2Specify the appropriate field for the selected type:
      • old: {}

      • intermediate: {}

      • custom:

      3For the custom type, specify a list of TLS ciphers and minimum accepted TLS version.
      4Optional: Specify the machine config pool label for the nodes you want to apply the TLS security profile.
    2. Create the KubeletConfig object:

      Depending on the number of worker nodes in the cluster, wait for the configured nodes to be rebooted one by one.

    Verification

    To verify that the profile is set, perform the following steps after the nodes are in the Ready state:

    1. Start a debug session for a configured node:

      1. $ oc debug node/<node_name>
    2. Set /host as the root directory within the debug shell:

    3. View the kubelet.conf file: