From 4c4ce79e7e56123d78fc3cd410455c1fa89df2fa Mon Sep 17 00:00:00 2001
From: Miguel Caballer
Date: Fri, 21 Jul 2023 13:05:56 +0200
Subject: [PATCH 1/5] Set cipher suites

---
 defaults/main.yml | 2 ++
 templates/kubeadm-config.j2 | 10 ++++++++++
 2 files changed, 12 insertions(+)

diff --git a/defaults/main.yml b/defaults/main.yml
index 561b3768..13ec9924 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -20,6 +20,8 @@ kube_network: flannel
 kubelet_extra_args: ''
 # Kube API server options
 kube_apiserver_options: []
+# Kubernetes TLS cipher suites
+kube_tls_cipher_suites: 'TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384'
 # CRI runtime
 kube_cri_runtime: docker # docker, containerd or crio
 # Flag to set HELM to be installed
diff --git a/templates/kubeadm-config.j2 b/templates/kubeadm-config.j2
index a1b38835..9a6d546e 100644
--- a/templates/kubeadm-config.j2
+++ b/templates/kubeadm-config.j2
@@ -7,9 +7,18 @@ apiVersion: kubeadm.k8s.io/v1beta3
 {% endif %}
 networking:
 podSubnet: "{{kube_pod_network_cidr}}" # --pod-network-cidr
+{% if IM_NODE_PRIVATE_IP is defined %}
+etcd:
+ local:
+ extraArgs:
+ advertise-client-urls: "https://{{ IM_NODE_PRIVATE_IP }}:2379"
+ listen-client-urls: "https://127.0.0.1:2379,https://{{ IM_NODE_PRIVATE_IP }}:2379"
+ listen-peer-urls: "https://{{ IM_NODE_PRIVATE_IP }}:2380"
+{% endif %}
 apiServer:
 extraArgs:
 advertise-address: "{{kube_api_server}}" # --apiserver-advertise-address
+ tls-cipher-suites: "{{kube_tls_cipher_suites}}"
 {% if IM_NODE_PUBLIC_IP is defined %}
 certSANs:
 - "{{ IM_NODE_PUBLIC_IP }}"
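Review bot: The default value of `kube_tls_cipher_suites` in defaults/main.yml ends with `TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384`, which use static RSA key exchange and so give no forward secrecy: anyone who later obtains the API server's private key can decrypt recorded sessions. Every ECDHE counterpart is already in the list, so I would drop those two entries and let the value end at `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`. I would also record the intent above the variable, e.g. `# AEAD, forward-secret suites only; the TLS 1.3 names are listed for completeness but (as far as I know) Go does not let them be restricted`, so a future edit does not reintroduce CBC or static-RSA suites.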
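Review bot: Only `apiServer.extraArgs` receives `tls-cipher-suites`; kube-controller-manager and kube-scheduler also serve HTTPS and take the same flag via `controllerManager.extraArgs` and `scheduler.extraArgs` in the kubeadm ClusterConfiguration, so unless those sections already exist elsewhere in the template they keep the Go defaults. While in `apiServer.extraArgs` I would also pin `tls-min-version: VersionTLS12`, so the floor is explicit rather than a side effect of every listed suite being a TLS 1.2+ AEAD. The apiServer mapping runs past the end of the hunk (the certSANs `{% if %}` block is still open), so the two new sections belong after its `{% endif %}` and should be merged with any controllerManager/scheduler keys the template may already define rather than duplicated.
```jinja
apiServer:
  extraArgs:
    advertise-address: "{{kube_api_server}}" # --apiserver-advertise-address
    tls-cipher-suites: "{{kube_tls_cipher_suites}}"
    tls-min-version: VersionTLS12
{# … unchanged: certSANs block under apiServer … #}
controllerManager:
  extraArgs:
    tls-cipher-suites: "{{kube_tls_cipher_suites}}"
    tls-min-version: VersionTLS12
scheduler:
  extraArgs:
    tls-cipher-suites: "{{kube_tls_cipher_suites}}"
    tls-min-version: VersionTLS12
```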
@@ -30,6 +39,7 @@ controlPlaneEndpoint: "{{kube_api_server}}:6443"
 kind: KubeletConfiguration
 apiVersion: kubelet.config.k8s.io/v1beta1
 cgroupDriver: systemd
+TLSCipherSuites: "{{kube_tls_cipher_suites | split(',')}}"
 ---
 kind: InitConfiguration
 {% if kube_version is version_compare('1.22.0', '<') %}
From 2956fb116816eff37c39a03ae28e6675fe018950 Mon Sep 17 00:00:00 2001
From: Miguel Caballer
Date: Fri, 21 Jul 2023 13:08:33 +0200
Subject: [PATCH 2/5] Set cipher suites

---
 templates/kubeadm-config.j2 | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/templates/kubeadm-config.j2 b/templates/kubeadm-config.j2
index 9a6d546e..720f8fba 100644
--- a/templates/kubeadm-config.j2
+++ b/templates/kubeadm-config.j2
@@ -7,14 +7,15 @@ apiVersion: kubeadm.k8s.io/v1beta3
 {% endif %}
 networking:
 podSubnet: "{{kube_pod_network_cidr}}" # --pod-network-cidr
-{% if IM_NODE_PRIVATE_IP is defined %}
 etcd:
 local:
 extraArgs:
+ cipher-suites: "{{kube_tls_cipher_suites}}"
+ {% if IM_NODE_PRIVATE_IP is defined %}
 advertise-client-urls: "https://{{ IM_NODE_PRIVATE_IP }}:2379"
 listen-client-urls: "https://127.0.0.1:2379,https://{{ IM_NODE_PRIVATE_IP }}:2379"
 listen-peer-urls: "https://{{ IM_NODE_PRIVATE_IP }}:2380"
-{% endif %}
+ {% endif %}
 apiServer:
 extraArgs:
 advertise-address: "{{kube_api_server}}" # --apiserver-advertise-address
From 63c9592fd8a163a15ffa71d21319d2e6fee9bc6a Mon Sep 17 00:00:00 2001
From: Miguel Caballer
Date: Fri, 21 Jul 2023 13:16:25 +0200
Subject: [PATCH 3/5] fix split

---
 templates/kubeadm-config.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/kubeadm-config.j2 b/templates/kubeadm-config.j2
index 720f8fba..cb6eb646 100644
--- a/templates/kubeadm-config.j2
+++ b/templates/kubeadm-config.j2
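Review bot: The KubeletConfiguration gains `TLSCipherSuites` but no `tlsMinVersion`, so the kubelet's serving endpoint keeps whatever floor the Go runtime defaults to; the cipher list only restricts it implicitly, because every listed suite needs TLS 1.2 or later. I would add `tlsMinVersion: VersionTLS12` directly after the cipher line to make the policy explicit and symmetric with the API server. The `KubeletConfiguration` document starts before this hunk, so I cannot see whether other TLS settings are already set there.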
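Review bot: `cipher-suites` is now passed to etcd unconditionally with the full list, including the three TLS 1.3 names (`TLS_AES_128_GCM_SHA256`, `TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256`); whether etcd's `--cipher-suites` parser accepts those names depends on the etcd release and the Go it was built with, and I am not confident the etcd 3.4 line that accompanies the pre-1.22 kube versions this template still branches on (`kube_version is version_compare('1.22.0', '<')`) does. An unrecognised suite name presumably stops etcd at startup, so this deserves a `kubeadm init` on the oldest supported `kube_version` before merging. A one-line comment above the key, `# must only contain names this etcd version's --cipher-suites accepts`, would record the constraint for the next person who edits the list.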
@@ -40,7 +40,7 @@ controlPlaneEndpoint: "{{kube_api_server}}:6443"
 kind: KubeletConfiguration
 apiVersion: kubelet.config.k8s.io/v1beta1
 cgroupDriver: systemd
-TLSCipherSuites: "{{kube_tls_cipher_suites | split(',')}}"
+TLSCipherSuites: "{{kube_tls_cipher_suites.split(',')}}"
 ---
 kind: InitConfiguration
 {% if kube_version is version_compare('1.22.0', '<') %}
From 7a161115f34f5aaab4adc0c7ff1270e275299cae Mon Sep 17 00:00:00 2001
From: Miguel Caballer
Date: Fri, 21 Jul 2023 13:28:57 +0200
Subject: [PATCH 4/5] fix tlsCipherSuites

---
 templates/kubeadm-config.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/kubeadm-config.j2 b/templates/kubeadm-config.j2
index cb6eb646..499ef14e 100644
--- a/templates/kubeadm-config.j2
+++ b/templates/kubeadm-config.j2
@@ -40,7 +40,7 @@ controlPlaneEndpoint: "{{kube_api_server}}:6443"
 kind: KubeletConfiguration
 apiVersion: kubelet.config.k8s.io/v1beta1
 cgroupDriver: systemd
-TLSCipherSuites: "{{kube_tls_cipher_suites.split(',')}}"
+tlsCipherSuites: "{{kube_tls_cipher_suites.split(',')}}"
 ---
 kind: InitConfiguration
 {% if kube_version is version_compare('1.22.0', '<') %}
From 0c6dfe732d10daa3196c8555fb5cc383cf2ef17e Mon Sep 17 00:00:00 2001
From: Miguel Caballer
Date: Fri, 21 Jul 2023 13:35:07 +0200
Subject: [PATCH 5/5] fix tlsCipherSuites

---
 templates/kubeadm-config.j2 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/templates/kubeadm-config.j2 b/templates/kubeadm-config.j2
index 499ef14e..39a36143 100644
--- a/templates/kubeadm-config.j2
+++ b/templates/kubeadm-config.j2
@@ -11,11 +11,11 @@ etcd:
 local:
 extraArgs:
 cipher-suites: "{{kube_tls_cipher_suites}}"
- {% if IM_NODE_PRIVATE_IP is defined %}
+{% if IM_NODE_PRIVATE_IP is defined %}
 advertise-client-urls: "https://{{ IM_NODE_PRIVATE_IP }}:2379"
 listen-client-urls: "https://127.0.0.1:2379,https://{{ IM_NODE_PRIVATE_IP }}:2379"
 listen-peer-urls: "https://{{ IM_NODE_PRIVATE_IP }}:2380"
- {% endif %}
+{% endif %}
 apiServer:
 extraArgs:
 advertise-address: "{{kube_api_server}}" # --apiserver-advertise-address
@@ -40,7 +40,7 @@ controlPlaneEndpoint: "{{kube_api_server}}:6443"
 kind: KubeletConfiguration
 apiVersion: kubelet.config.k8s.io/v1beta1
 cgroupDriver: systemd
-tlsCipherSuites: "{{kube_tls_cipher_suites.split(',')}}"
+tlsCipherSuites: {{kube_tls_cipher_suites.split(',')}}
 ---
 kind: InitConfiguration
 {% if kube_version is version_compare('1.22.0', '<') %}
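Review bot: `tlsCipherSuites: {{kube_tls_cipher_suites.split(',')}}` relies on Jinja rendering a Python list through its `repr()` and on that text happening to be a valid YAML flow sequence; it also keeps any whitespace around the commas, so an override such as `'A, B'` yields an item `' B'` that the kubelet would presumably reject as an unknown suite. An explicit serialization is both more robust and self-describing: `tlsCipherSuites: {{ kube_tls_cipher_suites.split(',') | map('trim') | list | to_json }}`. The same trimming concern applies to the raw string handed to the API server and etcd earlier in this file, which is passed through verbatim.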