• Kubernetes Submit Queue's avatar
    Merge pull request #48859 from victorgp/master · b7100f1e
    Kubernetes Submit Queue authored
    Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
    
    Support for custom tls cipher suites in api server and kubelet
    
    **What this PR does / why we need it**:
    This pull request aims to solve the problem of users not able to set custom cipher suites in the api server.
    Several users have requested this given that some default ciphers are vulnerable.
    There is a discussion in #41038 of how to implement this. The options are:
    - Setting a fixed list of ciphers, but users will have different requirements so a fixed list would be problematic.
    - Letting the user set them by parameter, this requires adding a new parameter that could be pretty long with the list of all the ciphers.
    
    I implemented the second option, if the ciphers are not passed by parameter, the Go default ones will be used (same behavior as now).
    
    **Which issue this PR fixes** 
    fixes #41038 
    
    **Special notes for your reviewer**:
    The ciphers in Go tls config are constants and the ones passed by parameters are a comma-separated list. I needed to create the `type CipherSuitesFlag` to support that conversion/mapping, because i couldn't find any way to do this type of reflection in Go.
    If you think there is another way to implement this, let me know.
    
    If you want to test it out, this is a ciphers combination i tested without the weak ones:
    
    ```
    TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    ```
    
    If this is merged i will implement the same for the Kubelet.
    
    **Release note**:
    ```release-note
    kube-apiserver and kubelet now support customizing TLS ciphers via a `--tls-cipher-suites` flag
    ```
    b7100f1e
Name
Last commit
Last update
..
conformance Loading commit data...
e2e Loading commit data...
e2e_node Loading commit data...
fixtures Loading commit data...
images Loading commit data...
integration Loading commit data...
kubemark Loading commit data...
list Loading commit data...
soak Loading commit data...
utils Loading commit data...
BUILD Loading commit data...
OWNERS Loading commit data...
test_owners.csv Loading commit data...
test_owners.json Loading commit data...