Fixing k8s TLS security issues

2023-01-17  薄荷盐

Reference: https://www.ibm.com/docs/ru/cloud-private/3.1.2?topic=installation-specifying-tls-ciphers-etcd-kubernetes
Problem: a vulnerability scan flagged the k8s cluster for an SSL/TLS protocol information disclosure vulnerability (the scan output below shows the weak 3DES suite being offered).
Solution: restrict the cipher suites each component offers by setting its cipher-suites flag.

kube-controller-manager

Verifying the problem:

[root@node-2 ~]# nmap -sV -p 10257 --script ssl-enum-ciphers 10.1.69.125|grep -E 'DEA|DES'
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       64-bit block cipher 3DES vulnerable to SWEET32 attack

Edit the startup unit file /etc/systemd/system/kube-controller-manager.service and add the following flag to the ExecStart line:

--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Restart the service: systemctl daemon-reload && systemctl restart kube-controller-manager.service

etcd

Edit the startup unit file /etc/systemd/system/etcd.service and add the following flag to the ExecStart line (note that etcd's flag is --cipher-suites, without the tls- prefix):

--cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Restart the service: systemctl daemon-reload && systemctl restart etcd.service

kube-apiserver

Edit the startup unit file /etc/systemd/system/kube-apiserver.service and add the following flag to the ExecStart line:

--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Restart the service: systemctl daemon-reload && systemctl restart kube-apiserver.service

kubelet

Verifying the problem:

[root@node-2 ~]# nmap -sV -p 10250 --script ssl-enum-ciphers 10.1.69.125|grep -E 'DEA|DES'
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       64-bit block cipher 3DES vulnerable to SWEET32 attack

Edit the startup unit file /etc/systemd/system/kubelet.service and add the following flag to the ExecStart line:

--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Restart the service: systemctl daemon-reload && systemctl restart kubelet.service
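The same edit-flag-restart procedure is applied to all four components above, and each one should be re-scanned afterwards to confirm the 3DES suite is gone. The following shell helpers are an added example, not part of the original post: they flag weak suites in saved nmap ssl-enum-ciphers output, check that a cipher-suites flag value only contains suites from an allowlist, and pull that value out of a systemd unit file so the check can be run against the four unit files before restarting anything. The nmap output, the unit-file fragment and the allowlist (the two suites the post uses plus their ECDSA and ChaCha20 counterparts) are constructed for this example.

```bash
#!/bin/sh
# Added example, not from the original post: helpers to (1) flag weak suites in
# saved `nmap --script ssl-enum-ciphers` output, (2) check a cipher-suites flag
# value against an allowlist, and (3) read that value out of a unit file.
# All sample inputs below are constructed for this example.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed nmap output resembling the post's "before" scan of port 10250.
SCAN_BEFORE="$WORK/before.txt"
cat > "$SCAN_BEFORE" <<'EOF'
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
EOF

# Constructed output after restricting --tls-cipher-suites as in the post.
SCAN_AFTER="$WORK/after.txt"
cat > "$SCAN_AFTER" <<'EOF'
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
EOF

# Constructed fragment of a kubelet unit file carrying the flag from the post.
UNIT_FILE="$WORK/kubelet.service"
cat > "$UNIT_FILE" <<'EOF'
[Service]
ExecStart=/usr/local/bin/kubelet \
  --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 \
  --v=2
EOF

# Substrings that mark a suite as weak in the scan output (assumed list).
WEAK_PATTERN='3DES|_DES_|RC4|NULL|EXPORT|_MD5|anon'

# weak_ciphers_in FILE: print each weak suite line found in an nmap
# ssl-enum-ciphers report; return 1 if any were found, 0 if the report is clean.
weak_ciphers_in() {
    hits=$(grep -E '^[|][[:space:]]+TLS_' "$1" | grep -E "$WEAK_PATTERN" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Assumed allowlist: AEAD suites with forward secrecy (ECDHE + GCM/ChaCha20).
ALLOWED_SUITES='TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305'

# check_suites LIST: LIST is the comma-separated flag value; name every suite
# that is not on the allowlist and return 1, or return 0 if all are allowed.
check_suites() {
    rc=0
    for suite in $(printf '%s' "$1" | tr ',' ' '); do
        case " $ALLOWED_SUITES " in
            *" $suite "*) ;;
            *) printf 'not allowed: %s\n' "$suite"; rc=1 ;;
        esac
    done
    return $rc
}

# unit_suites FILE: print the value of --tls-cipher-suites= (kube components)
# or --cipher-suites= (etcd) found in a unit file; empty if the flag is absent.
unit_suites() {
    grep -oE -e '--(tls-)?cipher-suites=[A-Z0-9_,]+' "$1" | head -n 1 | cut -d= -f2
}

# Walk-through on the constructed inputs.
for f in "$SCAN_BEFORE" "$SCAN_AFTER"; do
    if weak_ciphers_in "$f"; then
        echo "$f: no weak suites offered"
    else
        echo "$f: weak suites still offered"
    fi
done
check_suites "$(unit_suites "$UNIT_FILE")" && echo "unit file flag is on the allowlist"
```

In practice you would replace the constructed files with the real unit files under /etc/systemd/system and with nmap output saved from ports 10257, 2379, 6443 and 10250 before and after the restart; a non-zero return from weak_ciphers_in on the "after" scan means the flag did not take effect (typically because the ExecStart line was not the one edited or daemon-reload was skipped).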
