From 19c2ad2da433659cbe0039af7130b1f55c576100 Mon Sep 17 00:00:00 2001
From: Tuomas Katila
Date: Wed, 14 Aug 2024 15:31:29 +0300
Subject: [PATCH 1/3] rbac proxy: drop lower quality tls cipher
Signed-off-by: Tuomas Katila
---
 deployments/operator/default/manager_auth_proxy_patch.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deployments/operator/default/manager_auth_proxy_patch.yaml b/deployments/operator/default/manager_auth_proxy_patch.yaml
index dea09f052..929218cb8 100644
--- a/deployments/operator/default/manager_auth_proxy_patch.yaml
+++ b/deployments/operator/default/manager_auth_proxy_patch.yaml
@@ -15,7 +15,7 @@ spec:
 - "--secure-listen-address=0.0.0.0:8443"
 - "--upstream=http://127.0.0.1:8080/"
 - "--logtostderr=true"
- - "--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
+ - "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
 - "--v=10"
 ports:
 - containerPort: 8443
From 333d6369db961a636bec19462cd2d3777b0582ae Mon Sep 17 00:00:00 2001
From: Tuomas Katila
Date: Wed, 14 Aug 2024 15:43:24 +0300
Subject: [PATCH 2/3] add a note about production clusters and proper certificates
Signed-off-by: Tuomas Katila
---
 cmd/fpga_admissionwebhook/README.md | 2 ++
 cmd/operator/README.md | 2 ++
 cmd/sgx_admissionwebhook/README.md | 2 ++
 3 files changed, 6 insertions(+)
diff --git a/cmd/fpga_admissionwebhook/README.md b/cmd/fpga_admissionwebhook/README.md
index 779177b36..0ec5f4cbd 100644
--- a/cmd/fpga_admissionwebhook/README.md
+++ b/cmd/fpga_admissionwebhook/README.md
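Review bot: The new `--tls-cipher-suites` value removes `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` but keeps `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`, and those two differ only in the certificate key type used for authentication, not in cipher strength, so the "lower quality cipher" rationale in the subject does not explain why only the RSA variant goes. If AES-128-GCM is the concern, `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256` should be removed as well; if it is not, keep both and state the real reason in the commit message. Note that which suites are actually usable depends on the proxy's serving certificate: with an RSA-keyed certificate only the `_RSA_` entries can be negotiated, which after this change leaves exactly `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` and `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305`. The hunk sets no `--tls-min-version`, so the proxy's minimum protocol version stays at whatever kube-rbac-proxy defaults to, which is worth pinning explicitly if the intent is to match the Go-side policy in the third patch.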
@@ -54,6 +54,8 @@ controller webhook plugin. The default webhook deployment depends on having [cert-manager](https://cert-manager.io/) installed. See its installation instructions [here](https://cert-manager.io/docs/installation/kubectl/). +> **Note**: The default deployment for the Intel FPGA webhook uses self-signed certificates. For a production cluster, the certificate issuer should be properly set and not use a self-signed method. + Also if your cluster operates behind a corporate proxy make sure that the API server is configured not to send requests to cluster services through the proxy. You can check that with the following command: diff --git a/cmd/operator/README.md b/cmd/operator/README.md index 6790e4728..6a0fb79a4 100644 --- a/cmd/operator/README.md +++ b/cmd/operator/README.md @@ -62,6 +62,8 @@ deployments/operator/samples/deviceplugin_v1_dsadeviceplugin.yaml: intel.feat ### Cert-Manager +> **Note**: The default deployment for the Intel Device Plugin operator uses self-signed certificates. For a production cluster, the certificate issuer should be properly set and not use a self-signed method. + The default operator deployment depends on [cert-manager](https://cert-manager.io/) running in the cluster. See installation instructions [here](https://cert-manager.io/docs/installation/kubectl/). diff --git a/cmd/sgx_admissionwebhook/README.md b/cmd/sgx_admissionwebhook/README.md index 094fa5661..21bba8a01 100644 --- a/cmd/sgx_admissionwebhook/README.md +++ b/cmd/sgx_admissionwebhook/README.md 
@@ -32,6 +32,8 @@ controller webhook plugin. The default webhook deployment depends on having [cert-manager](https://cert-manager.io/) installed. See its installation instructions [here](https://cert-manager.io/docs/installation/kubectl/). +> **Note**: The default deployment for the Intel SGX webhook uses self-signed certificates. For a production cluster, the certificate issuer should be properly set and not use a self-signed method. + Also if your cluster operates behind a corporate proxy make sure that the API server is configured not to send requests to cluster services through the proxy. You can check that with the following command: From 1a13dcd3e2ce27cef3767f1c0567c367d904c908 Mon Sep 17 00:00:00 2001 From: Tuomas Katila Date: Tue, 20 Aug 2024 11:58:38 +0300 Subject: [PATCH 3/3] tls: limit version to 1.2 only and selected ciphers Signed-off-by: Tuomas Katila --- cmd/fpga_admissionwebhook/main.go | 9 ++++++++- cmd/operator/main.go | 9 ++++++++- cmd/sgx_admissionwebhook/main.go | 9 ++++++++- 3 files changed, 24 insertions(+), 3 deletions(-) diff --git a/cmd/fpga_admissionwebhook/main.go b/cmd/fpga_admissionwebhook/main.go index b21744464..975ede5ce 100644 --- a/cmd/fpga_admissionwebhook/main.go +++ b/cmd/fpga_admissionwebhook/main.go @@ -55,7 +55,14 @@ func main() { ctrl.SetLogger(textlogger.NewLogger(tlConf)) tlsCfgFunc := func(cfg *tls.Config) { - cfg.MinVersion = tls.VersionTLS13 + cfg.MinVersion = tls.VersionTLS12 + cfg.MaxVersion = tls.VersionTLS12 + cfg.CipherSuites = []uint16{ + tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + } } webhookOptions := webhook.Options{ diff --git a/cmd/operator/main.go b/cmd/operator/main.go index dd3560b5a..4450c5440 100644 --- a/cmd/operator/main.go +++ b/cmd/operator/main.go 
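Review bot: `cfg.MaxVersion = tls.VersionTLS12` disables TLS 1.3 entirely, the very version the removed line had made the minimum; in Go, `tls.Config.CipherSuites` only governs TLS 1.0–1.2 handshakes, while the TLS 1.3 suites are fixed AEADs that cannot be configured or weakened, so capping the version gains no cipher control and gives up the stronger protocol. Keep `cfg.MinVersion = tls.VersionTLS12` together with the suite list for 1.2 clients and delete the `cfg.MaxVersion` line, so an API server that offers 1.3 still gets it. Since Go 1.17 the server ignores the order of `CipherSuites` when choosing a suite, so the ordering here is cosmetic and could be stated in a comment, e.g. `// TLS 1.2 only; TLS 1.3 suites are fixed by Go and not affected by this list`. The enclosing `main` starts and ends outside the hunk.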
@@ -135,7 +135,14 @@ func main() {
 }
 tlsCfgFunc := func(cfg *tls.Config) {
- cfg.MinVersion = tls.VersionTLS13
+ cfg.MinVersion = tls.VersionTLS12
+ cfg.MaxVersion = tls.VersionTLS12
+ cfg.CipherSuites = []uint16{
+ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ }
 }
 webhookOptions := webhook.Options{
diff --git a/cmd/sgx_admissionwebhook/main.go b/cmd/sgx_admissionwebhook/main.go
index dae8def65..984d171b5 100644
--- a/cmd/sgx_admissionwebhook/main.go
+++ b/cmd/sgx_admissionwebhook/main.go
@@ -37,7 +37,14 @@ func main() {
 ctrl.SetLogger(textlogger.NewLogger(tlConf))
 tlsCfgFunc := func(cfg *tls.Config) {
- cfg.MinVersion = tls.VersionTLS13
+ cfg.MinVersion = tls.VersionTLS12
+ cfg.MaxVersion = tls.VersionTLS12
+ cfg.CipherSuites = []uint16{
+ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ }
 }
 webhookOptions := webhook.Options{
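Review bot: The suite list in this hunk disagrees with the kube-rbac-proxy list changed in the first patch of the series: it includes `tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, which that patch removed as "lower quality", and it omits both CHACHA20_POLY1305 suites that the proxy keeps, so the operator's two TLS endpoints end up enforcing different policies. Either use one set in both places or add a comment on the `cfg.CipherSuites` line explaining why the webhook server needs a narrower list. `cfg.MaxVersion = tls.VersionTLS12` additionally drops TLS 1.3, which this closure previously required, without any cipher-level benefit since Go does not apply `CipherSuites` to 1.3 handshakes; removing that one line keeps the 1.2 restrictions while letting 1.3 clients negotiate normally. The `}` at the top of the hunk closes a block that begins outside it, and `main` continues past the hunk.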
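Review bot: This closure is now the third byte-identical copy of the TLS policy in the series (the operator and the FPGA webhook carry the same eight added lines), and the three copies have already drifted from the proxy's cipher list, which is the usual outcome of duplicating a security setting per binary. A single shared helper, e.g. `func WebhookTLSConfig(cfg *tls.Config)` in a package all three commands import, referenced as `tlsCfgFunc := pkg.WebhookTLSConfig`, would keep the policy in one reviewable place; this assumes the repository has such a shared package, which the diff does not show. The enclosing `main` starts and ends outside the hunk.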