Merge pull request #1808 from tkatila/tls-cipher-updates

TLS cipher updates

cmd/fpga_admissionwebhook/README.md

@@ -54,6 +54,8 @@ controller webhook plugin.
 The default webhook deployment depends on having [cert-manager](https://cert-manager.io/)
 installed. See its installation instructions [here](https://cert-manager.io/docs/installation/kubectl/).
 
+> **Note**: The default deployment for the Intel FPGA webhook uses self-signed certificates. For a production cluster, the certificate issuer should be properly set and not use a self-signed method.
+
 Also if your cluster operates behind a corporate proxy make sure that the API
 server is configured not to send requests to cluster services through the
 proxy. You can check that with the following command:

cmd/fpga_admissionwebhook/main.go

@@ -55,7 +55,14 @@ func main() {
 	ctrl.SetLogger(textlogger.NewLogger(tlConf))
 
 	tlsCfgFunc := func(cfg *tls.Config) {
-		cfg.MinVersion = tls.VersionTLS13
+		cfg.MinVersion = tls.VersionTLS12
+		cfg.MaxVersion = tls.VersionTLS12
+		cfg.CipherSuites = []uint16{
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		}
 	}
 
 	webhookOptions := webhook.Options{

cmd/operator/README.md

@@ -62,6 +62,8 @@ deployments/operator/samples/deviceplugin_v1_dsadeviceplugin.yaml:    intel.feat
 
 ### Cert-Manager
 
+> **Note**: The default deployment for the Intel Device Plugin operator uses self-signed certificates. For a production cluster, the certificate issuer should be properly set and not use a self-signed method.
+
 The default operator deployment depends on [cert-manager](https://cert-manager.io/) running in the cluster.
 See installation instructions [here](https://cert-manager.io/docs/installation/kubectl/).
 

cmd/operator/main.go

@@ -135,7 +135,14 @@ func main() {
 	}
 
 	tlsCfgFunc := func(cfg *tls.Config) {
-		cfg.MinVersion = tls.VersionTLS13
+		cfg.MinVersion = tls.VersionTLS12
+		cfg.MaxVersion = tls.VersionTLS12
+		cfg.CipherSuites = []uint16{
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		}
 	}
 
 	webhookOptions := webhook.Options{

cmd/sgx_admissionwebhook/README.md

@@ -32,6 +32,8 @@ controller webhook plugin.
 The default webhook deployment depends on having [cert-manager](https://cert-manager.io/)
 installed. See its installation instructions [here](https://cert-manager.io/docs/installation/kubectl/).
 
+> **Note**: The default deployment for the Intel SGX webhook uses self-signed certificates. For a production cluster, the certificate issuer should be properly set and not use a self-signed method.
+
 Also if your cluster operates behind a corporate proxy make sure that the API
 server is configured not to send requests to cluster services through the
 proxy. You can check that with the following command:

cmd/sgx_admissionwebhook/main.go

@@ -37,7 +37,14 @@ func main() {
 	ctrl.SetLogger(textlogger.NewLogger(tlConf))
 
 	tlsCfgFunc := func(cfg *tls.Config) {
-		cfg.MinVersion = tls.VersionTLS13
+		cfg.MinVersion = tls.VersionTLS12
+		cfg.MaxVersion = tls.VersionTLS12
+		cfg.CipherSuites = []uint16{
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		}
 	}
 
 	webhookOptions := webhook.Options{

deployments/operator/default/manager_auth_proxy_patch.yaml

@@ -15,7 +15,7 @@ spec:
         - "--secure-listen-address=0.0.0.0:8443"
         - "--upstream=http://127.0.0.1:8080/"
         - "--logtostderr=true"
-        - "--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
+        - "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
         - "--v=10"
         ports:
         - containerPort: 8443