Use secure ciphers for metrics-server #7556

Closed
brandond opened this issue May 15, 2023 · 1 comment


brandond commented May 15, 2023

K3s ships with a fairly secure set of default cipher suites for the apiserver. Unfortunately the metrics-server still uses some fairly old and insecure defaults. The metrics-server doesn't expose anything confidential, but it does still show up on TLS scans as being insecure.

We should update the metrics-server packaged manifest to specify the same set of cipher suites as we use for the apiserver:

"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",

Ref: SURE-6331


ShylajaDevadiga commented Jun 14, 2023

Validated using commit id b66a118 on master branch

Environment Details

Infrastructure
Cloud EC2 instance

Node(s) CPU architecture, OS, and Version:
SLES 15 SP3

Cluster Configuration:
Single node

Steps to reproduce

  1. Install k3s
  2. Check version and Nmap scan report for metrics-server

Results from reproducing the issue:

ec2-user@ip-172-31-15-231:~> k3s -v
k3s version v1.27.2+k3s1 (213d7ad4)
go version go1.20.4
ec2-user@ip-172-31-15-231:~> sudo /usr/local/bin/crictl -r /var/run/k3s/containerd/containerd.sock images |grep metrics
docker.io/rancher/mirrored-metrics-server    v0.6.2                 25561daa66605       28.1MB
ec2-user@ip-172-31-15-231:~> kubectl get svc -n kube-system |grep metrics
metrics-server   ClusterIP      10.43.81.168   <none>          443/TCP                      14h
ec2-user@ip-172-31-15-231:~> nmap --script ssl-enum-ciphers -p 443 10.43.81.168
Starting Nmap 7.70 ( https://nmap.org ) at 2023-06-14 19:39 UTC
Nmap scan report for ip-10-43-81-168.us-east-2.compute.internal (10.43.81.168)
Host is up (0.00015s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C

Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds
ec2-user@ip-172-31-15-231:~> 

Results from validation:

ec2-user@ip-172-31-10-72:~> k3s -v
k3s version v1.27.2+k3s-b66a1183 (b66a1183)
go version go1.20.4
ec2-user@ip-172-31-10-72:~> sudo /usr/local/bin/crictl -r /var/run/k3s/containerd/containerd.sock images |grep metrics
docker.io/rancher/mirrored-metrics-server    v0.6.3                 817bbe3f2e517       29.9MB
ec2-user@ip-172-31-10-72:~> kubectl get svc -n kube-system |grep metrics
metrics-server   ClusterIP      10.43.17.196   <none>         443/TCP                      45s

Confirming there is no use of the 3DES cipher suite, there are no warnings, and least strength is A:

ec2-user@ip-172-31-10-72:~> nmap --script ssl-enum-ciphers -p 443 10.43.17.196
Starting Nmap 7.70 ( https://nmap.org ) at 2023-06-14 19:42 UTC
Nmap scan report for ip-10-43-17-196.us-east-2.compute.internal (10.43.17.196)
Host is up (0.00011s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.57 seconds
ec2-user@ip-172-31-10-72:~> 
ec2-user@ip-172-31-10-72:~> kubectl top nodes
NAME              CPU(cores)   CPU%   MEMORY(bytes)   MEMORY%   
ip-172-31-10-72   54m          2%     1086Mi          28%     
ec2-user@ip-172-31-10-72:~> kubectl top pods -A
NAMESPACE     NAME                                     CPU(cores)   MEMORY(bytes)   
kube-system   coredns-77ccd57875-xb6bw                 2m           16Mi            
kube-system   local-path-provisioner-957fdf8bc-lz998   1m           11Mi            
kube-system   metrics-server-648b5df564-l6kww          6m           25Mi            
kube-system   svclb-traefik-1f5a4f7e-kpzkh             0m           2Mi             
kube-system   traefik-64f55bb67d-s5p95                 1m           37Mi            
ec2-user@ip-172-31-10-72:~> 
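As an added example (not part of the issue or of k3s), the check below automates what the two comments above do by hand: it parses `nmap --script ssl-enum-ciphers` output and reports every offered suite that is not in the apiserver cipher list from the first comment, together with the reason a TLS scan would flag it. The `BEFORE` and `AFTER` samples are constructed in the shape of the two scans shown in the validation comment.

```python
import re

# Cipher suites k3s configures for the apiserver, as listed in the issue.
# These are Go names, so the ChaCha20 suites lack the _SHA256 suffix nmap prints.
ALLOWED_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
}

# Cipher lines of ssl-enum-ciphers, e.g. "|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C"
CIPHER_LINE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")

# Constructed samples shaped like the scans in this issue (before and after the fix).
BEFORE = """\
|     ciphers:
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|_  least strength: C
"""
AFTER = """\
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|_  least strength: A
"""

def normalize(name):
    """Map nmap's IANA-style suite name to the Go name k3s configures."""
    suffix = "_CHACHA20_POLY1305_SHA256"
    return name[:-len("_SHA256")] if name.endswith(suffix) else name

def parse_ssl_enum_ciphers(output):
    """Return [(cipher, key_exchange, grade)] for each cipher line in the scan."""
    return [m.groups() for m in map(CIPHER_LINE.match, output.splitlines()) if m]

def audit(output):
    """Return [(cipher, reason)] for offered suites outside ALLOWED_SUITES."""
    findings = []
    for cipher, _kx, _grade in parse_ssl_enum_ciphers(output):
        if normalize(cipher) in ALLOWED_SUITES:
            continue
        if "3DES" in cipher:
            reason = "64-bit block cipher (SWEET32)"
        elif "_CBC_" in cipher:
            reason = "CBC mode, not AEAD"
        elif not cipher.startswith("TLS_ECDHE_"):
            reason = "static RSA key exchange, no forward secrecy"
        else:
            reason = "not in the apiserver cipher list"
        findings.append((cipher, reason))
    return findings
```

Feeding the real scan output of a cluster's metrics-server service to `audit()` gives an empty list once the packaged manifest carries the apiserver cipher list.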

@github-project-automation github-project-automation bot moved this from To Test to Done Issue in K3s Development Jun 14, 2023