[release-1.26] Use secure ciphers for metrics-server #7642

Closed
brandond opened this issue May 31, 2023 · 1 comment
Comments

@brandond
Member

@VestigeJ

Validated new release commit-id showing the removal of 3DES and other C-ranked algorithms by nmap.

$ sudo INSTALL_K3S_VERSION=v1.26.5+k3s1 INSTALL_K3S_EXEC=server ./install-k3s.sh

[INFO]  Using v1.26.5+k3s1 as release
[INFO]  Downloading hash https://github.com/k3s-io/k3s/releases/download/v1.26.5+k3s1/sha256sum-amd64.txt
[INFO]  Downloading binary https://github.com/k3s-io/k3s/releases/download/v1.26.5+k3s1/k3s
[INFO]  Verifying binary download
[INFO]  Installing k3s to /usr/local/bin/k3s
[INFO]  Skipping installation of SELinux RPM
[INFO]  Creating /usr/local/bin/kubectl symlink to k3s
[INFO]  Creating /usr/local/bin/crictl symlink to k3s
[INFO]  Creating /usr/local/bin/ctr symlink to k3s
[INFO]  Creating killall script /usr/local/bin/k3s-killall.sh
[INFO]  Creating uninstall script /usr/local/bin/k3s-uninstall.sh
[INFO]  env: Creating environment file /etc/systemd/system/k3s.service.env
[INFO]  systemd: Creating service file /etc/systemd/system/k3s.service
[INFO]  systemd: Enabling k3s unit
Created symlink /etc/systemd/system/multi-user.target.wants/k3s.service → /etc/systemd/system/k3s.service.
[INFO]  systemd: Starting k3s

$ kgn

NAME               STATUS   ROLES                       AGE   VERSION
ip-1-1-2-14        Ready    control-plane,etcd,master   47s   v1.26.5+k3s1

$ kgp -A

NAMESPACE     NAME                                      READY   STATUS      RESTARTS   AGE
kube-system   coredns-59b4f5bbd5-8v28l                  1/1     Running     0          34s
kube-system   helm-install-traefik-crd-bqtp6            0/1     Completed   0          34s
kube-system   helm-install-traefik-n9dfn                0/1     Completed   1          34s
kube-system   local-path-provisioner-76d776f6f9-gx4g4   1/1     Running     0          34s
kube-system   metrics-server-7b67f64457-7lx46           1/1     Running     0          34s
kube-system   svclb-traefik-95a7c8e0-sc6fm              2/2     Running     0          19s
kube-system   traefik-57c84cf78d-pkv7k                  1/1     Running     0          19s

$ k3s -v

k3s version v1.26.5+k3s1 (7cefebea)
go version go1.19.9

$ sudo /usr/local/bin/crictl -r /var/run/k3s/containerd/containerd.sock images |grep metrics

I0614 23:14:33.845383    2408 util_unix.go:103] "Using this endpoint is deprecated, please consider using full URL format" endpoint="/var/run/k3s/containerd/containerd.sock" URL="unix:///var/run/k3s/containerd/containerd.sock"
docker.io/rancher/mirrored-metrics-server    v0.6.2                 25561daa66605       28.1MB

$ kg svc metrics-server -n kube-system

NAME             TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
metrics-server   ClusterIP   10.43.193.35   <none>        443/TCP   119s

$ nmap --script ssl-enum-ciphers -p 443 10.43.193.35

Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-14 23:17 UTC
Nmap scan report for ip-10-43-193-35.us-north-9.compute.internal (10.43.193.35)
Host is up (0.00011s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: C

Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds

$ sudo INSTALL_K3S_COMMIT=f3b08c3863b7f3a7d6655e99077482353a54b309 INSTALL_K3S_EXEC=server ./install-k3s.sh

[INFO]  Using commit f3b08c3863b7f3a7d6655e99077482353a54b309 as release
[INFO]  Downloading hash https://k3s-ci-builds.s3.amazonaws.com/k3s-f3b08c3863b7f3a7d6655e99077482353a54b309.sha256sum
[INFO]  Downloading binary https://k3s-ci-builds.s3.amazonaws.com/k3s-f3b08c3863b7f3a7d6655e99077482353a54b309
[INFO]  Verifying binary download
[INFO]  Installing k3s to /usr/local/bin/k3s
[INFO]  Skipping installation of SELinux RPM
[INFO]  Creating /usr/local/bin/kubectl symlink to k3s
[INFO]  Creating /usr/local/bin/crictl symlink to k3s
[INFO]  Creating /usr/local/bin/ctr symlink to k3s
[INFO]  Creating killall script /usr/local/bin/k3s-killall.sh
[INFO]  Creating uninstall script /usr/local/bin/k3s-uninstall.sh
[INFO]  env: Creating environment file /etc/systemd/system/k3s.service.env
[INFO]  systemd: Creating service file /etc/systemd/system/k3s.service
[INFO]  systemd: Enabling k3s unit
Created symlink /etc/systemd/system/multi-user.target.wants/k3s.service → /etc/systemd/system/k3s.service.
[INFO]  systemd: Starting k3s

$ kgn

NAME               STATUS   ROLES                       AGE   VERSION
ip-1-1-2-12         Ready    control-plane,etcd,master   47s   v1.26.5+k3s-f3b08c38

$ kgp -A

NAMESPACE     NAME                                      READY   STATUS      RESTARTS   AGE
kube-system   coredns-59b4f5bbd5-vsc6n                  1/1     Running     0          34s
kube-system   helm-install-traefik-crd-8msfb            0/1     Completed   0          34s
kube-system   helm-install-traefik-mb9l5                0/1     Completed   1          34s
kube-system   local-path-provisioner-76d776f6f9-9h8sh   1/1     Running     0          34s
kube-system   metrics-server-68cf49699b-hrckx           1/1     Running     0          34s
kube-system   svclb-traefik-a182c187-72cdd              2/2     Running     0          20s
kube-system   traefik-57c84cf78d-r7kbl                  1/1     Running     0          20s

$ k3s -v

k3s version v1.26.5+k3s-f3b08c38 (f3b08c38)
go version go1.19.9

$ sudo /usr/local/bin/crictl -r /var/run/k3s/containerd/containerd.sock images |grep metrics

I0614 23:14:33.396380     598 util_unix.go:103] "Using this endpoint is deprecated, please consider using full URL format" endpoint="/var/run/k3s/containerd/containerd.sock" URL="unix:///var/run/k3s/containerd/containerd.sock"
docker.io/rancher/mirrored-metrics-server    v0.6.3                 817bbe3f2e517       29.9MB

$ kg svc metrics-server -n kube-system

NAME             TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
metrics-server   ClusterIP   10.43.1.5    <none>        443/TCP   2m4s

$ nmap --script ssl-enum-ciphers -p 443 10.43.1.5

Starting Nmap 7.92 ( https://nmap.org ) at 2023-06-14 23:16 UTC
Nmap scan report for ip-10-43-1-5.us-north-9.compute.internal (10.43.1.5)
Host is up (0.00011s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: client
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
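
A check a reviewer could script against the two nmap runs above, as an added example (not part of this issue or of k3s): it parses `ssl-enum-ciphers` output and applies a baseline stricter than nmap's letter grade (it also flags CBC and static-RSA suites that nmap still grades A), so the pre-fix run fails and the post-fix run passes. The sample inputs are constructed abbreviations of the runs quoted above.

```python
import re
# Constructed samples, abbreviated from the two nmap runs quoted in the comment above.
BEFORE = """|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C
"""
AFTER = """|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|_  least strength: A
"""
PROTO_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.[0-3]):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+) \([^)]*\) - ([A-F])\s*$")
HEADER_RE = re.compile(r"^\|\s{2,5}(?=\S)([a-z ]+):")  # ciphers:, compressors:, warnings:, ...
LEAST_RE = re.compile(r"^\|_?\s+least strength: ([A-F])")

def parse_ssl_enum(output):
    """Parse ssl-enum-ciphers output into {proto: [(suite, grade)]}, warnings and least strength."""
    report, proto, section = {"ciphers": {}, "warnings": [], "least_strength": None}, None, None
    for line in output.splitlines():
        if m := PROTO_RE.match(line):
            proto, section = m.group(1), None
        elif m := LEAST_RE.match(line):
            report["least_strength"] = m.group(1)
        elif m := CIPHER_RE.match(line):
            report["ciphers"].setdefault(proto, []).append((m.group(1), m.group(2)))
        elif m := HEADER_RE.match(line):
            section = m.group(1)
        elif section == "warnings":
            report["warnings"].append(line.strip("| "))
    return report
CHECKS = (  # baseline stricter than nmap's grade: (predicate(suite, grade), reason)
    (lambda n, g: any(w in n for w in ("3DES", "RC4", "NULL", "EXPORT")), "legacy cipher"),
    (lambda n, g: "_CBC_" in n, "non-AEAD CBC mode"),
    (lambda n, g: n.startswith("TLS_RSA_WITH_"), "static RSA key exchange, no forward secrecy"),
    (lambda n, g: g != "A", "nmap grade below A"),
)
def weak_ciphers(report):
    """Return [(proto, suite, [reasons])] for every suite that trips at least one check."""
    return [(proto, name, [why for test, why in CHECKS if test(name, grade)])
            for proto, suites in report["ciphers"].items() for name, grade in suites
            if any(test(name, grade) for test, _ in CHECKS)]
def passes_baseline(report):
    return report["least_strength"] == "A" and not report["warnings"] and not weak_ciphers(report)
```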

@github-project-automation github-project-automation bot moved this from To Test to Done Issue in K3s Development Jun 14, 2023