Updated VPA admission-controller to have adjustable minimum TLS version and TLS ciphers #6625
Conversation
k8s-ci-robot
added
the
kind/feature
|
|
k8s-ci-robot
added
cncf-cla: no
k8s-ci-robot
added
cncf-cla: yes
k8s-ci-robot
added
lgtm
k8s-ci-robot
removed
the
lgtm
|
@mwielgus fixed the formatting issue, should be good now |
| @@ -32,6 +32,8 @@ up the changes: ```sudo systemctl restart kubelet.service``` | |||
| for pods on their creation & updates. | |||
| 1. You can specify a path for it to register as a part of the installation process | |||
| by setting `--register-by-url=true` and passing `--webhook-address` and `--webhook-port`. | |||
| 1. You can specify a minimum TLS version with `--min-tls-version` with acceptable values being `tls1_0`, `tls1_1`, `tls1_2` (default), or `tls_13`. | |||
There was a problem hiding this comment.
| 1. You can specify a minimum TLS version with `--min-tls-version` with acceptable values being `tls1_0`, `tls1_1`, `tls1_2` (default), or `tls_13`. | |
| 1. You can specify a minimum TLS version with `--min-tls-version` with acceptable values being `tls1_0`, `tls1_1`, `tls1_2` (default), or `tls1_3`. |
| case "tls1_3": | ||
| tlsVersion = tls.VersionTLS13 | ||
| default: | ||
| tlsVersion = tls.VersionTLS12 |
There was a problem hiding this comment.
This is somewhat dangerous, IMHO. This code allows for arbitrary strings to be set for --min-tls-version and any typo will not result in an error, but in TLS1.2 being set. Users will never realize they're not getting what they intended. For example, if I'm setting --min-tls-version=1.3, admission-controller will silently configure TLS1.2. I think we should make it explicit to the user that they entered a value that is unknown and fail to start.
There was a problem hiding this comment.
updated code to default to tls1_2 and only accept tls1_2 and tls1_3. If a different value is given, we now throw a fatal exception. Error now looks like
F0318 15:31:04.356258 1 config.go:66] Unable to determine value for --min-tls-version (tls1_1), must be either tls1_2 or tls1_3
| } | ||
|
|
||
| switch minTlsVersion { | ||
| case "tls1_0": |
There was a problem hiding this comment.
Do we have a good reason to "go back" and allow for less secure TLS configurations than we do now? If not, let's not include TLS1.0 and TLS1.1 here.
There was a problem hiding this comment.
removed TLS 1.0 and TLS 1.1
| @@ -59,6 +59,8 @@ var ( | |||
| tlsCertFile: flag.String("tls-cert-file", "/etc/tls-certs/serverCert.pem", "Path to server certificate PEM file."), | |||
| tlsPrivateKey: flag.String("tls-private-key", "/etc/tls-certs/serverKey.pem", "Path to server certificate key PEM file."), | |||
| } | |||
| ciphers = flag.String("tls-ciphers", "", "A comma-separated or colon-separated list of ciphers to accept. Only works when min-tls-version is set to tls1_2 or below.") | |||
| minTlsVersion = flag.String("min-tls-version", "tls1_2", "The minimum TLS version to accept. Defaults to tls1_2.") | |||
There was a problem hiding this comment.
We should list all allowed values here, to make it clear which values are valid without taking a look at the implementation.
There was a problem hiding this comment.
updated description
|
@voelzmo Updated the PR, made the changes. LMK if there is anything else that needs to be updated. |
|
Looks great, thanks! |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: allenmun197, mwielgus, voelzmo The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@voelzmo , is it fine to cherry-pick this change to vpa 1.1 release? |
|
@robbiezhang I don't think we cherry-pick new features to releases. We probably would rather release a 1.2.0 |
|
@voelzmo thanks for the reply. That makes sense. Wondering what's the release cadence and 1.2 release timeline? |
|
Agreed. A new version would be necessary for features. |
|
We generally try and cut releases roughly in line with every minor version release. That being said there really isn't anything preventing us from a doing another release (except bandwidth from one of the owners!) |
What type of PR is this?
/kind feature
What this PR does / why we need it:
This PR allows the VPA admission-controller to have an adjustable minimum TLS version and ciphersuites. This will help people using VPA to be more secure as you can now set a minimum TLS version of 1.3 or only allow strong ciphers.
Which issue(s) this PR fixes:
Fixes #6624
Special notes for your reviewer:
I don't know the best way to create a mapping of ciphers/tls_versions to convert the string from the flag to the accepted uint16 accepted by the server params. If there is a better/cleaner solution I would be very much open to changing the code.
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: