
Operator controller allows old TLS versions #155

Closed
nyikesda opened this issue Feb 14, 2022 · 6 comments · Fixed by #188

Comments

@nyikesda (Contributor)

Our vulnerability scanners raised an issue because the operator controller allows TLS v1.0/1.1 on port 9443.
Please allow only TLS 1.2, because the legacy versions have many vulnerabilities.

@spilchen (Collaborator)

To clarify, did you mean port 8443? If so, this is the https://github.com/brancz/kube-rbac-proxy. We currently run with 0.8.0. In the latest version, 0.11.0, they have an option to specify the TLS version (--tls-min-version). So, on the surface, it seems reasonable that we can upgrade and/or use this option.

@nyikesda (Contributor, author) commented Feb 17, 2022

I mean this port from the kubernetes deployment resource:

        ports:
        - containerPort: 9443
          name: webhook-server
          protocol: TCP

Has it changed after 1.2.0?

@spilchen (Collaborator)

No, it is still 9443. I see the port you are asking about.

Unfortunately, I don't see anything that can be done at this time. The operator inherits this functionality from https://github.com/kubernetes-sigs/controller-runtime. We are on an older version (0.7.2), but even in the current release (0.11.0) it still doesn't allow the TLS version to be configured. There have been a few PRs opened to try and address this, but none of them have gotten in yet (e.g. kubernetes-sigs/controller-runtime#1620).

@nyikesda (Contributor, author)

Thanks! We will ping those PRs.

@spilchen (Collaborator)

Turns out there may be a way to set the minimum TLS version now. There was a merged PR that sets the minimum TLS version when starting the webhook (kubernetes-sigs/controller-runtime#1548). However, our operator doesn't call the function that was changed directly. There are a few layers of abstraction in between. So, what is missing is how to configure that from the operator. The community for the controller-runtime has had various proposals to allow this, but nothing is finalized. PR 1620 referenced above is an example. Another one, kubernetes-sigs/controller-runtime#852, looks the most promising based on recent activity.

In the meantime, I believe I can still set this in our operator. It will be a little hacky, but it should be okay for now until they settle on a way to properly expose this.

I'll open a PR for this shortly.
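The thread does not show how the operator ends up wiring the setting, so the following is an added, stand-alone example (not the operator's code, not controller-runtime's, and not the PR referenced above). It shows the one knob that matters on a Go webhook server, `tls.Config.MinVersion`, and reproduces the scanner's check in-process: a client is forced to offer only TLS 1.0 or 1.1 and we observe whether the server completes the handshake. The listener, the self-signed "webhook-server" certificate and the `probe` helper are all constructed for the demo; the real operator would hand an equivalent `tls.Config` to whichever controller-runtime hook it can reach.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSignedCert mints a throwaway ECDSA P-256 certificate so the demo runs
// offline. "webhook-server" is a constructed name, not the operator's real cert.
func newSelfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "webhook-server"},
		DNSNames:     []string{"webhook-server"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, roots, nil
}

// webhookTLSConfig is the server-side config. MinVersion is the whole fix:
// tls.VersionTLS12 makes the server refuse 1.0/1.1 ClientHellos, while
// tls.VersionTLS10 reproduces the lax behaviour the scanner flagged.
func webhookTLSConfig(cert tls.Certificate, minVersion uint16) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   minVersion,
	}
}

// probe starts a one-shot TLS listener on loopback with the given server
// MinVersion and connects with a client whose highest offered version is
// clientMax. It returns the negotiated version, or the handshake error.
func probe(serverMin, clientMax uint16) (uint16, error) {
	cert, roots, err := newSelfSignedCert()
	if err != nil {
		return 0, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		// A rejected handshake reaches the client as a TLS alert, so the
		// server-side error needs no separate reporting here.
		_ = tls.Server(conn, webhookTLSConfig(cert, serverMin)).Handshake()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:    roots,
		ServerName: "webhook-server",
		MinVersion: tls.VersionTLS10, // the probe offers legacy versions on purpose
		MaxVersion: clientMax,
	})
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

func main() {
	names := map[uint16]string{tls.VersionTLS10: "TLS1.0", tls.VersionTLS11: "TLS1.1", tls.VersionTLS12: "TLS1.2", tls.VersionTLS13: "TLS1.3"}
	for _, c := range []struct{ serverMin, clientMax uint16 }{
		{tls.VersionTLS10, tls.VersionTLS11}, // lax server: what the scanner saw on 9443
		{tls.VersionTLS12, tls.VersionTLS11}, // hardened server: legacy client refused
		{tls.VersionTLS12, tls.VersionTLS13}, // hardened server: modern client unaffected
	} {
		v, err := probe(c.serverMin, c.clientMax)
		if err != nil {
			fmt.Printf("server min %s, client max %s: refused (%v)\n", names[c.serverMin], names[c.clientMax], err)
			continue
		}
		fmt.Printf("server min %s, client max %s: negotiated %s\n", names[c.serverMin], names[c.clientMax], names[v])
	}
}
```

The same check from outside the cluster is `openssl s_client -tls1_1 -connect <pod-ip>:9443`; after the fix it should fail the handshake while `-tls1_2` succeeds. Pin only `MinVersion`; setting `MaxVersion` to 1.2 would also block TLS 1.3, which is not what the scanner asked for.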

@nyikesda (Contributor, author)

Thanks @spilchen !
