Background
Port 6443 of the kube-apiserver, exposed on the public Internet, was flagged by a scan for offering an insecure cipher suite, which needs to be disabled.
On Kubernetes 1.16, an nmap scan with default options reports the following:
```shell
# scan command
nmap -p 6443 --script=ssl-enum-ciphers.nse 192.168.56.104
####################################################################
# Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-03 19:55 CST
# Nmap scan report for 192.168.56.104
# Host is up (0.000071s latency).
#
# PORT     STATE SERVICE
# 6443/tcp open  sun-sr-https
# | ssl-enum-ciphers:
# |   TLSv1.2:
# |     ciphers:
# |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
# |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
# |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
# |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
# |       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
# |     compressors:
# |       NULL
# |     cipher preference: server
# |     warnings:
# |       64-bit block cipher 3DES vulnerable to SWEET32 attack
# |       Forward Secrecy not supported by any cipher
# |_  least strength: C
#
# Nmap done: 1 IP address (1 host up) scanned in 0.19 seconds
###############################################################
```
In the output above, TLS_RSA_WITH_3DES_EDE_CBC_SHA (graded C, flagged for SWEET32) must be disabled. Note the second warning as well: every suite offered uses static RSA key exchange, so none of them provides forward secrecy. The fix below addresses both findings.
Solution
Both kube-apiserver and the kubelet accept --tls-cipher-suites to specify which cipher suites are allowed.
By default the flag is empty, and the suites the TLS server offers are then whatever the Go version the binary was built with enables by default.
Kubernetes 1.16 is built with Go 1.12; the defaults come from the crypto/tls package source (【地址】), which lists the following suites:
```go
package main

import (
	"fmt"
	"strings"
)

// suit2 lists the cipher suite names Go 1.12's crypto/tls enables by default,
// in the tls package's own preference order. These are also exactly the names
// --tls-cipher-suites accepts. The two 3DES suites at the end are commented out:
// they are the ones the scan flags (SWEET32) and the ones to drop.
var suit2 = []string{
	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
	"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
	"TLS_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_RSA_WITH_AES_128_CBC_SHA256",
	"TLS_RSA_WITH_AES_128_CBC_SHA",
	"TLS_RSA_WITH_AES_256_CBC_SHA",
	//"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
	//"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

func main() {
	// Print the list in the comma-separated form --tls-cipher-suites expects.
	fmt.Println(strings.Join(suit2, ","))
}
```
Therefore, the fix is simply to edit the kube-apiserver configuration file and pass the desired cipher suites with --tls-cipher-suites, for example as an entry in the apiserver's command arguments:

```yaml
- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
```

Both suites use ECDHE key exchange with AES-GCM, so this removes the 3DES suite and also clears the "Forward Secrecy not supported" warning. Two things to check before applying it: the names must match the Go names exactly (the apiserver validates the flag at startup), and ECDHE_RSA suites require an RSA serving certificate, as in the scan above ("rsa 2048"); a cluster whose apiserver certificate is ECDSA needs the ECDHE_ECDSA equivalents instead. After the apiserver restarts, rerun the nmap command from the Background section to confirm that only the chosen suites are offered. The same flag applies to the kubelet's serving port.
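The following Go program is an added example and is not code from the page or from Kubernetes. It ties together the two points above: it parses a --tls-cipher-suites style value into Go cipher suite IDs (rejecting unknown names, as the apiserver does), starts a loopback TLS 1.2 server restricted to the two ECDHE_RSA GCM suites from the fix, and then probes it one suite at a time the way ssl-enum-ciphers does, showing that the flagged 3DES suite is refused while an allowed suite negotiates. The function names, the self-signed throwaway RSA certificate and the loopback address are assumptions made for the example; it uses tls.CipherSuites() and tls.InsecureCipherSuites(), which exist in Go 1.14 and later (the Go 1.12 the page's Kubernetes 1.16 was built with has neither).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// parseCipherSuites turns a --tls-cipher-suites style value into Go cipher suite
// IDs; an unknown name is an error rather than a silently shorter list.
func parseCipherSuites(flag string) ([]uint16, error) {
	byName := map[string]uint16{}
	for _, s := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		byName[s.Name] = s.ID
	}
	var ids []uint16
	for _, name := range strings.Split(flag, ",") {
		id, ok := byName[strings.TrimSpace(name)]
		if !ok {
			return nil, fmt.Errorf("unknown cipher suite %q", name)
		}
		ids = append(ids, id)
	}
	return ids, nil
}

// startServer listens on loopback with a throwaway self-signed RSA cert (the
// apiserver's cert is RSA too, "rsa 2048" in the scan) offering only the given
// suites. TLS is pinned to 1.2: CipherSuites cannot restrict TLS 1.3, and 1.2 is
// the version the scan enumerates.
func startServer(suites []uint16) (net.Listener, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "apiserver-test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12,
		CipherSuites: suites,
	})
	if err != nil {
		return nil, err
	}
	go func() {
		// Serve handshakes until the listener is closed; a disallowed suite fails here.
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { _ = c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln, nil
}

// probe offers exactly one cipher suite, as ssl-enum-ciphers does for each suite
// in turn, and returns the negotiated suite or the handshake error.
func probe(addr string, suite uint16) (uint16, error) {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, &tls.Config{
		InsecureSkipVerify: true, // self-signed test cert; only suite negotiation matters here
		MinVersion:         tls.VersionTLS12,
		MaxVersion:         tls.VersionTLS12,
		CipherSuites:       []uint16{suite},
	})
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().CipherSuite, nil
}

func main() {
	suites, err := parseCipherSuites("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")
	if err != nil {
		panic(err)
	}
	ln, err := startServer(suites)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	_, err = probe(ln.Addr().String(), tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA)
	fmt.Println("3DES probe error:", err)
	got, err := probe(ln.Addr().String(), tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
	fmt.Println("GCM probe:", tls.CipherSuiteName(got), err)
}
```

The 3DES probe fails with a handshake-failure alert because the server's CipherSuites no longer contains it, which is exactly what a rerun of the nmap scan shows as the suite disappearing from the list; the GCM probe negotiates the ECDHE suite. Pinning MaxVersion to TLS 1.2 is only for the experiment: on a real apiserver leave TLS 1.3 enabled, since its suites are all AEAD with forward secrecy and are not affected by the flag.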