Purpose
By default, the kube-apiserver in Kubernetes negotiates TLS 1.2 with clients: TLS 1.2 is its default minimum protocol version. In some circumstances you may wish to stop accepting TLS 1.2 altogether and negotiate only TLS 1.3. Note that TLS 1.2 is a protocol version rather than a single cipher, and that after the change any client, load balancer or monitoring probe that cannot speak TLS 1.3 will be refused by the API server.
Steps
NOTE: These instructions were tested on BCM 10.24.11a and Kubernetes 1.29.
The kube-apiserver daemon accepts the --tls-min-version flag to set the minimum protocol version it will negotiate; the accepted values are VersionTLS10, VersionTLS11, VersionTLS12 and VersionTLS13.
In Base Command Manager, this may be applied using the following commands on the headnode:
# cmsh
% configurationoverlay
% use kube-default-master
% roles
% use kubelet
% options /etc/kubernetes/manifests/kube-apiserver.yaml set tls-min-version=VersionTLS13
% commit
After a short period, the kube-apiserver service will restart with the new flag. The flag should then appear as --tls-min-version=VersionTLS13 in /etc/kubernetes/manifests/kube-apiserver.yaml and on the command line of the running kube-apiserver process.
Confirming the Change
You may confirm which protocol versions the API server accepts with the following script. It attempts a handshake for every protocol version and cipher combination known to OpenSSL and prints the combinations the server accepts; after the change, only tls1_3 lines should appear.
# cat check-cmd-ssl.sh
#!/bin/bash
# Use BCM's own OpenSSL for both the cipher list and the probes, so that
# -tls1_3 is understood and both steps see the same cipher names.
openssl=/cm/local/apps/openssl/bin/openssl
server="master:10443"
for v in ssl2 ssl3 tls1 tls1_1 tls1_2 tls1_3; do
    for c in $($openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
        # -cipher only constrains TLS 1.2 and earlier. Under -tls1_3 the
        # connection negotiates one of the TLS 1.3 suites regardless of $c,
        # so a tls1_3 line confirms the version, not the cipher it names.
        $openssl s_client -connect "$server" -cipher "$c" -$v < /dev/null > /dev/null 2>&1 \
            && echo -e "$v:\t$c"
    done
done
Example Output (truncated for brevity):
tls1_3: ECDHE-ECDSA-AES256-GCM-SHA384
tls1_3: ECDHE-RSA-AES256-GCM-SHA384
tls1_3: DHE-DSS-AES256-GCM-SHA384
tls1_3: DHE-RSA-AES256-GCM-SHA384
tls1_3: ECDHE-ECDSA-CHACHA20-POLY1305
tls1_3: ECDHE-RSA-CHACHA20-POLY1305
tls1_3: DHE-RSA-CHACHA20-POLY1305
tls1_3: ECDHE-ECDSA-AES256-CCM8
tls1_3: ECDHE-ECDSA-AES256-CCM
tls1_3: DHE-RSA-AES256-CCM8
tls1_3: DHE-RSA-AES256-CCM
tls1_3: ECDHE-ECDSA-ARIA256-GCM-SHA384
tls1_3: ECDHE-ARIA256-GCM-SHA384
The significant result is what is absent: no ssl2, ssl3, tls1, tls1_1 or tls1_2 line is printed, so every handshake pinned to an older version was refused. The cipher names in the tls1_3 rows are TLS 1.2-era names echoed from the loop variable; s_client's -cipher option does not apply to TLS 1.3, and each of those connections actually negotiated one of the TLS 1.3 suites (TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384 or TLS_CHACHA20_POLY1305_SHA256), which is the only set kube-apiserver's Go TLS stack offers for TLS 1.3. To see the suite that was negotiated, run a single openssl s_client -tls1_3 connection to the server without discarding its output and read the Protocol and Cipher lines.
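Both the effect of the flag set in the Steps section and the measurement made by the check script can be reproduced offline. The Go program below is an added example, not BCM or Kubernetes code: kube-apiserver is a Go program and --tls-min-version sets the MinVersion of its crypto/tls configuration, so the program starts a loopback TLS listener with that MinVersion, first at the default VersionTLS12 and then at VersionTLS13, and probes it with a client pinned to one protocol version at a time, as openssl s_client -tls1_2 and -tls1_3 do. Unlike the script's tls1_3 rows, it also reports the cipher suite that was actually negotiated. The self-signed certificate, the loopback address and the function names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Result records what one version-pinned probe saw.
type Result struct {
	Accepted bool
	Suite    string // negotiated cipher suite when Accepted
	Err      error  // handshake error when refused
}

// selfSignedCert builds a throwaway ECDSA certificate for 127.0.0.1 so the
// example runs offline (constructed here; not a BCM-issued certificate).
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-apiserver"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, err
}

// startServer listens on loopback with the given MinVersion (the crypto/tls
// setting kube-apiserver derives from --tls-min-version) and completes or
// rejects every handshake in the background until the listener is closed.
func startServer(minVersion uint16) (net.Listener, *x509.CertPool, error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: minVersion}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func() { defer c.Close(); _ = c.(*tls.Conn).Handshake() }()
		}
	}()
	return ln, roots, nil
}

// probe pins the client to a single protocol version, as the check script
// does with s_client -tls1_2 / -tls1_3, and verifies the server certificate.
func probe(addr string, version uint16, roots *x509.CertPool) Result {
	cfg := &tls.Config{MinVersion: version, MaxVersion: version, RootCAs: roots}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return Result{Err: err} // e.g. "remote error: tls: protocol version not supported"
	}
	defer conn.Close()
	st := conn.ConnectionState()
	return Result{Accepted: st.Version == version, Suite: tls.CipherSuiteName(st.CipherSuite)}
}

// checkMinVersion starts a server configured with minVersion and probes it
// with every version in probes.
func checkMinVersion(minVersion uint16, probes []uint16) (map[uint16]Result, error) {
	ln, roots, err := startServer(minVersion)
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	results := make(map[uint16]Result, len(probes))
	for _, v := range probes {
		results[v] = probe(ln.Addr().String(), v, roots)
	}
	return results, nil
}

func main() {
	names := map[uint16]string{tls.VersionTLS12: "VersionTLS12", tls.VersionTLS13: "VersionTLS13"}
	probes := []uint16{tls.VersionTLS12, tls.VersionTLS13}
	for _, serverMin := range probes { // default setting first, then the hardened one
		res, err := checkMinVersion(serverMin, probes)
		if err != nil {
			panic(err)
		}
		fmt.Printf("--tls-min-version=%s\n", names[serverMin])
		for _, v := range probes {
			fmt.Printf("  %s accepted=%v suite=%q err=%v\n", names[v], res[v].Accepted, res[v].Suite, res[v].Err)
		}
	}
}
```

With MinVersion set to VersionTLS13 the TLS 1.2 probe fails with a protocol_version alert while the TLS 1.3 probe succeeds with one of the three TLS 1.3 suites; with the default VersionTLS12 both probes succeed. The probe verifies the server certificate against the generated root rather than skipping verification, which is the behaviour a real client such as kubectl has against the cluster CA.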