
How can I disable weak TLS ciphers on the Kube-apiserver?

These instructions were tested on BCM 10.24.11a and Kubernetes 1.29.

By default, the kube-apiserver in Kubernetes accepts client connections over TLS 1.2. In some circumstances you may wish to disable this medium-strength protocol version and accept only the strong TLS 1.3.
The kube-apiserver daemon accepts the “tls-min-version” flag to set the minimum version it will negotiate.

In Base Command Manager, this may be applied using the following commands on the headnode: 

cmsh
configurationoverlay
use kube-default-master
roles
use kubelet
options /etc/kubernetes/manifests/kube-apiserver.yaml set tls-min-version=VersionTLS13
commit

After a short period of time, the kube-apiserver service will restart with the new flag.

You can confirm which protocol versions and ciphers the server accepts with the following script.

# cat check-cmd-ssl.sh
#!/bin/bash
server="master:10443"
# Try every OpenSSL cipher name against every protocol version and print the
# combinations for which the handshake succeeds.
# Note: -cipher only governs TLS 1.2 and below; TLS 1.3 suites are selected with
# -ciphersuites, so a tls1_3 hit means a TLS 1.3 handshake succeeded, not that
# the named cipher was negotiated.
for v in ssl2 ssl3 tls1 tls1_1 tls1_2 tls1_3; do
  for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
    /cm/local/apps/openssl/bin/openssl s_client -connect "$server" -cipher "$c" "-$v" </dev/null >/dev/null 2>&1 && echo -e "$v:\t$c"
  done
done

Example output (truncated for brevity). Because -cipher does not select TLS 1.3 suites, a tls1_3 line shows that a TLS 1.3 handshake succeeded while that cipher string was set, not that the named cipher was negotiated; the point to verify is that no tls1_2 (or older) lines appear.

tls1_3: ECDHE-ECDSA-AES256-GCM-SHA384
tls1_3: ECDHE-RSA-AES256-GCM-SHA384
tls1_3: DHE-DSS-AES256-GCM-SHA384
tls1_3: DHE-RSA-AES256-GCM-SHA384
tls1_3: ECDHE-ECDSA-CHACHA20-POLY1305
tls1_3: ECDHE-RSA-CHACHA20-POLY1305
tls1_3: DHE-RSA-CHACHA20-POLY1305
tls1_3: ECDHE-ECDSA-AES256-CCM8
tls1_3: ECDHE-ECDSA-AES256-CCM
tls1_3: DHE-RSA-AES256-CCM8
tls1_3: DHE-RSA-AES256-CCM
tls1_3: ECDHE-ECDSA-ARIA256-GCM-SHA384
tls1_3: ECDHE-ARIA256-GCM-SHA384
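A more direct check of the same setting, added here as an example and not part of the BCM article: it pins each handshake to one protocol version, uses -ciphersuites for TLS 1.3, parses the "New, &lt;protocol&gt;, Cipher is &lt;suite&gt;" line that openssl s_client prints, and passes only when TLS 1.2 is refused and TLS 1.3 is negotiated. The endpoint (SERVER, defaulting to master:10443 as in the article) and a TLS 1.3 capable openssl on PATH are assumptions.

```shell
#!/bin/bash
# Added example, not from the BCM article: confirm the kube-apiserver TLS floor
# after tls-min-version=VersionTLS13. Assumes the API endpoint in SERVER and an
# openssl binary (1.1.1 or newer, TLS 1.3 capable) on PATH.
SERVER="${SERVER:-master:10443}"
# -cipher only governs TLS 1.2 and below; TLS 1.3 suites use -ciphersuites.
TLS13_SUITES="TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256"

# Read an `openssl s_client` transcript on stdin and print "<protocol> <cipher>"
# taken from its "New, <proto>, Cipher is <suite>" line, or "none" when no
# session was established (handshake refused or connection failed).
parse_negotiated() {
  awk -F'[, ]+' '
    /^New, / && !seen { seen = 1; if ($2 == "(NONE)") print "none"; else print $2, $5 }
    END               { if (!seen) print "none" }
  '
}

# Handshake pinned to one protocol version ($1 is tls1_2 or tls1_3) and report
# what the server actually negotiated.
probe_version() {
  if [ "$1" = tls1_3 ]; then
    openssl s_client -connect "$SERVER" -tls1_3 -ciphersuites "$TLS13_SUITES" </dev/null 2>/dev/null | parse_negotiated
  else
    openssl s_client -connect "$SERVER" "-$1" </dev/null 2>/dev/null | parse_negotiated
  fi
}

# Decide from the two probe results: "ok" when TLS 1.2 is refused and TLS 1.3
# is negotiated, otherwise "weak".
verdict() {
  if [ "$1" = none ] && [ "${2%% *}" = TLSv1.3 ]; then echo ok; else echo weak; fi
}

# Run the live check only when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = --run ]; then
  r12=$(probe_version tls1_2)
  r13=$(probe_version tls1_3)
  printf 'tls1_2: %s\ntls1_3: %s\n' "$r12" "$r13"
  [ "$(verdict "$r12" "$r13")" = ok ] || exit 1
fi
```

Run it as `./check-tls13.sh --run` on the headnode after the commit; a non-zero exit means TLS 1.2 is still being accepted.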

Updated on February 6, 2025
