OpenShift Bugs / OCPBUGS-54212

Rule kubelet-configure-tls-cipher-suites fails with new ciphers from RFC 8446

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Undefined
    • Version: 4.18
    • Component: Compliance Operator

      We're getting the following issue in CI that tests the API server ciphers:

      E2E-FAILURE: The expected default result for the e2e-cis-node-master-kubelet-configure-tls-cipher-suites rule didn't match. Expected 'PASS', Got 'FAIL' 

      https://prow.ci.openshift.org/view/gs/test-platform-results/logs/periodic-ci-ComplianceAsCode-content-master-4.18-e2e-aws-ocp4-cis-node-weekly-arm/1903593926393073664


            Lance Bragstad added a comment - These are the ciphers configured by default on a 4.18 cluster:

            $ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .tlsCipherSuites'; done
            [
              "TLS_AES_128_GCM_SHA256",
              "TLS_AES_256_GCM_SHA384",
              "TLS_CHACHA20_POLY1305_SHA256",
              "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
              "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
              "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
              "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
              "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
              "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
            ]

            Lance Bragstad added a comment - We needed to make a similar change to the platform profile assertions:

            https://github.com/ComplianceAsCode/content/pull/12863/commits/7d9878679c2f909c85efd305f9ddd708ffe4b153

            Lance Bragstad added a comment - This is the rule that's failing - https://github.com/ComplianceAsCode/content/blob/master/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites/rule.yml#L65-L71

            template:
                name: yamlfile_value
                vars:
                    filepath: '/etc/kubernetes/compliance-operator/kubeletconfig/openscap-kubeletconfig'
                    yamlpath: ".kubeletconfig.tlsCipherSuites[:]"
                    xccdf_variable: var_kubelet_tls_cipher_suites_regex
                    regex_data: true

            The variable it's using is:

            options:
              default: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"

            https://github.com/ComplianceAsCode/content/blob/master/applications/openshift/kubelet/var_kubelet_tls_cipher_suites.var#L14
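The comments above together explain the failure: the kubelet on 4.18 reports nine suites, three of them the TLS 1.3 suites from RFC 8446, while the variable behind the rule lists only the six TLS 1.2 ECDHE suites. The following is an added example, not ComplianceAsCode or Compliance Operator code, that reproduces that mismatch offline. It assumes the yamlfile_value template with regex_data: true behaves as an allowlist (every element selected by .kubeletconfig.tlsCipherSuites[:] must match a regex built from the comma-separated variable); the helpers allowlist_regex, evaluate and missing_from_variable, and the constructed SAMPLE_CONFIGZ document, are this example's own.

```python
"""Offline reproduction of the kubelet-configure-tls-cipher-suites check.

Added example, not project code. Assumption: the check is an allowlist, so
every entry of .kubeletconfig.tlsCipherSuites must match a regex derived
from the comma-separated variable value.
"""
import json
import re

# Constructed sample: the tlsCipherSuites a 4.18 kubelet reports via /configz,
# wrapped in the JSON shape the jq filter from the issue produces.
SAMPLE_CONFIGZ = json.dumps({
    "kubeletconfig": {
        "kind": "KubeletConfiguration",
        "apiVersion": "kubelet.config.k8s.io/v1beta1",
        "tlsCipherSuites": [
            "TLS_AES_128_GCM_SHA256",
            "TLS_AES_256_GCM_SHA384",
            "TLS_CHACHA20_POLY1305_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        ],
    }
})

# Default of var_kubelet_tls_cipher_suites as quoted in the issue: TLS 1.2 only.
CURRENT_VARIABLE = (
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,"
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
)

# The three TLS 1.3 suites defined in RFC 8446 that the 4.18 kubelet enables.
RFC8446_SUITES = (
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
)

# Candidate fix: the same variable extended with the RFC 8446 suites.
UPDATED_VARIABLE = CURRENT_VARIABLE + "," + ",".join(RFC8446_SUITES)


def allowlist_regex(csv_value: str) -> str:
    """Build an anchored alternation from a comma-separated suite list.

    Hypothetical helper. Names are escaped and the pattern is anchored so a
    partial name in the variable cannot match a longer suite by substring.
    """
    names = [n.strip() for n in csv_value.split(",") if n.strip()]
    return "^(" + "|".join(re.escape(n) for n in names) + ")$"


def evaluate(configz_json: str, regex: str) -> tuple[str, list[str]]:
    """Apply the allowlist to every configured suite.

    Returns ("PASS", []) when all suites match, otherwise ("FAIL", offenders)
    with the non-matching suites in configuration order.
    """
    suites = json.loads(configz_json)["kubeletconfig"]["tlsCipherSuites"]
    pattern = re.compile(regex)
    offenders = [s for s in suites if pattern.search(s) is None]
    return ("FAIL" if offenders else "PASS", offenders)


def missing_from_variable(configz_json: str, csv_value: str) -> list[str]:
    """Suites the kubelet reports that the variable does not yet allow."""
    return evaluate(configz_json, allowlist_regex(csv_value))[1]


if __name__ == "__main__":
    for label, var in (("current variable", CURRENT_VARIABLE),
                       ("variable + RFC 8446 suites", UPDATED_VARIABLE)):
        result, offenders = evaluate(SAMPLE_CONFIGZ, allowlist_regex(var))
        print(f"{label}: {result} {offenders}")
```

Running it gives FAIL with exactly the three RFC 8446 suites as offenders against the current variable, and PASS once they are appended. Accepting them is not a weakening of the control: Go's crypto/tls does not let a server disable or reorder TLS 1.3 suites through the cipher-suite list, so the kubelet will offer those three regardless of what tlsCipherSuites says, and an allowlist that omits them can only ever report FAIL on a default 4.18 node.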

              Lance Bragstad (lbragsta@redhat.com)
              Xiaojie Yuan