Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: 4.20.0
Affects Version/s: 4.18.z, 4.19.z, 4.20.0
Component/s: Monitoring
Labels:
None

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
5
Severity:
Low
Regression:
None

Target Backport Versions:

4.18.z, 4.19.z
Target Version:

4.20.0
Release Blocker:
None
Sprint:
Mon Sprint 273, MON Sprint 274, MON Sprint 275
sprint_count:
3

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
Done
Release Note Type:
Bug Fix
Release Note Text:

Hide
Cluster Monitoring Operator applies secure TLS settings to resolve cipher warnings::
Before this update, the Cluster Monitoring Operator logged warnings about insecure TLS ciphers, which could raise concerns about security. This release configures secure TLS settings, removing those cipher warnings from the logs and ensuring the operator reports correct, secure TLS configurations.
+
link:https://issues.redhat.com/browse/OCPBUGS-58475[OCPBUGS-58475]

Show
Cluster Monitoring Operator applies secure TLS settings to resolve cipher warnings:: Before this update, the Cluster Monitoring Operator logged warnings about insecure TLS ciphers, which could raise concerns about security. This release configures secure TLS settings, removing those cipher warnings from the logs and ensuring the operator reports correct, secure TLS configurations. + link: https://issues.redhat.com/browse/OCPBUGS-58475 [ OCPBUGS-58475 ]

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

checked in 4.18.0-0.nightly-2025-07-07-070117/4.19.0-0.nightly-2025-07-02-143253/4.20.0-0.nightly-2025-07-07-092859, Use of insecure cipher warning info in CMO logs(it does not affect the function), example

$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.20.0-0.nightly-2025-07-07-092859   True        True          42m     Cluster version is 4.20.0-0.nightly-2025-07-07-092859

$ oc -n openshift-monitoring logs deploy/cluster-monitoring-operator | grep "insecure cipher"
W0708 09:07:36.461485       1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256' detected.
W0708 09:07:36.461517       1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256' detected.
W0708 09:07:36.461525       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_128_GCM_SHA256' detected.
W0708 09:07:36.461529       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_256_GCM_SHA384' detected.
W0708 09:07:36.461535       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_128_CBC_SHA' detected.
W0708 09:07:36.461548       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_256_CBC_SHA' detected.

$ oc get kubeapiserver/cluster -o jsonpath='{.spec.observedConfig.servingInfo.cipherSuites}'  | jq
[
  "TLS_AES_128_GCM_SHA256",
  "TLS_AES_256_GCM_SHA384",
  "TLS_CHACHA20_POLY1305_SHA256",
  "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
  "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
]

checked in pods, no pods use the insecure cipher, and pods cipher-suites is the same with that in kubeapiserver

$ oc -n openshift-monitoring get po -oyaml | grep -E "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256|TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256|TLS_RSA_WITH_AES_128_GCM_SHA256|TLS_RSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_128_CBC_SHA|TLS_RSA_WITH_AES_256_CBC_SHA"
no result

$ oc -n openshift-monitoring get po prometheus-k8s-0 -oyaml
    - --tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

Version-Release number of selected component (if applicable):

4.18+

How reproducible:

always

Steps to Reproduce:

1. check CMO logs

Actual results:

Use of insecure cipher warning info in CMO logs

Expected results:

no warning

Additional info:

# oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.18.0-0.nightly-2025-07-07-070117   True        False         140m    Cluster version is 4.18.0-0.nightly-2025-07-07-070117

# oc -n openshift-monitoring logs deploy/cluster-monitoring-operator | grep "insecure cipher"
W0708 06:47:13.803305       1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256' detected.
W0708 06:47:13.803337       1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256' detected.
W0708 06:47:13.803377       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_128_GCM_SHA256' detected.
W0708 06:47:13.803403       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_256_GCM_SHA384' detected.
W0708 06:47:13.803429       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_128_CBC_SHA' detected.
W0708 06:47:13.808797       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_256_CBC_SHA' detected.

$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.19.0-0.nightly-2025-07-02-143253   True        True          52m     Cluster version is 4.19.0-0.nightly-2025-07-02-143253

$ oc -n openshift-monitoring logs deploy/cluster-monitoring-operator | grep "insecure cipher"
W0708 08:58:46.867671       1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256' detected.
W0708 08:58:46.868754       1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256' detected.
W0708 08:58:46.868787       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_128_GCM_SHA256' detected.
W0708 08:58:46.868812       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_256_GCM_SHA384' detected.
W0708 08:58:46.868829       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_128_CBC_SHA' detected.
W0708 08:58:46.868844       1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_256_CBC_SHA' detected.

links to

openshift/cluster-monitoring-operator#2618: OCPBUGS-58475: Enforce secure TLS settings in CMO

openshift/cluster-monitoring-operator#2647: OCPBUGS-58475: Enforce secure TLS settings in CMO server

Assignee:: Daniel Mellado Area

Reporter:: Junqi Zhao

Need Info From:: None

Contributors:: None

QA Contact:: Junqi Zhao

Doc Contact:: Eliska Romanova

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2025/07/08 9:45 AM

Updated:: 2025/10/01 10:15 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates