Bug
Resolution: Unresolved
Normal
4.18.z, 4.19.z, 4.20.0
None
Description of problem:
Checked in 4.18.0-0.nightly-2025-07-07-070117, 4.19.0-0.nightly-2025-07-02-143253 and 4.20.0-0.nightly-2025-07-07-092859: "Use of insecure cipher" warnings appear in the CMO logs (this does not affect functionality). Example:
$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.20.0-0.nightly-2025-07-07-092859   True        True          42m     Cluster version is 4.20.0-0.nightly-2025-07-07-092859

$ oc -n openshift-monitoring logs deploy/cluster-monitoring-operator | grep "insecure cipher"
W0708 09:07:36.461485 1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256' detected.
W0708 09:07:36.461517 1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256' detected.
W0708 09:07:36.461525 1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_128_GCM_SHA256' detected.
W0708 09:07:36.461529 1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_256_GCM_SHA384' detected.
W0708 09:07:36.461535 1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_128_CBC_SHA' detected.
W0708 09:07:36.461548 1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_256_CBC_SHA' detected.

$ oc get kubeapiserver/cluster -o jsonpath='{.spec.observedConfig.servingInfo.cipherSuites}' | jq
[
  "TLS_AES_128_GCM_SHA256",
  "TLS_AES_256_GCM_SHA384",
  "TLS_CHACHA20_POLY1305_SHA256",
  "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
  "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
]
Checked the pods: no pod uses the insecure ciphers, and the pods' cipher suites are the same as those in kubeapiserver.
$ oc -n openshift-monitoring get po -oyaml | grep -E "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256|TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256|TLS_RSA_WITH_AES_128_GCM_SHA256|TLS_RSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_128_CBC_SHA|TLS_RSA_WITH_AES_256_CBC_SHA"
no result
$ oc -n openshift-monitoring get po prometheus-k8s-0 -oyaml
- --tls-cipher-suites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Version-Release number of selected component (if applicable):
4.18+
How reproducible:
always
Steps to Reproduce:
1. check CMO logs
Actual results:
Use of insecure cipher warning info in CMO logs
Expected results:
no warning
Additional info:
# oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.18.0-0.nightly-2025-07-07-070117   True        False         140m    Cluster version is 4.18.0-0.nightly-2025-07-07-070117

# oc -n openshift-monitoring logs deploy/cluster-monitoring-operator | grep "insecure cipher"
W0708 06:47:13.803305 1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256' detected.
W0708 06:47:13.803337 1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256' detected.
W0708 06:47:13.803377 1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_128_GCM_SHA256' detected.
W0708 06:47:13.803403 1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_256_GCM_SHA384' detected.
W0708 06:47:13.803429 1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_128_CBC_SHA' detected.
W0708 06:47:13.808797 1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_256_CBC_SHA' detected.

$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.19.0-0.nightly-2025-07-02-143253   True        True          52m     Cluster version is 4.19.0-0.nightly-2025-07-02-143253

$ oc -n openshift-monitoring logs deploy/cluster-monitoring-operator | grep "insecure cipher"
W0708 08:58:46.867671 1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256' detected.
W0708 08:58:46.868754 1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256' detected.
W0708 08:58:46.868787 1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_128_GCM_SHA256' detected.
W0708 08:58:46.868812 1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_256_GCM_SHA384' detected.
W0708 08:58:46.868829 1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_128_CBC_SHA' detected.
W0708 08:58:46.868844 1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_256_CBC_SHA' detected.
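
The comparison this report makes by hand, as an added example that is not part of the original report or of CMO's code: it extracts the cipher names from the warning lines, checks them against the `--tls-cipher-suites` value shown for prometheus-k8s-0, and checks that configured list against Go's `crypto/tls.InsecureCipherSuites()`. The names `compare`, `cmoLog` and `podArg` are assumptions; the inputs are copied from the 4.20 output quoted in the description.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"regexp"
	"strings"
)

// Inputs copied from the command output quoted in the report (4.20 nightly).
const cmoLog = `W0708 09:07:36.461485 1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256' detected.
W0708 09:07:36.461517 1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256' detected.
W0708 09:07:36.461525 1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_128_GCM_SHA256' detected.
W0708 09:07:36.461529 1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_256_GCM_SHA384' detected.
W0708 09:07:36.461535 1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_128_CBC_SHA' detected.
W0708 09:07:36.461548 1 secure_serving.go:69] Use of insecure cipher 'TLS_RSA_WITH_AES_256_CBC_SHA' detected.`
const podArg = "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"

var warnRe = regexp.MustCompile(`Use of insecure cipher '([A-Z0-9_]+)' detected`)

// compare returns the warned ciphers absent from the configured list (stray) and the
// configured ciphers that this Go toolchain's crypto/tls marks insecure (weak).
func compare(log, list string) (stray, weak []string) {
	insecure, conf, seen := map[string]bool{}, map[string]bool{}, map[string]bool{}
	for _, cs := range tls.InsecureCipherSuites() {
		insecure[cs.Name] = true
	}
	for _, n := range strings.Split(list, ",") {
		conf[n] = true
		if insecure[n] {
			weak = append(weak, n)
		}
	}
	for _, m := range warnRe.FindAllStringSubmatch(log, -1) {
		if !conf[m[1]] && !seen[m[1]] {
			seen[m[1]] = true // report each warned cipher once, even if logged repeatedly
			stray = append(stray, m[1])
		}
	}
	return stray, weak
}

func main() {
	stray, weak := compare(cmoLog, podArg)
	fmt.Println("warned but not configured:", stray)
	fmt.Println("configured and insecure per crypto/tls:", weak)
}
```
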