OpenShift Container Platform (OCP) Strategy
OCPSTRAT-769

Universally configurable TLS Cipher list


      Feature Overview (aka. Goal Summary)  

      An elevator pitch (value statement) that describes the Feature in a clear, concise way.  Complete during New status.

      There are currently 3 places where you can configure TLS profiles in OCP: Ingress Controller, Control Plane, or Kubelet.

      This feature aims to provide consistent TLS configuration to all OpenShift components and to ensure that the profiles defined in the above-mentioned locations are strictly enforced: all OpenShift components (core or layered products) honor the configured profiles and nothing else.

      Context: when using a custom TLS profile (e.g. TLS 1.2 with ECDHE-RSA-CHACHA20-POLY1305 removed), customers reported that the disabled cipher is still honored on several ports, meaning our TLS profile is not consistently enforced. So far we have addressed each of these reports as a bug, fixing them one by one. The proper approach is to define a single source of truth (or two: there is a case to be made for keeping the ingress TLS profile separate from the apiserver and kubelet profile) and to have all OCP components query that source of truth whenever they configure TLS.

      Example of these bugs:

      https://issues.redhat.com/browse/OCPBUGS-17008
      https://issues.redhat.com/browse/OCPBUGS-17007
      https://issues.redhat.com/browse/OCPBUGS-17006 

      We could solve this by changing the list of ciphers each of those components uses, but there is value in:
      1) centralizing the list so the components stay in sync going forward
      2) allowing administrators to control the list

      If we do not prioritize and pursue this Feature, we will need to address these product bugs independently anyway:
      https://issues.redhat.com/browse/OCPBUGS-17008
      https://issues.redhat.com/browse/OCPBUGS-17007
      https://issues.redhat.com/browse/OCPBUGS-17006 

      It is not currently clear how urgent those bugs are, so it is not clear whether we can wait for this feature to be delivered in a future release or whether we need to backport fixes (which would rule out a feature-based solution).

      If this Feature is the only work we need to do in this space, it should be prioritized highly so we can avoid doing other work for the bugs in question. If we are going to have to do something tactical to fix the bugs in the short term, with a solution we can backport to older releases, then this Feature becomes lower priority.
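One way to check whether a configured profile is actually enforced on a given port, as an added example that is not part of this Jira issue or of OpenShift's own code: it starts an in-process TLS 1.2 endpoint that offers only the suites in the profile (httptest's built-in self-signed certificate stands in for a component), then attempts a handshake offering only the suite the profile removed. The names StartServer and CipherAccepted are assumptions for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// StartServer runs an in-process TLS 1.2 endpoint offering exactly the given suites,
// standing in for a component whose profile should exclude every other suite.
// It uses httptest's built-in self-signed RSA certificate, not a cluster certificate.
func StartServer(ciphers []uint16) (addr string, stop func()) {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
		CipherSuites: ciphers} // the profile this endpoint is meant to enforce
	srv.StartTLS()
	return srv.Listener.Addr().String(), srv.Close
}

// CipherAccepted reports whether addr completes a TLS 1.2 handshake when the client
// offers only one suite. A failed handshake means the suite is not offered on that
// port; only failure to reach the port is returned as an error.
func CipherAccepted(addr string, suite uint16) (bool, error) {
	raw, err := net.DialTimeout("tcp", addr, 3*time.Second)
	if err != nil {
		return false, err
	}
	defer raw.Close()
	// Verification is skipped: only the negotiated suite matters here, and the
	// offline target presents a self-signed certificate.
	c := tls.Client(raw, &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS12,
		MaxVersion: tls.VersionTLS12, CipherSuites: []uint16{suite}})
	return c.Handshake() == nil, nil
}

func main() {
	// Profile under test: AES-GCM only; CHACHA20 is the suite the profile removed.
	addr, stop := StartServer([]uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256})
	defer stop()
	for _, s := range []uint16{tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256} {
		ok, err := CipherAccepted(addr, s)
		fmt.Printf("%-40s accepted=%v err=%v\n", tls.CipherSuiteName(s), ok, err)
	}
}
```

Pointing CipherAccepted at a real component port with the list of suites the profile removed reports any port where a removed suite is still negotiable.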
       

      Goals (aka. expected user outcomes)

      The observable functionality that the user now has as a result of receiving this feature. Complete during New status.

      All core components that provide TLS endpoints only offer strong ciphers.

      An administrator can override the list of ciphers that TLS endpoints offer, and all components respect this configuration.
       

      Requirements (aka. Acceptance Criteria):

      A list of specific needs or objectives that a feature must deliver in order to be considered complete.  Be sure to include nonfunctional requirements such as security, reliability, performance, maintainability, scalability, usability, etc.  Initial completion during Refinement status.

      Same as goals:
      All core components that provide TLS endpoints only offer strong ciphers, resulting in resolution of these bugs:
      https://issues.redhat.com/browse/OCPBUGS-17008
      https://issues.redhat.com/browse/OCPBUGS-17007
      https://issues.redhat.com/browse/OCPBUGS-17006 

      An administrator can override the list of ciphers that TLS endpoints offer, and all components respect this configuration.

      As part of this we need to decide whether it must be possible to configure different sets of ciphers for different connections, specifically "internal", "external", and "infra" connections.

      Examples:
      infra - Prometheus endpoints
      internal - cluster services
      external - external apiserver connection, routes

      Use Cases (Optional):

      Include use case diagrams, main success scenarios, alternative flow scenarios.  Initial completion during Refinement status.

       

      Questions to Answer (Optional):

      Include a list of refinement / architectural questions that may need to be answered before coding can begin.  Initial completion during Refinement status.

       

      Out of Scope

      High-level list of items that are out of scope.  Initial completion during Refinement status.

       

      Background

      Provide any additional context that is needed to frame the feature.  Initial completion during Refinement status.

      Originally came up as bugs against some existing components that allow the use of older/weak ciphers:
      https://issues.redhat.com/browse/OCPBUGS-17008
      https://issues.redhat.com/browse/OCPBUGS-17007
      https://issues.redhat.com/browse/OCPBUGS-17006 

       

      Customer Considerations

      Provide any additional customer-specific considerations that must be made when designing and delivering the Feature.  Initial completion during Refinement status.

       

      Documentation Considerations

      Provide information that needs to be considered and planned so that documentation will meet customer needs.  Initial completion during Refinement status.

       

      Interoperability Considerations

      Which other projects and versions in our portfolio does this feature impact?  What interoperability test scenarios should be factored by the layered products?  Initial completion during Refinement status.

              JP Jung (jjung@redhat.com)
              Ben Parees (bparees@redhat.com)
              Joe Lanford
              Ashish Humbe