  1. OpenShift Request For Enhancement
  2. RFE-3338

Allow user to choose etcd encryption cipher


Details

    • Feature Request
    • Resolution: Done
    • Blocker
    • API
    • Etcd

    Description

      1. Proposed title of this feature request
      Allow user to choose etcd encryption cipher

      2. What is the nature and description of the request?

      Extend the list of supported ciphers in OCP, and allow the customer to pick and choose from it to encrypt etcd.

      Currently the customer is stuck with AES-CBC, which the Kubernetes documentation does not consider secure.

      3. Why does the customer need this? (List the business requirements here)

      Currently OCP only allows etcd to be encrypted using the AES-CBC cipher, which the Kubernetes documentation has recently recommended against: "encryption with aescbc is not recommended due to CBC's vulnerability to padding oracle attacks."

      4. List any affected packages or components.

      OCP

       


      Note that this RFE has been opened with a broad scope: either decide to support the same ciphers vanilla K8s supports, or have the team pick and choose which of those it wants to provide as options in OCP.

       

          People

            anachand Anandnatraj Chandramohan (Inactive)
            rh-ee-masimonm Maria Simon Marcos