Uploaded image for project: 'OpenShift Storage'
  1. OpenShift Storage
  2. STOR-1453

TLSSecurityProfile setting for Kube RBAC cipher suites

XMLWordPrintable

    • TLSSecurityProfile setting for Kube RBAC cipher suites
    • BU Product Work
    • 2
    • False
    • None
    • False
    • Storage
    • Green
    • To Do
    • OCPSTRAT-983 - Cluster-wide cryptographic policies
    • 0% To Do, 0% In Progress, 100% Done
    • S

      Epic Goal*

      There was an epic / enhancement to create a cluster-wide TLS config that applies to all OpenShift components:

      https://issues.redhat.com/browse/OCPPLAN-4379
      https://github.com/openshift/enhancements/blob/master/enhancements/kube-apiserver/tls-config.md

      For example, this is how KCM sets --tls-cipher-suites and --tls-min-version based on the observed config:

      https://issues.redhat.com/browse/WRKLDS-252
      https://github.com/openshift/cluster-kube-controller-manager-operator/pull/506/files

      The cluster admin can change the config based on their risk profile, but if they don't change anything, there is a reasonable default.

      We should update all CSI driver operators to use this config. Right now we have a hard-coded cipher list in library-go. See OCPBUGS-2083 and OCPBUGS-4347 for background context.

       
      Why is this important? (mandatory)

      This will keep the cipher list consistent across many OpenShift components. If the default list is changed, we get that change "for free".

      It will reduce support calls from customers and backport requests when the recommended defaults change.

      It will provide flexibility to the customer, since they can set their own TLS profile settings without requiring code change for each component.

       
      Scenarios (mandatory) 

      As a cluster admin, I want to use TLSSecurityProfile to control the cipher list and minimum TLS version for all CSI driver operator sidecars, so that I can adjust the settings based on my own risk assessment.

       
      Dependencies (internal and external) (mandatory)

      None, the changes we depend on were already implemented.

       

      Contributing Teams(and contacts) (mandatory) 

      Our expectation is that teams would modify the list below to fit the epic. Some epics may not need all the default groups but what is included here should accurately reflect who will be involved in delivering the epic.

      • Development - 
      • Documentation - 
      • QE - 
      • PX - 
      • Others -

      Acceptance Criteria (optional)

      Provide some (testable) examples of how we will know if we have achieved the epic goal.  

      Drawbacks or Risk (optional)

      Reasons we should consider NOT doing this such as: limited audience for the feature, feature will be superseded by other work that is planned, resulting feature will introduce substantial administrative complexity or user confusion, etc.

      Done - Checklist (mandatory)

      The following points apply to all epics and are what the OpenShift team believes are the minimum set of criteria that epics should meet for us to consider them potentially shippable. We request that epic owners modify this list to reflect the work to be completed in order to produce something that is potentially shippable.

      • CI Testing -  Basic e2e automationTests are merged and completing successfully
      • Documentation - Content development is complete.
      • QE - Test scenarios are written and executed successfully.
      • Technical Enablement - Slides are complete (if requested by PLM)
      • Engineering Stories Merged
      • All associated work items with the Epic are closed
      • Epic status should be "Release Pending" 

              jdobson@redhat.com Jonathan Dobson
              jdobson@redhat.com Jonathan Dobson
              Wei Duan Wei Duan
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated:
                Resolved:

                  Estimated:
                  Original Estimate - 2 weeks
                  2w
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 1 week Time Not Required
                  1w