Bug 2041581
| Summary: | KubeDescheduler operator log shows "Use of insecure cipher detected" | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | RamaKasturi <knarra> |
| Component: | kube-scheduler | Assignee: | Jan Chaloupka <jchaloup> |
| Status: | CLOSED ERRATA | QA Contact: | RamaKasturi <knarra> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 4.10 | CC: | aos-bugs, mfojtik |
| Target Milestone: | --- | | |
| Target Release: | 4.10.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-03-10 16:40:08 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
RamaKasturi
2022-01-17 18:16:49 UTC
Verified with the build below and I see that the fix is working as expected.
```console
[knarra@knarra verification-tests]$ oc get clusterversion
NAME      VERSION       AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-fc.2   True        False         10h     Cluster version is 4.10.0-fc.2
[knarra@knarra verification-tests]$ oc get csv -n openshift-kube-descheduler-operator
NAME                                                 DISPLAY                     VERSION                REPLACES   PHASE
clusterkubedescheduleroperator.4.10.0-202201210120   Kube Descheduler Operator   4.10.0-202201210120               Succeeded
```
By default the descheduler comes with the below --tls flags:
===============================================================
```console
[knarra@knarra verification-tests]$ oc get pod cluster-5cddcc44f9-wchzs -o yaml -n openshift-kube-descheduler-operator
apiVersion: v1
kind: Pod
metadata:
  annotations:
    k8s.v1.cni.cncf.io/network-status: |-
      [{
          "name": "openshift-sdn",
          "interface": "eth0",
          "ips": [
              "10.129.2.12"
          ],
          "default": true,
          "dns": {}
      }]
    k8s.v1.cni.cncf.io/networks-status: |-
      [{
          "name": "openshift-sdn",
          "interface": "eth0",
          "ips": [
              "10.129.2.12"
          ],
          "default": true,
          "dns": {}
      }]
    kubectl.kubernetes.io/default-container: openshift-descheduler
    openshift.io/scc: restricted
    operator.openshift.io/force: bb4fdc75-87f1-47fe-a594-0d3bb5f4a79d
  creationTimestamp: "2022-01-21T16:51:50Z"
  generateName: cluster-5cddcc44f9-
  labels:
    app: descheduler
    pod-template-hash: 5cddcc44f9
  name: cluster-5cddcc44f9-wchzs
  namespace: openshift-kube-descheduler-operator
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: ReplicaSet
    name: cluster-5cddcc44f9
    uid: b0021697-ef13-4622-ab30-8bc68da5c39d
  resourceVersion: "194528"
  uid: 63d254d5-1d0b-45a0-b105-b5c68640f381
spec:
  containers:
  - args:
    - --policy-config-file=/policy-dir/policy.yaml
    - --v=2
    - --logging-format=text
    - --tls-cert-file=/certs-dir/tls.crt
    - --tls-private-key-file=/certs-dir/tls.key
    - --descheduling-interval=3600s
    - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    - --tls-min-version=VersionTLS12
```
descheduler operator log:
==============================
```text
I0121 16:51:44.941349 1 event.go:285] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-kube-descheduler-operator", Name:"descheduler-operator", UID:"65b60839-ca23-4016-9b49-fbfc49c8bd90", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'ObserveTLSSecurityProfile' minTLSVersion changed to VersionTLS12
I0121 16:51:44.941371 1 event.go:285] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-kube-descheduler-operator", Name:"descheduler-operator", UID:"65b60839-ca23-4016-9b49-fbfc49c8bd90", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'ObserveTLSSecurityProfile' cipherSuites changed to ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"]
I0121 16:51:44.941381 1 event.go:285] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-kube-descheduler-operator", Name:"descheduler-operator", UID:"65b60839-ca23-4016-9b49-fbfc49c8bd90", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'ObservedConfigChanged' Writing updated observed config: map[string]interface{}{
+   "servingInfo": map[string]interface{}{
+       "cipherSuites": []interface{}{
+           string("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
+           string("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
+           string("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"),
+           string("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"),
+           string("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"),
+           string("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"),
+       },
+       "minTLSVersion": string("VersionTLS12"),
+   },
  }
```
Change the profile to custom in apiserver and verify that it is reflected for descheduler:
============================================================================================
```console
[knarra@knarra verification-tests]$ oc get pod cluster-7c9c8f4d4d-kgq44 -o yaml -n openshift-kube-descheduler-operator
apiVersion: v1
kind: Pod
metadata:
  annotations:
    k8s.v1.cni.cncf.io/network-status: |-
      [{
          "name": "openshift-sdn",
          "interface": "eth0",
          "ips": [
              "10.128.2.58"
          ],
          "default": true,
          "dns": {}
      }]
    k8s.v1.cni.cncf.io/networks-status: |-
      [{
          "name": "openshift-sdn",
          "interface": "eth0",
          "ips": [
              "10.128.2.58"
          ],
          "default": true,
          "dns": {}
      }]
    kubectl.kubernetes.io/default-container: openshift-descheduler
    openshift.io/scc: restricted
    operator.openshift.io/force: f6c1082b-7ffd-4e98-aa66-e0043fdedb74
  creationTimestamp: "2022-01-21T17:23:15Z"
  generateName: cluster-7c9c8f4d4d-
  labels:
    app: descheduler
    pod-template-hash: 7c9c8f4d4d
  name: cluster-7c9c8f4d4d-kgq44
  namespace: openshift-kube-descheduler-operator
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: ReplicaSet
    name: cluster-7c9c8f4d4d
    uid: 91c4ef4a-60ee-41e2-a3bb-634aeb6e0edf
  resourceVersion: "204717"
  uid: 4c019d03-4ba7-4895-b5f7-fda33be498ad
spec:
  containers:
  - args:
    - --policy-config-file=/policy-dir/policy.yaml
    - --v=2
    - --logging-format=text
    - --tls-cert-file=/certs-dir/tls.crt
    - --tls-private-key-file=/certs-dir/tls.key
    - --descheduling-interval=3600s
    - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - --tls-min-version=VersionTLS11
    - -v=2
```
kubedescheduler operator logs:
==================================
```text
I0121 17:23:14.924187 1 event.go:285] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-kube-descheduler-operator", Name:"descheduler-operator", UID:"65b60839-ca23-4016-9b49-fbfc49c8bd90", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'ObserveTLSSecurityProfile' cipherSuites changed to ["TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"]
I0121 17:23:14.924328 1 event.go:285] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-kube-descheduler-operator", Name:"descheduler-operator", UID:"65b60839-ca23-4016-9b49-fbfc49c8bd90", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'ObservedConfigChanged' Writing updated observed config: map[string]interface{}{
    "servingInfo": map[string]interface{}{
        "cipherSuites": []interface{}{
-           string("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
-           string("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
-           string("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"),
-           string("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"),
            string("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"),
            string("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"),
+           string("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
+           string("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
        },
-       "minTLSVersion": string("VersionTLS12"),
+       "minTLSVersion": string("VersionTLS11"),
    },
  }
```
Change the profile to old in apiserver and verify that it is reflected for descheduler:
============================================================================================
```console
[knarra@knarra verification-tests]$ oc get pod cluster-6578c576d7-qms2k -o yaml -n openshift-kube-descheduler-operator
apiVersion: v1
kind: Pod
metadata:
  annotations:
    k8s.v1.cni.cncf.io/network-status: |-
      [{
          "name": "openshift-sdn",
          "interface": "eth0",
          "ips": [
              "10.129.2.20"
          ],
          "default": true,
          "dns": {}
      }]
    k8s.v1.cni.cncf.io/networks-status: |-
      [{
          "name": "openshift-sdn",
          "interface": "eth0",
          "ips": [
              "10.129.2.20"
          ],
          "default": true,
          "dns": {}
      }]
    kubectl.kubernetes.io/default-container: openshift-descheduler
    openshift.io/scc: restricted
    operator.openshift.io/force: 5d2157eb-fa03-4fc4-82c3-9daefc66d6dc
  creationTimestamp: "2022-01-21T17:29:53Z"
  generateName: cluster-6578c576d7-
  labels:
    app: descheduler
    pod-template-hash: 6578c576d7
  name: cluster-6578c576d7-qms2k
  namespace: openshift-kube-descheduler-operator
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: ReplicaSet
    name: cluster-6578c576d7
    uid: 5d651028-99e6-4a83-be23-fd2d6b1a1955
  resourceVersion: "210508"
  uid: 2e8f2bee-97c9-4174-a176-0acb60bcdbe5
spec:
  containers:
  - args:
    - --policy-config-file=/policy-dir/policy.yaml
    - --v=2
    - --logging-format=text
    - --tls-cert-file=/certs-dir/tls.crt
    - --tls-private-key-file=/certs-dir/tls.key
    - --descheduling-interval=3600s
    - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA
    - --tls-min-version=VersionTLS10
    - -v=2
    command:
    - /bin/descheduler
```
kubedescheduler operator logs:
================================
```text
I0121 17:29:53.233584 1 event.go:285] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-kube-descheduler-operator", Name:"descheduler-operator", UID:"65b60839-ca23-4016-9b49-fbfc49c8bd90", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'ObserveTLSSecurityProfile' cipherSuites changed to ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" "TLS_RSA_WITH_AES_128_GCM_SHA256" "TLS_RSA_WITH_AES_256_GCM_SHA384" "TLS_RSA_WITH_AES_128_CBC_SHA256" "TLS_RSA_WITH_AES_128_CBC_SHA" "TLS_RSA_WITH_AES_256_CBC_SHA" "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
I0121 17:29:53.233593 1 event.go:285] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-kube-descheduler-operator", Name:"descheduler-operator", UID:"65b60839-ca23-4016-9b49-fbfc49c8bd90", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'ObservedConfigChanged' Writing updated observed config: map[string]interface{}{
    "servingInfo": map[string]interface{}{
        "cipherSuites": []interface{}{
-           string("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"),
+           string("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
-           string("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"),
            string("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
-           string("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
+           string("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"),
+           string("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"),
+           string("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"),
+           string("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"),
+           string("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"),
+           string("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"),
+           string("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"),
+           string("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"),
+           string("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"),
+           string("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"),
+           string("TLS_RSA_WITH_AES_128_GCM_SHA256"),
+           string("TLS_RSA_WITH_AES_256_GCM_SHA384"),
+           string("TLS_RSA_WITH_AES_128_CBC_SHA256"),
+           string("TLS_RSA_WITH_AES_128_CBC_SHA"),
+           string("TLS_RSA_WITH_AES_256_CBC_SHA"),
+           string("TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
        },
-       "minTLSVersion": string("VersionTLS11"),
+       "minTLSVersion": string("VersionTLS10"),
    },
  }
```
Based on the above, moving the bug to the verified state.
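An added example, not code from this bug or from the kube-descheduler operator: a small Go program that takes the container args shown in the pod specs above and classifies each `--tls-cipher-suites` entry with the Go runtime's own `crypto/tls` tables, so an administrator can see which entries of a Custom or Old profile Go marks insecure and whether `--tls-min-version` drops below TLS 1.2. The flag names and sample values are taken from the pod specs above; that the warning in the bug title is driven by the same `tls.InsecureCipherSuites()` list is my assumption.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)
// TLSAudit summarises the TLS flags the operator rendered into one container.
type TLSAudit struct {
	MinVersion string   // raw --tls-min-version value, e.g. "VersionTLS10"
	BelowTLS12 bool     // true for VersionTLS10 and VersionTLS11
	Insecure   []string // suites this Go runtime lists in tls.InsecureCipherSuites()
	Unknown    []string // names this Go runtime does not know at all
}
// suiteTable maps each cipher-suite name known to crypto/tls to its Insecure
// flag (RC4 and CBC_SHA256 suites always; 3DES too on newer Go releases).
func suiteTable() map[string]bool {
	t := make(map[string]bool)
	for _, s := range tls.CipherSuites() {
		t[s.Name] = false
	}
	for _, s := range tls.InsecureCipherSuites() {
		t[s.Name] = true
	}
	return t
}
// AuditArgs inspects a container's args as printed by `oc get pod -o yaml`.
func AuditArgs(args []string) TLSAudit {
	a, table := TLSAudit{}, suiteTable()
	for _, arg := range args {
		switch {
		case strings.HasPrefix(arg, "--tls-cipher-suites="):
			for _, name := range strings.Split(strings.TrimPrefix(arg, "--tls-cipher-suites="), ",") {
				if insecure, ok := table[name]; !ok {
					a.Unknown = append(a.Unknown, name)
				} else if insecure {
					a.Insecure = append(a.Insecure, name)
				}
			}
		case strings.HasPrefix(arg, "--tls-min-version="):
			a.MinVersion = strings.TrimPrefix(arg, "--tls-min-version=")
			a.BelowTLS12 = a.MinVersion == "VersionTLS10" || a.MinVersion == "VersionTLS11"
		}
	}
	return a
}

func main() { // constructed sample: three of the args the bug shows for the Old profile
	fmt.Printf("%+v\n", AuditArgs([]string{"--tls-min-version=VersionTLS10",
		"--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_3DES_EDE_CBC_SHA"}))
}
```

Whether TLS_RSA_WITH_3DES_EDE_CBC_SHA lands in Insecure depends on the Go release the binary was built with, which is why the audit reads the runtime's tables instead of hard-coding a list.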
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056