Bug 1971899 - The ciphers in the TLS profiles for the kubelet, the `oc explain` output don't match the kubelet.conf file
Summary: The ciphers in the TLS profiles for the kubelet, the `oc explain` output don't...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Node
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Target Release: 4.9.0
Assignee: Qi Wang
QA Contact: Weinan Liu
URL:
Whiteboard:
Depends On:
Blocks: 1973873
Reported: 2021-06-14 21:40 UTC by Michael Burke
Modified: 2021-10-18 17:34 UTC
CC: 4 users

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-18 17:34:12 UTC
Target Upstream Version:
Embargoed:




Links

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Github | openshift machine-config-operator pull 2624 | 0 | None | open | Bug 1971899: match tlsSecurityProfile doc with kubelet.conf file | 2021-06-17 16:16:01 UTC |
| Red Hat Product Errata | RHSA-2021:3759 | 0 | None | None | None | 2021-10-18 17:34:38 UTC |

Description Michael Burke 2021-06-14 21:40:39 UTC
Description of problem:

With the new TLS profile for the kubelet, the `oc explain` output doesn't match what is showing up in the kubelet.conf file. 

```
$ oc explain kubeletconfig.spec.tlsSecurityProfile
KIND:     KubeletConfig
VERSION:  machineconfiguration.openshift.io/v1
RESOURCE: tlsSecurityProfile <Object>

<snip>
   intermediate	<>
     intermediate is a TLS security profile based on:
     https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
     and looks like this (yaml):
     ciphers: - TLS_AES_128_GCM_SHA256 - TLS_AES_256_GCM_SHA384 -
     TLS_CHACHA20_POLY1305_SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 -
     ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES256-GCM-SHA384 -
     ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 -
     ECDHE-RSA-CHACHA20-POLY1305 - DHE-RSA-AES128-GCM-SHA256 -
     DHE-RSA-AES256-GCM-SHA384 minTLSVersion: TLSv1.2

<snip>

   old	<>
     old is a TLS security profile based on:
     https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
     and looks like this (yaml):
     ciphers: - TLS_AES_128_GCM_SHA256 - TLS_AES_256_GCM_SHA384 -
     TLS_CHACHA20_POLY1305_SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 -
     ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES256-GCM-SHA384 -
     ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 -
     ECDHE-RSA-CHACHA20-POLY1305 - DHE-RSA-AES128-GCM-SHA256 -
     DHE-RSA-AES256-GCM-SHA384 - DHE-RSA-CHACHA20-POLY1305 -
     ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 -
     ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - ECDHE-ECDSA-AES256-SHA384 -
     ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA -
     DHE-RSA-AES128-SHA256 - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256 -
     AES256-GCM-SHA384 - AES128-SHA256 - AES256-SHA256 - AES128-SHA - AES256-SHA
     - DES-CBC3-SHA minTLSVersion: TLSv1.0

```

kubeletConfig old profile, as reported in the kubelet.conf file:

```
<snip>
  "tlsCipherSuites": [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
  ],
  "tlsMinVersion": "VersionTLS10",
```

18 listed, 29 listed in oc explain


kubeletConfig intermediate profile, as reported in the kubelet.conf file for an affected node:

```
<snip>
tlsMinVersion: VersionTLS12
tlsCipherSuites:
  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
```

6 listed, 11 listed in 

How reproducible:
Always 

Steps to Reproduce:
1. View the oc explain kubeletconfig.spec.tlsSecurityProfile output
2. Configure the old or intermediate TLS profile using a kubeletConfig 
3. cat /etc/kubernetes/kubelet.conf on an affected node, get the list of ciphers

Actual results:
The ciphers listed in the `oc explain` output and the ciphers listed in the kubelet.conf file on the node are different

Expected results:
The ciphers listed in the `oc explain` output and the ciphers listed in the kubelet.conf file on the node match


Additional info:

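The counts in the report (29 documented vs 18 in kubelet.conf for `old`, 11 vs 6 for `intermediate`) fall out of two facts about the kubelet's TLS stack: the `tlsCipherSuites` field takes the IANA-style names Go's `crypto/tls` uses, and Go implements no DHE suites, no `*_AES_256_CBC_SHA384`/`TLS_RSA_WITH_AES_256_CBC_SHA256`, and does not let callers select TLS 1.3 suites at all. The Go program below is an added illustration written for this page, not code from the machine-config-operator or the kubelet. It translates the OpenSSL-spelled profile lists copied from the `oc explain` output above into IANA names with a small parser (`opensslToIANA`, a hypothetical helper) and keeps only those the running Go toolchain can be configured with, so a reviewer can see exactly which documented ciphers can never reach kubelet.conf.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Cipher lists copied from the `oc explain kubeletconfig.spec.tlsSecurityProfile`
// output quoted in this bug (OpenSSL spelling, profile order preserved).
var OldProfileOpenSSL = []string{
	"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
	"ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
	"ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
	"ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
	"DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-CHACHA20-POLY1305",
	"ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
	"ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA",
	"ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384",
	"ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA",
	"DHE-RSA-AES128-SHA256", "DHE-RSA-AES256-SHA256",
	"AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256", "AES256-SHA256",
	"AES128-SHA", "AES256-SHA", "DES-CBC3-SHA",
}

var IntermediateProfileOpenSSL = []string{
	"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
	"ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
	"ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
	"ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
	"DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
}

// opensslToIANA (hypothetical helper) rewrites an OpenSSL cipher name into the
// IANA/RFC form used by Go's crypto/tls and the kubelet's tlsCipherSuites.
// TLS 1.3 names are already IANA names; unrecognised shapes yield "".
func opensslToIANA(name string) string {
	if strings.HasPrefix(name, "TLS_") {
		return name
	}
	parts := strings.Split(name, "-")
	kex := "RSA" // OpenSSL omits the key exchange for plain RSA suites
	if len(parts) >= 3 && (parts[0] == "ECDHE" || parts[0] == "DHE") {
		kex = parts[0] + "_" + parts[1]
		parts = parts[2:]
	}
	aes := func(s string) string { return "AES_" + strings.TrimPrefix(s, "AES") } // AES128 -> AES_128
	var bulk, mac string
	switch {
	case len(parts) == 2 && parts[0] == "CHACHA20" && parts[1] == "POLY1305":
		bulk, mac = "CHACHA20_POLY1305", "SHA256"
	case len(parts) == 3 && parts[0] == "DES" && parts[1] == "CBC3":
		bulk, mac = "3DES_EDE_CBC", parts[2]
	case len(parts) == 3 && strings.HasPrefix(parts[0], "AES") && parts[1] == "GCM":
		bulk, mac = aes(parts[0])+"_GCM", parts[2]
	case len(parts) == 2 && strings.HasPrefix(parts[0], "AES"):
		bulk, mac = aes(parts[0])+"_CBC", parts[1] // no GCM/ChaCha marker means CBC
	default:
		return ""
	}
	return "TLS_" + kex + "_WITH_" + bulk + "_" + mac
}

// goTLS12Suites returns every suite the local Go toolchain implements for
// TLS 1.2 (secure and insecure lists). TLS 1.3-only suites are excluded:
// Go negotiates those itself and ignores tlsCipherSuites for them.
func goTLS12Suites() map[string]bool {
	known := map[string]bool{}
	for _, s := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		for _, v := range s.SupportedVersions {
			if v == tls.VersionTLS12 {
				known[s.Name] = true
			}
		}
	}
	return known
}

// Translation is a profile mapped onto what the kubelet can actually be given.
type Translation struct {
	Supported []string          // IANA names, in profile order
	Dropped   map[string]string // OpenSSL name -> why it has no kubelet equivalent
}

func TranslateProfile(openssl []string) Translation {
	known := goTLS12Suites()
	t := Translation{Dropped: map[string]string{}}
	for _, n := range openssl {
		iana := opensslToIANA(n)
		switch {
		case iana == "":
			t.Dropped[n] = "unrecognised OpenSSL cipher name"
		case strings.HasPrefix(n, "TLS_"):
			t.Dropped[n] = "TLS 1.3 suite, not selectable via tlsCipherSuites"
		case !known[iana]:
			t.Dropped[n] = "not implemented by Go crypto/tls (" + iana + ")"
		default:
			t.Supported = append(t.Supported, iana)
		}
	}
	return t
}

func main() {
	for _, p := range []struct {
		name string
		list []string
	}{{"old", OldProfileOpenSSL}, {"intermediate", IntermediateProfileOpenSSL}} {
		t := TranslateProfile(p.list)
		fmt.Printf("%s: %d documented, %d usable by the kubelet\n", p.name, len(p.list), len(t.Supported))
		for _, n := range p.list {
			if why, ok := t.Dropped[n]; ok {
				fmt.Printf("  dropped %-30s %s\n", n, why)
			}
		}
	}
}
```

Run with `go run .`; the 18 and 6 names it reports as usable are, in order, the lists the reporter captured from kubelet.conf. The converse check is the useful one for a doc fix: any name the operator intends to document should round-trip through this filter, otherwise it is a cipher the kubelet silently cannot offer.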
Comment 6 errata-xmlrpc 2021-10-18 17:34:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759

