Bug 2002759 - Custom profile should not allow not including at least one required HTTP2 ciphersuite
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 4.9
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.10.0
Assignee: Damien Grisonnet
QA Contact: Ke Wang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-09-09 16:07 UTC by Pablo Alonso Rodriguez
Modified: 2022-03-12 04:38 UTC

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-03-12 04:38:07 UTC
Target Upstream Version:
Embargoed:

Links:
Github openshift/kubernetes pull 1022 (open): Bug 2002759: UPSTREAM: <carry>: verify required http2 cipher suites (last updated 2021-10-27 15:43:05 UTC)
Red Hat Product Errata RHSA-2022:0056 (last updated 2022-03-12 04:38:28 UTC)

Description Pablo Alonso Rodriguez 2021-09-09 16:07:26 UTC
Description of problem:

If a user places a TLS configuration without TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ciphersuites, then many components including kube-apiserver and kube-controller-manager go degraded with an error message like this:

Error: error configuring http2: http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher (need at least one of TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)

If those ciphersuites are actually required, any custom profile must be validated so that it includes at least one of them, not start reconfiguring every component in a way that is going to doom it.


Version-Release number of selected component (if applicable):

4.9.0-rc.0

How reproducible:

Always

Steps to Reproduce:
1. Set a custom TLS profile like this:

  spec:
    audit:
      profile: Default
    tlsSecurityProfile:
      custom:
        ciphers:
        - ECDHE-ECDSA-AES256-GCM-SHA384
        - ECDHE-RSA-AES256-GCM-SHA384
        - ECDHE-ECDSA-CHACHA20-POLY1305
        - ECDHE-RSA-CHACHA20-POLY1305
        minTLSVersion: VersionTLS12
      type: Custom


Actual results:

Components are reconfigured and degrade


Expected results:

An admission controller to reject the custom TLS profile.

Additional info:

Comment 1 Stefan Schimanski 2021-09-20 08:16:14 UTC
Is this fatal for the cluster or operators just go degraded?

Comment 2 Pablo Alonso Rodriguez 2021-09-20 08:19:23 UTC
Several clusteroperators degrade in a difficult-to-recover manner. The worst problem is that even after fixing the configuration, many static-pod-based operators (kube-apiserver, etcd...) did not start rolling out a fixed revision but just sat down crying for the erroneous first static pod of the revision with the bad setting.

So although it doesn't immediately knock down a cluster, it can cause a serious failure.

Comment 3 Michal Fojtik 2021-10-23 14:01:59 UTC
This bug hasn't had any activity in the last 30 days. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet. As such, we're marking this bug as "LifecycleStale" and decreasing the severity/priority. If you have further information on the current state of the bug, please update it, otherwise this bug can be closed in about 7 days. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant. Additionally, you can add LifecycleFrozen into Whiteboard if you think this bug should never be marked as stale. Please consult with bug assignee before you do that.

Comment 4 Pablo Alonso Rodriguez 2021-10-25 07:29:18 UTC
This is still a valid bug. Please review properly when possible (if that means later, I understand, bw is limited). However, this kind of automatism only causes some people to waste time fighting it.

Comment 7 Ke Wang 2021-11-08 10:58:37 UTC
$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2021-11-04-001635   True        False         11m     Cluster version is 4.10.0-0.nightly-2021-11-04-001635

$ oc edit apiservers # Add Custom ciphers suite

# Please edit the object below. Lines beginning with a '#' will be ignored,
...
# apiservers.config.openshift.io "cluster" was not valid:
# * spec.tlsSecurityProfile.custom.ciphers: Invalid value: []string{"ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305"}: http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher (need at least one of ECDHE-RSA-AES128-GCM-SHA256 or ECDHE-ECDSA-AES128-GCM-SHA256)
#
apiVersion: config.openshift.io/v1
kind: APIServer
...
spec:
  audit:
    profile: Default
  tlsSecurityProfile:
    custom:
      ciphers:
      - ECDHE-ECDSA-AES256-GCM-SHA384
      - ECDHE-RSA-AES256-GCM-SHA384
      - ECDHE-ECDSA-CHACHA20-POLY1305
      - ECDHE-RSA-CHACHA20-POLY1305
      minTLSVersion: VersionTLS12
    type: Custom

We can see the above error message shown for the invalid cipher suite. After the correct value was set, it saved without any errors. The PR fix works as expected, so moving the bug to VERIFIED.
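
The validation that the description asks for and that Comment 7 verifies, written here as an added example; it is not the code from the linked PR (openshift/kubernetes pull 1022) or the OpenShift API server, but it mirrors the check Go's net/http2 ConfigureServer performs and produces the same error text. The CustomProfile struct, the OpenSSL-to-IANA name table (only the suites that appear in this bug) and the sample profiles are constructed for this example; a production validator carries the full mapping.

```go
package main

import (
	"fmt"
	"strings"
)

// CustomProfile mirrors spec.tlsSecurityProfile.custom from the bug report.
// It is a hypothetical struct for this example, not the OpenShift API type.
type CustomProfile struct {
	Ciphers       []string
	MinTLSVersion string
}

// openSSLToIANA translates the OpenSSL-style names accepted by the profile
// into the IANA names that Go's crypto/tls uses. Constructed subset: only the
// suites mentioned in this bug are listed.
var openSSLToIANA = map[string]string{
	"ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-RSA-AES128-GCM-SHA256":   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"ECDHE-ECDSA-AES256-GCM-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
	"ECDHE-RSA-AES256-GCM-SHA384":   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"ECDHE-ECDSA-CHACHA20-POLY1305": "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
	"ECDHE-RSA-CHACHA20-POLY1305":   "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

// requiredHTTP2Suites: RFC 7540 section 9.2.2 makes the RSA suite mandatory
// to implement; Go's http2 package also accepts the ECDSA variant so that
// ECDSA-only servers are not excluded. At least one must be configured.
var requiredHTTP2Suites = []string{
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
}

// toIANA converts a profile's cipher list to IANA names, rejecting names the
// table does not know so a typo cannot silently shrink the suite list.
func toIANA(ciphers []string) ([]string, error) {
	out := make([]string, 0, len(ciphers))
	for _, c := range ciphers {
		iana, ok := openSSLToIANA[c]
		if !ok {
			return nil, fmt.Errorf("unknown cipher %q", c)
		}
		out = append(out, iana)
	}
	return out, nil
}

// ValidateHTTP2Ciphers is the admission-time check: it returns nil when the
// profile would be accepted by http2.ConfigureServer and an error otherwise,
// so the object is rejected before any component is reconfigured with it.
func ValidateHTTP2Ciphers(p CustomProfile) error {
	// With TLS 1.3 as the minimum the TLS 1.2 cipher list is never consulted
	// and Go's http2 package skips this check (assumption: the profile's
	// minTLSVersion maps straight onto tls.Config.MinVersion).
	if p.MinTLSVersion == "VersionTLS13" {
		return nil
	}
	suites, err := toIANA(p.Ciphers)
	if err != nil {
		return fmt.Errorf("spec.tlsSecurityProfile.custom.ciphers: %w", err)
	}
	for _, s := range suites {
		for _, req := range requiredHTTP2Suites {
			if s == req {
				return nil
			}
		}
	}
	return fmt.Errorf("spec.tlsSecurityProfile.custom.ciphers: invalid value %q: "+
		"http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher "+
		"(need at least one of %s)", p.Ciphers, strings.Join(requiredHTTP2Suites, " or "))
}

func main() {
	// Constructed from the profile in the bug report: no AES-128-GCM suite.
	bad := CustomProfile{
		Ciphers: []string{
			"ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
			"ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
		},
		MinTLSVersion: "VersionTLS12",
	}
	// The same list with one required suite added, as Comment 7 did to get it saved.
	fixed := CustomProfile{
		Ciphers:       append(append([]string{}, bad.Ciphers...), "ECDHE-RSA-AES128-GCM-SHA256"),
		MinTLSVersion: "VersionTLS12",
	}
	for _, p := range []CustomProfile{bad, fixed} {
		if err := ValidateHTTP2Ciphers(p); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted:", p.Ciphers)
		}
	}
}
```

Running it rejects the four-suite list with the message shown in the oc edit output and accepts the list once ECDHE-RSA-AES128-GCM-SHA256 is present. Returning the error at admission, rather than letting kube-apiserver and kube-controller-manager fail at startup, is the whole point: a profile that can never serve HTTP/2 should not reach a static-pod revision.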

Comment 10 errata-xmlrpc 2022-03-12 04:38:07 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056