Description of problem:
If a user places a TLS configuration without TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ciphersuites, then many components including kube-apiserver and kube-controller-manager go degraded with an error message like this:

  Error: error configuring http2: http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher (need at least one of TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)

If those ciphersuites are actually required, any custom profile must be validated so that it includes at least one of them, not start reconfiguring every component in a way that is going to doom it.

Version-Release number of selected component (if applicable):
4.9.0-rc.0

How reproducible:
Always

Steps to Reproduce:
1. Set a custom TLS profile like this:

  spec:
    audit:
      profile: Default
    tlsSecurityProfile:
      custom:
        ciphers:
        - ECDHE-ECDSA-AES256-GCM-SHA384
        - ECDHE-RSA-AES256-GCM-SHA384
        - ECDHE-ECDSA-CHACHA20-POLY1305
        - ECDHE-RSA-CHACHA20-POLY1305
        minTLSVersion: VersionTLS12
      type: Custom

Actual results:
Components are reconfigured and degrade

Expected results:
An admission controller to reject the custom TLS profile.

Additional info:
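As an added illustration of the validation this report asks for (example code written here, not from OpenShift or Kubernetes): a Go check that maps the OpenSSL-style cipher names used in tlsSecurityProfile to crypto/tls suite IDs and rejects a list that lacks an HTTP/2-required AES_128_GCM_SHA256 suite, the same condition Go's HTTP/2 server enforces at startup. The name table is constructed for the example and covers only the suites it needs.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
)

// opensslToGo maps OpenSSL-style names (as written in the OpenShift profile)
// to Go crypto/tls suite IDs. Constructed for this example; not exhaustive.
var opensslToGo = map[string]uint16{
	"ECDHE-ECDSA-AES128-GCM-SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	"ECDHE-RSA-AES128-GCM-SHA256":   tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	"ECDHE-ECDSA-AES256-GCM-SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	"ECDHE-RSA-AES256-GCM-SHA384":   tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	"ECDHE-ECDSA-CHACHA20-POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
	"ECDHE-RSA-CHACHA20-POLY1305":   tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
}

// http2Required lists the suites of which Go's HTTP/2 server needs at least one.
var http2Required = map[uint16]bool{
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:   true,
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: true,
}

// ValidateCustomCiphers rejects a profile up front, so that no component is ever
// rolled out with a TLS config its HTTP/2 server will refuse to start with.
func ValidateCustomCiphers(names []string) error {
	hasHTTP2Suite := false
	for _, n := range names {
		id, ok := opensslToGo[n]
		if !ok {
			return fmt.Errorf("spec.tlsSecurityProfile.custom.ciphers: unknown cipher %q", n)
		}
		if http2Required[id] {
			hasHTTP2Suite = true
		}
	}
	if !hasHTTP2Suite {
		return errors.New("spec.tlsSecurityProfile.custom.ciphers: missing an HTTP/2-required " +
			"AES_128_GCM_SHA256 cipher (need ECDHE-RSA-AES128-GCM-SHA256 or ECDHE-ECDSA-AES128-GCM-SHA256)")
	}
	return nil
}

func main() {
	// The exact list from the bug report: valid TLS, but unusable for HTTP/2.
	profile := []string{"ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
		"ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305"}
	fmt.Println("rejected:", ValidateCustomCiphers(profile))
	fmt.Println("accepted:", ValidateCustomCiphers(append(profile, "ECDHE-RSA-AES128-GCM-SHA256")))
}
```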
Is this fatal for the cluster or operators just go degraded?
Several clusteroperators degrade in a difficult-to-recover manner. The worst problem is that even after fixing the configuration, many static-pod-based operators (kube-apiserver, etcd...) did not start rolling out a fixed revision but just sat down crying for the erroneous first static pod of the revision with the bad setting. So although it doesn't immediately knock down a cluster, it can cause a serious failure.
This bug hasn't had any activity in the last 30 days. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet. As such, we're marking this bug as "LifecycleStale" and decreasing the severity/priority. If you have further information on the current state of the bug, please update it, otherwise this bug can be closed in about 7 days. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant. Additionally, you can add LifecycleFrozen into Whiteboard if you think this bug should never be marked as stale. Please consult with bug assignee before you do that.
This is still a valid bug. Please review properly when possible (if that means later, I understand, bw is limited). However, this kind of automatism only causes some people to waste time fighting them.
$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2021-11-04-001635   True        False         11m     Cluster version is 4.10.0-0.nightly-2021-11-04-001635

$ oc edit apiservers
# Add Custom ciphers suite
# Please edit the object below. Lines beginning with a '#' will be ignored,
...
# apiservers.config.openshift.io "cluster" was not valid:
# * spec.tlsSecurityProfile.custom.ciphers: Invalid value: []string{"ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305"}: http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher (need at least one of ECDHE-RSA-AES128-GCM-SHA256 or ECDHE-ECDSA-AES128-GCM-SHA256)
#
apiVersion: config.openshift.io/v1
kind: APIServer
...
spec:
  audit:
    profile: Default
  tlsSecurityProfile:
    custom:
      ciphers:
      - ECDHE-ECDSA-AES256-GCM-SHA384
      - ECDHE-RSA-AES256-GCM-SHA384
      - ECDHE-ECDSA-CHACHA20-POLY1305
      - ECDHE-RSA-CHACHA20-POLY1305
      minTLSVersion: VersionTLS12
    type: Custom

We can see that the above error message shows with an invalid cipher suite. After the correct value was set, it saved without any errors. The PR fix works as expected, so moving the bug to VERIFIED.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056