Description of problem:
KubeDescheduler operator log shows "Use of insecure cipher detected"

W0117 09:20:42.550827       1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256' detected.
W0117 09:20:42.550839       1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256' detected.

Version-Release number of selected component (if applicable):
4.10.0-0.nightly-2022-01-17-023213

How reproducible:
Always

Steps to Reproduce:
1. Install latest 4.10 cluster
2. Install 4.10 descheduler operator
3. Run "oc logs <kube_descheduler_operator_pod> -n openshift-kube-descheduler-operator"

Actual results:
Can see that kubedescheduler uses insecure cipher suites from the logs:

W0117 09:20:42.550827       1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256' detected.
W0117 09:20:42.550839       1 secure_serving.go:69] Use of insecure cipher 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256' detected.

Expected results:
Should not see insecure cipher suites in the descheduler logs, nor should it use the same.

Additional info:
We do not set the --tls-cipher-suites since the descheduler operator manifest is rendered by the OLM, whereas we are discussing the descheduler operand itself, where it makes sense to set the flag.
Verified with build below and I see that the fix is working as expected.

[knarra@knarra verification-tests]$ oc get clusterversion
NAME      VERSION       AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-fc.2   True        False         10h     Cluster version is 4.10.0-fc.2

[knarra@knarra verification-tests]$ oc get csv -n openshift-kube-descheduler-operator
NAME                                                 DISPLAY                     VERSION               REPLACES   PHASE
clusterkubedescheduleroperator.4.10.0-202201210120   Kube Descheduler Operator   4.10.0-202201210120              Succeeded

By default the descheduler comes with the below --tls flags:
===============================================================
[knarra@knarra verification-tests]$ oc get pod cluster-5cddcc44f9-wchzs -o yaml -n openshift-kube-descheduler-operator
apiVersion: v1
kind: Pod
metadata:
  annotations:
    k8s.v1.cni.cncf.io/network-status: |-
      [{
          "name": "openshift-sdn",
          "interface": "eth0",
          "ips": [
              "10.129.2.12"
          ],
          "default": true,
          "dns": {}
      }]
    k8s.v1.cni.cncf.io/networks-status: |-
      [{
          "name": "openshift-sdn",
          "interface": "eth0",
          "ips": [
              "10.129.2.12"
          ],
          "default": true,
          "dns": {}
      }]
    kubectl.kubernetes.io/default-container: openshift-descheduler
    openshift.io/scc: restricted
    operator.openshift.io/force: bb4fdc75-87f1-47fe-a594-0d3bb5f4a79d
  creationTimestamp: "2022-01-21T16:51:50Z"
  generateName: cluster-5cddcc44f9-
  labels:
    app: descheduler
    pod-template-hash: 5cddcc44f9
  name: cluster-5cddcc44f9-wchzs
  namespace: openshift-kube-descheduler-operator
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: ReplicaSet
    name: cluster-5cddcc44f9
    uid: b0021697-ef13-4622-ab30-8bc68da5c39d
  resourceVersion: "194528"
  uid: 63d254d5-1d0b-45a0-b105-b5c68640f381
spec:
  containers:
  - args:
    - --policy-config-file=/policy-dir/policy.yaml
    - --v=2
    - --logging-format=text
    - --tls-cert-file=/certs-dir/tls.crt
    - --tls-private-key-file=/certs-dir/tls.key
    - --descheduling-interval=3600s
    - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    - --tls-min-version=VersionTLS12

descheduler operator log:
==============================
I0121 16:51:44.941349       1 event.go:285] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-kube-descheduler-operator", Name:"descheduler-operator", UID:"65b60839-ca23-4016-9b49-fbfc49c8bd90", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'ObserveTLSSecurityProfile' minTLSVersion changed to VersionTLS12
I0121 16:51:44.941371       1 event.go:285] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-kube-descheduler-operator", Name:"descheduler-operator", UID:"65b60839-ca23-4016-9b49-fbfc49c8bd90", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'ObserveTLSSecurityProfile' cipherSuites changed to ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"]
I0121 16:51:44.941381       1 event.go:285] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-kube-descheduler-operator", Name:"descheduler-operator", UID:"65b60839-ca23-4016-9b49-fbfc49c8bd90", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'ObservedConfigChanged' Writing updated observed config:   map[string]interface{}{
+ 	"servingInfo": map[string]interface{}{
+ 		"cipherSuites": []interface{}{
+ 			string("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
+ 			string("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
+ 			string("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"),
+ 			string("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"),
+ 			string("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"),
+ 			string("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"),
+ 		},
+ 		"minTLSVersion": string("VersionTLS12"),
+ 	},
  }

Change the profile to custom in apiserver and verify that it is reflected for descheduler:
============================================================================================
[knarra@knarra verification-tests]$ oc get pod cluster-7c9c8f4d4d-kgq44 -o yaml -n openshift-kube-descheduler-operator
apiVersion: v1
kind: Pod
metadata:
  annotations:
    k8s.v1.cni.cncf.io/network-status: |-
      [{
          "name": "openshift-sdn",
          "interface": "eth0",
          "ips": [
              "10.128.2.58"
          ],
          "default": true,
          "dns": {}
      }]
    k8s.v1.cni.cncf.io/networks-status: |-
      [{
          "name": "openshift-sdn",
          "interface": "eth0",
          "ips": [
              "10.128.2.58"
          ],
          "default": true,
          "dns": {}
      }]
    kubectl.kubernetes.io/default-container: openshift-descheduler
    openshift.io/scc: restricted
    operator.openshift.io/force: f6c1082b-7ffd-4e98-aa66-e0043fdedb74
  creationTimestamp: "2022-01-21T17:23:15Z"
  generateName: cluster-7c9c8f4d4d-
  labels:
    app: descheduler
    pod-template-hash: 7c9c8f4d4d
  name: cluster-7c9c8f4d4d-kgq44
  namespace: openshift-kube-descheduler-operator
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: ReplicaSet
    name: cluster-7c9c8f4d4d
    uid: 91c4ef4a-60ee-41e2-a3bb-634aeb6e0edf
  resourceVersion: "204717"
  uid: 4c019d03-4ba7-4895-b5f7-fda33be498ad
spec:
  containers:
  - args:
    - --policy-config-file=/policy-dir/policy.yaml
    - --v=2
    - --logging-format=text
    - --tls-cert-file=/certs-dir/tls.crt
    - --tls-private-key-file=/certs-dir/tls.key
    - --descheduling-interval=3600s
    - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - --tls-min-version=VersionTLS11
    - -v=2

kubedescheduler operator logs:
==================================
I0121 17:23:14.924187       1 event.go:285] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-kube-descheduler-operator", Name:"descheduler-operator", UID:"65b60839-ca23-4016-9b49-fbfc49c8bd90", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'ObserveTLSSecurityProfile' cipherSuites changed to ["TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"]
I0121 17:23:14.924328       1 event.go:285] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-kube-descheduler-operator", Name:"descheduler-operator", UID:"65b60839-ca23-4016-9b49-fbfc49c8bd90", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'ObservedConfigChanged' Writing updated observed config:   map[string]interface{}{
  	"servingInfo": map[string]interface{}{
  		"cipherSuites": []interface{}{
- 			string("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
- 			string("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
- 			string("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"),
- 			string("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"),
  			string("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"),
  			string("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"),
+ 			string("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
+ 			string("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
  		},
- 		"minTLSVersion": string("VersionTLS12"),
+ 		"minTLSVersion": string("VersionTLS11"),
  	},
  }

Change the profile to old in apiserver and verify that it is reflected for descheduler:
============================================================================================
[knarra@knarra verification-tests]$ oc get pod cluster-6578c576d7-qms2k -o yaml -n openshift-kube-descheduler-operator
apiVersion: v1
kind: Pod
metadata:
  annotations:
    k8s.v1.cni.cncf.io/network-status: |-
      [{
          "name": "openshift-sdn",
          "interface": "eth0",
          "ips": [
              "10.129.2.20"
          ],
          "default": true,
          "dns": {}
      }]
    k8s.v1.cni.cncf.io/networks-status: |-
      [{
          "name": "openshift-sdn",
          "interface": "eth0",
          "ips": [
              "10.129.2.20"
          ],
          "default": true,
          "dns": {}
      }]
    kubectl.kubernetes.io/default-container: openshift-descheduler
    openshift.io/scc: restricted
    operator.openshift.io/force: 5d2157eb-fa03-4fc4-82c3-9daefc66d6dc
  creationTimestamp: "2022-01-21T17:29:53Z"
  generateName: cluster-6578c576d7-
  labels:
    app: descheduler
    pod-template-hash: 6578c576d7
  name: cluster-6578c576d7-qms2k
  namespace: openshift-kube-descheduler-operator
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: ReplicaSet
    name: cluster-6578c576d7
    uid: 5d651028-99e6-4a83-be23-fd2d6b1a1955
  resourceVersion: "210508"
  uid: 2e8f2bee-97c9-4174-a176-0acb60bcdbe5
spec:
  containers:
  - args:
    - --policy-config-file=/policy-dir/policy.yaml
    - --v=2
    - --logging-format=text
    - --tls-cert-file=/certs-dir/tls.crt
    - --tls-private-key-file=/certs-dir/tls.key
    - --descheduling-interval=3600s
    - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA
    - --tls-min-version=VersionTLS10
    - -v=2
    command:
    - /bin/descheduler

kubedescheduler operator logs:
================================
I0121 17:29:53.233584       1 event.go:285] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-kube-descheduler-operator", Name:"descheduler-operator", UID:"65b60839-ca23-4016-9b49-fbfc49c8bd90", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'ObserveTLSSecurityProfile' cipherSuites changed to ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" "TLS_RSA_WITH_AES_128_GCM_SHA256" "TLS_RSA_WITH_AES_256_GCM_SHA384" "TLS_RSA_WITH_AES_128_CBC_SHA256" "TLS_RSA_WITH_AES_128_CBC_SHA" "TLS_RSA_WITH_AES_256_CBC_SHA" "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
I0121 17:29:53.233593       1 event.go:285] Event(v1.ObjectReference{Kind:"Deployment", Namespace:"openshift-kube-descheduler-operator", Name:"descheduler-operator", UID:"65b60839-ca23-4016-9b49-fbfc49c8bd90", APIVersion:"apps/v1", ResourceVersion:"", FieldPath:""}): type: 'Normal' reason: 'ObservedConfigChanged' Writing updated observed config:   map[string]interface{}{
  	"servingInfo": map[string]interface{}{
  		"cipherSuites": []interface{}{
- 			string("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"),
+ 			string("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
- 			string("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"),
  			string("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
- 			string("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
+ 			string("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"),
+ 			string("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"),
+ 			string("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"),
+ 			string("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"),
+ 			string("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"),
+ 			string("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"),
+ 			string("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"),
+ 			string("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"),
+ 			string("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"),
+ 			string("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"),
+ 			string("TLS_RSA_WITH_AES_128_GCM_SHA256"),
+ 			string("TLS_RSA_WITH_AES_256_GCM_SHA384"),
+ 			string("TLS_RSA_WITH_AES_128_CBC_SHA256"),
+ 			string("TLS_RSA_WITH_AES_128_CBC_SHA"),
+ 			string("TLS_RSA_WITH_AES_256_CBC_SHA"),
+ 			string("TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
  		},
- 		"minTLSVersion": string("VersionTLS11"),
+ 		"minTLSVersion": string("VersionTLS10"),
  	},
  }

Based on the above moving bug to verified state.
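Added example, not part of this bug report or of the descheduler operator's code: the Go program below reproduces the classification behind the "Use of insecure cipher ... detected" warning in the description and runs it over the three --tls-cipher-suites / --tls-min-version pairs quoted from the pod args in the verification comment. The warning comes from the Kubernetes secure-serving option code, whose insecure set is derived from Go's own crypto/tls.InsecureCipherSuites(); the program consults that same list, so it shows why the two ECDHE CBC-SHA256 suites are flagged under the "old" profile while the intermediate and custom lists are clean. The names ClassifyCipherSuites, ParseMinTLSVersion, CipherReport and ObservedProfiles are this example's own; the cipher lists are copied from the page.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// CipherReport splits a --tls-cipher-suites value into the three groups that
// matter for the warning seen on this bug.
type CipherReport struct {
	Secure   []string // accepted by Go without complaint
	Insecure []string // listed in crypto/tls.InsecureCipherSuites(): these trigger the warning
	Unknown  []string // not a Go cipher-suite name at all; the flag parser would reject it
}

// goCipherTable builds name -> "is insecure" from Go's own tables. The
// Kubernetes secure-serving flag code derives its insecure set from the same
// tls.InsecureCipherSuites() list (reconstructed here, not copied from it).
func goCipherTable() map[string]bool {
	table := make(map[string]bool)
	for _, cs := range tls.CipherSuites() {
		table[cs.Name] = false
	}
	for _, cs := range tls.InsecureCipherSuites() {
		table[cs.Name] = true
	}
	return table
}

// ClassifyCipherSuites parses a comma-separated --tls-cipher-suites value.
func ClassifyCipherSuites(flagValue string) CipherReport {
	table := goCipherTable()
	var r CipherReport
	for _, name := range strings.Split(flagValue, ",") {
		name = strings.TrimSpace(name)
		if name == "" {
			continue
		}
		insecure, known := table[name]
		switch {
		case !known:
			r.Unknown = append(r.Unknown, name)
		case insecure:
			r.Insecure = append(r.Insecure, name)
		default:
			r.Secure = append(r.Secure, name)
		}
	}
	return r
}

// ParseMinTLSVersion converts the --tls-min-version spelling used in the pod
// args (VersionTLS10 .. VersionTLS13) into the crypto/tls constant, so the
// result can go straight into a tls.Config.MinVersion.
func ParseMinTLSVersion(s string) (uint16, error) {
	switch s {
	case "VersionTLS10":
		return tls.VersionTLS10, nil
	case "VersionTLS11":
		return tls.VersionTLS11, nil
	case "VersionTLS12":
		return tls.VersionTLS12, nil
	case "VersionTLS13":
		return tls.VersionTLS13, nil
	}
	return 0, fmt.Errorf("unknown TLS version %q", s)
}

// ObservedProfiles holds the flag pairs quoted in the verification comment
// (sample input copied from the bug; the map itself is this example's).
var ObservedProfiles = map[string]struct{ MinVersion, Ciphers string }{
	"intermediate (default)": {"VersionTLS12",
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"},
	"custom": {"VersionTLS11",
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"},
	"old": {"VersionTLS10",
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
}

func main() {
	for _, name := range []string{"intermediate (default)", "custom", "old"} {
		p := ObservedProfiles[name]
		r := ClassifyCipherSuites(p.Ciphers)
		v, err := ParseMinTLSVersion(p.MinVersion)
		fmt.Printf("%-24s min=%s (0x%04x, err=%v) secure=%d insecure=%v unknown=%v\n",
			name, p.MinVersion, v, err, len(r.Secure), r.Insecure, r.Unknown)
	}
}
```

Running it prints one line per profile; only the "old" line has a non-empty insecure list, which matches the page: the warning appears exactly when the operator hands the operand a list that contains suites Go itself classifies as insecure, and an empty Unknown list confirms every name in the observed lists is one Go recognises.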
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056