Configuring TLS security profiles

TLS security profiles provide a way for servers to regulate which ciphers a client can use when connecting to the server. This ensures that OKD components use cryptographic libraries that do not allow known insecure protocols, ciphers, or algorithms.

Cluster administrators can choose which TLS security profile to use for each of the following components:

  • the Ingress Controller

  • the control plane

    This includes the Kubernetes API server, OpenShift API server, OpenShift OAuth API server, and OpenShift OAuth server.

Understanding TLS security profiles

You can use a TLS (Transport Layer Security) security profile to define which TLS ciphers are required by various OKD components. The OKD TLS security profiles are based on Mozilla recommended configurations.

You can specify one of the following TLS security profiles for each component:

Table 1. TLS security profiles
ProfileDescription

Old

This profile is intended for use with legacy clients or libraries. The profile is based on the Old backward compatibility recommended configuration.

The Old profile requires a minimum TLS version of 1.0.

For the Ingress Controller, the minimum TLS version is converted from 1.0 to 1.1.

Intermediate

This profile is the recommended configuration for the majority of clients. It is the default TLS security profile for the Ingress Controller and control plane. The profile is based on the Intermediate compatibility recommended configuration.

The Intermediate profile requires a minimum TLS version of 1.2.

Modern

This profile is intended for use with modern clients that have no need for backwards compatibility. This profile is based on the Modern compatibility recommended configuration.

The Modern profile requires a minimum TLS version of 1.3.

In OKD 4.6, 4.7, and 4.8, the Modern profile is unsupported. If selected, the Intermediate profile is enabled.

The Modern profile is currently not supported.

Custom

This profile allows you to define the TLS version and ciphers to use.

Use caution when using a Custom profile, because invalid configurations can cause problems.

OKD router enables Red Hat-distributed OpenSSL default set of TLS 1.3 cipher suites. Your cluster might accept TLS 1.3 connections and cipher suites, even though TLS 1.3 is unsupported in OKD 4.6, 4.7, and 4.8.

When using one of the predefined profile types, the effective profile configuration is subject to change between releases. For example, given a specification to use the Intermediate profile deployed on release X.Y.Z, an upgrade to release X.Y.Z+1 might cause a new profile configuration to be applied, resulting in a rollout.

Viewing TLS security profile details

You can view the minimum TLS version and ciphers for the predefined TLS security profiles for each of the following components: Ingress Controller and control plane.

The effective configuration of minimum TLS version and list of ciphers for a profile might differ between components.

Procedure

  • View details for a specific TLS security profile:

    1. $ oc explain <component>.spec.tlsSecurityProfile.<profile> (1)
    1For <component>, specify ingresscontroller or apiserver. For <profile>, specify old, intermediate, or custom.

    For example, to check the ciphers included for the intermediate profile for the control plane:

    1. $ oc explain apiserver.spec.tlsSecurityProfile.intermediate

    Example output

    1. KIND: APIServer
    2. VERSION: config.openshift.io/v1
    3. DESCRIPTION:
    4. intermediate is a TLS security profile based on:
    5. https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
    6. and looks like this (yaml):
    7. ciphers: - TLS_AES_128_GCM_SHA256 - TLS_AES_256_GCM_SHA384 -
    8. TLS_CHACHA20_POLY1305_SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 -
    9. ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES256-GCM-SHA384 -
    10. ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 -
    11. ECDHE-RSA-CHACHA20-POLY1305 - DHE-RSA-AES128-GCM-SHA256 -
    12. DHE-RSA-AES256-GCM-SHA384 minTLSVersion: TLSv1.2
  • View all details for the tlsSecurityProfile field of a component:

    1. $ oc explain <component>.spec.tlsSecurityProfile (1)
    1For <component>, specify ingresscontroller or apiserver.

    For example, to check all details for the tlsSecurityProfile field for the Ingress Controller:

    1. $ oc explain ingresscontroller.spec.tlsSecurityProfile

    Example output

    1. KIND: IngressController
    2. VERSION: operator.openshift.io/v1
    3. RESOURCE: tlsSecurityProfile <Object>
    4. DESCRIPTION:
    5. ...
    6. FIELDS:
    7. custom <>
    8. custom is a user-defined TLS security profile. Be extremely careful using a
    9. custom profile as invalid configurations can be catastrophic. An example
    10. custom profile looks like this:
    11. ciphers: - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 -
    12. ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 minTLSVersion:
    13. TLSv1.1
    14. intermediate <>
    15. intermediate is a TLS security profile based on:
    16. https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
    17. and looks like this (yaml):
    18. ... (1)
    19. modern <>
    20. modern is a TLS security profile based on:
    21. https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility and
    22. looks like this (yaml):
    23. ... (2)
    24. NOTE: Currently unsupported.
    25. old <>
    26. old is a TLS security profile based on:
    27. https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
    28. and looks like this (yaml):
    29. ... (3)
    30. type <string>
    31. ...
    1Lists ciphers and minimum version for the intermediate profile here.
    2Lists ciphers and minimum version for the modern profile here.
    3Lists ciphers and minimum version for the old profile here.

Configuring the TLS security profile for the Ingress Controller

To configure a TLS security profile for an Ingress Controller, edit the IngressController custom resource (CR) to specify a predefined or custom TLS security profile. If a TLS security profile is not configured, the default value is based on the TLS security profile set for the API server.

Sample IngressController CR that configures the Old TLS security profile

  1. apiVersion: config.openshift.io/v1
  2. kind: IngressController
  3. ...
  4. spec:
  5. tlsSecurityProfile:
  6. old: {}
  7. type: Old
  8. ...

The TLS security profile defines the minimum TLS version and the TLS ciphers for TLS connections for Ingress Controllers.

You can see the ciphers and the minimum TLS version of the configured TLS security profile in the IngressController custom resource (CR) under Status.Tls Profile and the configured TLS security profile under Spec.Tls Security Profile. For the Custom TLS security profile, the specific ciphers and minimum TLS version are listed under both parameters.

The HAProxy Ingress Controller image does not support TLS 1.3 and because the Modern profile requires TLS 1.3, it is not supported. The Ingress Operator converts the Modern profile to Intermediate. The Ingress Operator also converts the TLS 1.0 of an Old or Custom profile to 1.1, and TLS 1.3 of a Custom profile to 1.2.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Edit the IngressController CR in the openshift-ingress-operator project to configure the TLS security profile:

    1. $ oc edit IngressController default -n openshift-ingress-operator
  2. Add the spec.tlsSecurityProfile field:

    Sample IngressController CR for a Custom profile

    1. apiVersion: operator.openshift.io/v1
    2. kind: IngressController
    3. ...
    4. spec:
    5. tlsSecurityProfile:
    6. type: Custom (1)
    7. custom: (2)
    8. ciphers: (3)
    9. - ECDHE-ECDSA-CHACHA20-POLY1305
    10. - ECDHE-RSA-CHACHA20-POLY1305
    11. - ECDHE-RSA-AES128-GCM-SHA256
    12. - ECDHE-ECDSA-AES128-GCM-SHA256
    13. minTLSVersion: VersionTLS11
    14. ...
    1Specify the TLS security profile type (Old, Intermediate, or Custom). The default is Intermediate.
    2Specify the appropriate field for the selected type:
    • old: {}

    • intermediate: {}

    • custom:

    3For the custom type, specify a list of TLS ciphers and minimum accepted TLS version.
  3. Save the file to apply the changes.

Verification

  • Verify that the profile is set in the IngressController CR:

    1. $ oc describe IngressController default -n openshift-ingress-operator

    Example output

    1. Name: default
    2. Namespace: openshift-ingress-operator
    3. Labels: <none>
    4. Annotations: <none>
    5. API Version: operator.openshift.io/v1
    6. Kind: IngressController
    7. ...
    8. Spec:
    9. ...
    10. Tls Security Profile:
    11. Custom:
    12. Ciphers:
    13. ECDHE-ECDSA-CHACHA20-POLY1305
    14. ECDHE-RSA-CHACHA20-POLY1305
    15. ECDHE-RSA-AES128-GCM-SHA256
    16. ECDHE-ECDSA-AES128-GCM-SHA256
    17. Min TLS Version: VersionTLS11
    18. Type: Custom
    19. ...

Configuring the TLS security profile for the control plane

To configure a TLS security profile for the control plane, edit the APIServer custom resource (CR) to specify a predefined or custom TLS security profile. Setting the TLS security profile in the APIServer CR propagates the setting to the following control plane components:

  • Kubernetes API server

  • OpenShift API server

  • OpenShift OAuth API server

  • OpenShift OAuth server

If a TLS security profile is not configured, the default TLS security profile is Intermediate.

The default TLS security profile for the Ingress Controller is based on the TLS security profile set for the API server.

Sample APIServer CR that configures the Old TLS security profile

  1. apiVersion: config.openshift.io/v1
  2. kind: APIServer
  3. ...
  4. spec:
  5. tlsSecurityProfile:
  6. old: {}
  7. type: Old
  8. ...

The TLS security profile defines the minimum TLS version and the TLS ciphers required to communicate with the control plane components.

You can see the configured TLS security profile in the APIServer custom resource (CR) under Spec.Tls Security Profile. For the Custom TLS security profile, the specific ciphers and minimum TLS version are listed.

The control plane does not support TLS 1.3 as the minimum TLS version; the Modern profile is not supported because it requires TLS 1.3.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Edit the default APIServer CR to configure the TLS security profile:

    1. $ oc edit APIServer cluster
  2. Add the spec.tlsSecurityProfile field:

    Sample APIServer CR for a Custom profile

    1. apiVersion: config.openshift.io/v1
    2. kind: APIServer
    3. metadata:
    4. name: cluster
    5. spec:
    6. tlsSecurityProfile:
    7. type: Custom (1)
    8. custom: (2)
    9. ciphers: (3)
    10. - ECDHE-ECDSA-CHACHA20-POLY1305
    11. - ECDHE-RSA-CHACHA20-POLY1305
    12. - ECDHE-RSA-AES128-GCM-SHA256
    13. - ECDHE-ECDSA-AES128-GCM-SHA256
    14. minTLSVersion: VersionTLS11
    1Specify the TLS security profile type (Old, Intermediate, or Custom). The default is Intermediate.
    2Specify the appropriate field for the selected type:
    • old: {}

    • intermediate: {}

    • custom:

    3For the custom type, specify a list of TLS ciphers and minimum accepted TLS version.
  3. Save the file to apply the changes.

Verification

  • Verify that the TLS security profile is set in the APIServer CR:

    1. $ oc describe apiserver cluster

    Example output

    1. Name: cluster
    2. Namespace:
    3. ...
    4. API Version: config.openshift.io/v1
    5. Kind: APIServer
    6. ...
    7. Spec:
    8. Audit:
    9. Profile: Default
    10. Tls Security Profile:
    11. Custom:
    12. Ciphers:
    13. ECDHE-ECDSA-CHACHA20-POLY1305
    14. ECDHE-RSA-CHACHA20-POLY1305
    15. ECDHE-RSA-AES128-GCM-SHA256
    16. ECDHE-ECDSA-AES128-GCM-SHA256
    17. Min TLS Version: VersionTLS11
    18. Type: Custom
    19. ...