CNTRLPLANE-3742: Fix ciphersuite behavior misunderstanding and tweak validation recommendation#2057
Conversation
|
@vincentdephily: This pull request references CNTRLPLANE-3742 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
The behavior does not depend on the configured minVersion, just on the effectively negociated version.
This future-proofs against upstream go changes, and improves compatibility with non-go stacks.
0c9fef4 to
79ec2c0
Compare
|
@vincentdephily: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
|
||
| #### Custom Profile with TLS 1.2 Example | ||
|
|
||
| Custom cipher configuration is only supported with TLS 1.2: |
There was a problem hiding this comment.
Relax this comment.
|
|
||
| #### Invalid Configuration (Rejected) | ||
|
|
||
| The following configuration will be **rejected by validation**: |
There was a problem hiding this comment.
This should result in a warning, not a rejection
| The API modifies existing behavior by: | ||
| - Establishing the APIServer configuration as the default source for TLS configuration that all core components will consume | ||
| - Introducing the `tlsAdherence` field to control enforcement behavior | ||
| - Adding validation to reject cipher suite configuration with TLS 1.3 |
There was a problem hiding this comment.
s/reject/warn/
|
|
||
| - `TLSAdherence` feature gate implemented | ||
| - Ability to configure TLS profile and `tlsAdherence` in APIServer resource | ||
| - Validation rejects cipher suites when `minTLSVersion` is TLS 1.3 |
There was a problem hiding this comment.
s/reject/warn/
| - Ability to configure TLS profile and `tlsAdherence` in APIServer resource | ||
| - Validation rejects cipher suites when `minTLSVersion` is TLS 1.3 | ||
| - At least one core component (e.g., kube-apiserver) respects the cluster-wide profile | ||
| - Documentation of TLS 1.3 hardcoded cipher behavior |
There was a problem hiding this comment.
And hardcoded cipher preference for tls1.2
|
|
||
| **Unit Tests:** | ||
| - Validation correctly rejects cipher suites with TLS 1.3 | ||
| - Validation accepts valid configurations (ciphers with TLS 1.2, no ciphers with TLS 1.3) |
There was a problem hiding this comment.
Only check for warnings
|
@JoelSpeed @everettraven I've noted/reviewed a few places that need updating to make the whole document consistent, if ye agree with the basic direction of this. |
This is split in two commits
This prompts for code changes in APIServer's config validation, but also other places like etcd. Some are straightforward, others might require changes to distinguish error from warning.