Operator controller allows old TLS versions #155
Comments
To clarify, did you mean port 8443? If so, this is the https://github.com/brancz/kube-rbac-proxy. We currently run with 0.8.0. In the latest version, 0.11.0, they have an option to specify the TLS version (
I mean this port from the kubernetes deployment resource:

```yaml
ports:
- containerPort: 9443
  name: webhook-server
  protocol: TCP
```

Is it changed after 1.2.0?
No, it is still 9443. I see the port you are asking about. Unfortunately, I don't see anything that can be done at this time. The operator inherits this functionality from https://github.com/kubernetes-sigs/controller-runtime. We are on an older version (0.7.2). But even in the current release (0.11.0), it still doesn't allow the TLS to be configured. There have been a few PRs opened to try and address this but none of them have got in yet (i.e. kubernetes-sigs/controller-runtime#1620).
Thanks! We will ping those PRs.
Turns out there may be a way to set the minimum TLS version now. There was a merged PR that set the minimum TLS when starting the webhook (kubernetes-sigs/controller-runtime#1548). However, our operator doesn't call the function that was changed directly. There are a few layers of abstraction in between. So, what is missing is how to configure that from the operator. The community for the controller-runtime has had various proposals to allow this, but nothing is finalized. PR 1620 referenced above is an example. Another one, kubernetes-sigs/controller-runtime#852, looks the most promising based on recent activity. In the meantime, I believe I can set this in our operator still. It will be a little hacky but it should be okay for now until they settle on a way to properly expose this. I'll open a PR for this shortly.
Thanks @spilchen!
Our vulnerability scanners raised an issue because the operator controller allows TLS v1.0/1.1 on port 9443.
Please allow only TLS 1.2, because the legacy versions have many vulnerabilities.
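The version floor discussed in the comments above and in this report, as an added example that is not code from the operator, kube-rbac-proxy or controller-runtime: a plain Go program (standard library only) that builds the two server configurations side by side, a legacy one that still negotiates TLS 1.0/1.1 and a hardened one with `MinVersion` set to TLS 1.2, and probes each over a loopback listener the way a scanner probes a port. The self-signed certificate, the hostname `webhook-server.example` and all function names are constructed for the demo and are assumptions, not anything from the operator's code base.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert generates a throwaway ECDSA certificate (constructed for the
// demo) so the handshakes below run offline on the loopback interface.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "webhook-server.example"}, // hypothetical name
		DNSNames:     []string{"webhook-server.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// legacyServerConfig reproduces what the scanner flagged: the listener still
// negotiates TLS 1.0 and 1.1.
func legacyServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS10}
}

// hardenedServerConfig is the requested fix: TLS 1.2 is the floor, so a 1.0 or
// 1.1 ClientHello is answered with a protocol_version alert.
func hardenedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
}

// probeTLSVersion performs one handshake against serverCfg on a loopback
// listener with the client pinned to a single protocol version. It returns the
// negotiated version, or the handshake error if the server refused it.
func probeTLSVersion(serverCfg *tls.Config, version uint16) (uint16, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()

	serverErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			serverErr <- err
			return
		}
		defer conn.Close()
		_ = conn.SetDeadline(time.Now().Add(5 * time.Second))
		serverErr <- tls.Server(conn, serverCfg).Handshake()
	}()

	raw, err := net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second)
	if err != nil {
		return 0, err
	}
	defer raw.Close()
	_ = raw.SetDeadline(time.Now().Add(5 * time.Second))
	client := tls.Client(raw, &tls.Config{
		InsecureSkipVerify: true, // the probe only measures the protocol version
		MinVersion:         version,
		MaxVersion:         version,
	})
	if err := client.Handshake(); err != nil {
		return 0, err
	}
	if err := <-serverErr; err != nil {
		return 0, err
	}
	return client.ConnectionState().Version, nil
}

// allowsLegacyTLS is the check the scanner effectively ran: does the server
// complete a handshake at TLS 1.0 or TLS 1.1?
func allowsLegacyTLS(serverCfg *tls.Config) bool {
	for _, v := range []uint16{tls.VersionTLS10, tls.VersionTLS11} {
		if _, err := probeTLSVersion(serverCfg, v); err == nil {
			return true
		}
	}
	return false
}

func main() {
	cert, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	fmt.Println("legacy   (MinVersion TLS 1.0) accepts TLS 1.0/1.1:", allowsLegacyTLS(legacyServerConfig(cert)))
	fmt.Println("hardened (MinVersion TLS 1.2) accepts TLS 1.0/1.1:", allowsLegacyTLS(hardenedServerConfig(cert)))
}
```

The hardened configuration answers a TLS 1.0 or 1.1 ClientHello with a protocol_version alert, so the probe's handshake error is the signal that the floor is enforced, while TLS 1.2 and 1.3 still complete normally. However the operator ends up exposing the setting through controller-runtime's layers, pointing `probeTLSVersion` (with `InsecureSkipVerify` dropped and the real address substituted) at the webhook port after a deploy is the same check the scanner will repeat.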