API Server only makes use of Strong Cryptographic Ciphers

kubernetes

Classification:

compliance

Framework:

cis-kubernetes

Control:

1.2.35

Set up the kubernetes integration.

Description

Ensure that the API server is configured to only use strong cryptographic ciphers.

Rationale

TLS ciphers have had a number of known vulnerabilities and weaknesses, which can reduce the protection provided by them. By default Kubernetes supports a number of TLS ciphersuites including some that have security concerns, weakening the protection provided.

Audit

Run the following command on the master node:

ps -ef | grep kube-apiserver

Verify that the --tls-cipher-suites argument is set as outlined in the remediation procedure below.

Remediation

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --tls-cipher-suites parameter as follows, or to a subset of these values:

--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Impact

API server clients that cannot support modern cryptographic ciphers will not be able to make connections to the API server. Set the same subset in rule 4.2.13

Default value

By default the Kubernetes API server supports a wide range of TLS ciphers

References

  1. https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#23-use-secure-cipher-suites

Notes: The list chosen above should be fine for modern clients. It’s essentially the list from the Mozilla “Modern cipher” option with the ciphersuites supporting CBC mode removed, as CBC has traditionally had a lot of issues

CIS controls

Version 6 3.4 Use Only Secure Channels For Remote System Administration - Perform all remote administration of servers, workstation, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as SSL, TLS or IPSEC.

Version 7 4.5 Use Multifactor Authentication For All Administrative Access - Use multi-factor authentication and encrypted channels for all administrative account access.