From ef3e98807ebd38471c91ff5734d4523230f81047 Mon Sep 17 00:00:00 2001 From: Erwan Miran Date: Thu, 13 Aug 2020 11:48:13 +0200 Subject: [PATCH] tlsminversion and tlsciphersuites kubelet (#6490) --- roles/kubernetes/node/defaults/main.yml | 28 +++++++++++++++++++ .../templates/kubelet-config.v1beta1.yaml.j2 | 9 ++++++ 2 files changed, 37 insertions(+) diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml index 1bd363acc..acacb4c24 100644 --- a/roles/kubernetes/node/defaults/main.yml +++ b/roles/kubernetes/node/defaults/main.yml @@ -142,3 +142,31 @@ azure_disable_outbound_snat: false azure_use_instance_metadata: true # use specific Azure API endpoints azure_cloud: AzurePublicCloud + +## Support tls min version, Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13. +# tls_min_version: "" + +## Support tls cipher suites. +# tls_cipher_suites: +# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA +# - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 +# - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 +# - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA +# - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 +# - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 +# - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA +# - TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA +# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA +# - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 +# - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 +# - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA +# - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 +# - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 +# - TLS_ECDHE_RSA_WITH_RC4_128_SHA +# - TLS_RSA_WITH_3DES_EDE_CBC_SHA +# - TLS_RSA_WITH_AES_128_CBC_SHA +# - TLS_RSA_WITH_AES_128_CBC_SHA256 +# - TLS_RSA_WITH_AES_128_GCM_SHA256 +# - TLS_RSA_WITH_AES_256_CBC_SHA +# - TLS_RSA_WITH_AES_256_GCM_SHA384 +# - TLS_RSA_WITH_RC4_128_SHA diff --git a/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2 b/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2 index 50a2d0610..f2341e3b7 100644 --- a/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2 +++ b/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2 @@ -76,3 +76,12 @@ resolvConf: "{{ kube_resolv_conf }}" {% if inventory_hostname in groups['kube-node'] and kubelet_node_config_extra_args %} {{ kubelet_node_config_extra_args | to_nice_yaml(indent=2) }} {% endif %} +{% if tls_min_version is defined %} +tlsMinVersion: {{ tls_min_version }} +{% endif %} +{% if tls_cipher_suites is defined %} +tlsCipherSuites: +{% for tls in tls_cipher_suites %} +- {{ tls }} +{% endfor %} +{% endif %}