Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Kubelet) (Openshift)
Ensure that the Kubelet is configured to only use strong cryptographic ciphers.
Risk Level: High
Cloud Entity: Node
CloudGuard Rule ID: D9.K8S.CRY.44
Covered by Spectral: No
Category: Compute
GSL LOGIC
KubernetesNode should have kubeletData.kubeletconfig.tlsCipherSuites isEmpty() or kubeletData.kubeletconfig.tlsCipherSuites contain-all ['TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256' and 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' and 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305' and 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384' and 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305' and 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384' and 'TLS_RSA_WITH_AES_256_GCM_SHA384' and 'TLS_RSA_WITH_AES_128_GCM_SHA256']
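The GSL logic above has two compliant states: `tlsCipherSuites` unset/empty (the kubelet then falls back to the Go TLS library defaults) or a list containing every suite named. The following added example (not CloudGuard's own evaluator) implements the same decision over the JSON document the kubelet's `/configz` endpoint returns, whose top-level `kubeletconfig` key matches the `kubeletData.kubeletconfig` path in the rule. The three sample payloads are constructed for illustration and are not data from a real node.

```python
import json
from typing import List, Tuple

# Suites the rule requires when tlsCipherSuites is set, copied from the GSL logic.
REQUIRED_CIPHERS = frozenset([
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
])


def evaluate_kubeletconfig(kubeletconfig: dict) -> Tuple[str, List[str]]:
    """Apply rule D9.K8S.CRY.44 to one kubeletconfig object.

    Returns (status, missing) where status is one of:
      "default"      - tlsCipherSuites absent or empty (compliant per the rule,
                       but the node is relying on library defaults, so worth noting)
      "compliant"    - every required suite is present
      "noncompliant" - at least one required suite is missing
    and missing lists the required suites not found (sorted, empty unless noncompliant).
    """
    suites = kubeletconfig.get("tlsCipherSuites") or []
    if not suites:
        return "default", []
    missing = sorted(REQUIRED_CIPHERS - set(suites))
    if missing:
        return "noncompliant", missing
    return "compliant", []


def evaluate_configz(configz_json: str) -> Tuple[str, List[str]]:
    """Evaluate the JSON body served by the kubelet /configz endpoint
    (shape: {"kubeletconfig": {...}}), mirroring the rule's
    kubeletData.kubeletconfig.tlsCipherSuites path."""
    doc = json.loads(configz_json)
    return evaluate_kubeletconfig(doc.get("kubeletconfig", {}))


# Constructed sample payloads (hypothetical, not captured from a cluster).
SAMPLE_COMPLIANT = json.dumps({"kubeletconfig": {
    # All eight required suites plus one extra TLS 1.3 suite; extras are allowed.
    "tlsCipherSuites": sorted(REQUIRED_CIPHERS) + ["TLS_AES_128_GCM_SHA256"],
}})
SAMPLE_WEAK = json.dumps({"kubeletconfig": {
    # Explicit list that drops most required suites and keeps a CBC/3DES suite.
    "tlsCipherSuites": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
}})
SAMPLE_DEFAULT = json.dumps({"kubeletconfig": {"authentication": {"anonymous": {"enabled": False}}}})


if __name__ == "__main__":
    for name, payload in [("compliant", SAMPLE_COMPLIANT),
                          ("weak", SAMPLE_WEAK),
                          ("default", SAMPLE_DEFAULT)]:
        status, missing = evaluate_configz(payload)
        print(f"{name}: {status}" + (f" (missing: {', '.join(missing)})" if missing else ""))
```

The `default` status is deliberately reported separately from `compliant`: the rule treats an empty `tlsCipherSuites` as passing, but an operator reviewing findings will usually want to know which nodes have never had an explicit cipher list applied, since those nodes' negotiated suites depend on the Go version the kubelet was built with rather than on cluster policy.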
REMEDIATION
Follow the directions in the OpenShift documentation to configure the tlsSecurityProfile.
Node
A node is a worker machine in Kubernetes, previously known as a minion. A node may be a VM or physical machine, depending on the cluster. Each node contains the services necessary to run pods and is managed by the master components. The services on a node include the container runtime, kubelet and kube-proxy.
Compliance Frameworks
- CIS Kubernetes Benchmark v1.24
- CIS OpenShift Container Platform v4 Benchmark v1.1.0
- OpenShift Container Platform v3