Force TLS 1.2/1.3 support for Kubernetes access.

Article ID: 225693

Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

A workaround to support TLS 1.2 & 1.3 for OI running on a Kubernetes Cluster.

Resolution

A Kubernetes cluster and DX OI were installed on a company site.
The customer came back saying that their security scan had flagged all the nodes in the cluster. The nodes were responding to TLSv1.0, TLSv1.2, SSLv1 and SSLv2, but their corporate policy only allows SSLv3 and TLSv1.2. If someone else runs into a similar situation, this is the workaround that was used:

By default, the NGINX Ingress Controller responds to all TLS and SSL versions. To limit it to a subset of protocols, edit the nginx-config ConfigMap and restart all Ingress Controller pods.

kubectl -n nginx-ingress edit cm nginx-config -o yaml

Add the lines below at the end (or append the key to the existing "data:" section):

data:
  ssl-protocols: SSLv3 TLSv1.2 # no comma in between

Save the edits to the ConfigMap and restart the pods:

for pod in $(kubectl -n nginx-ingress get pods -o name); do kubectl -n nginx-ingress delete "$pod"; done
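
To confirm the change took effect once the pods are back, the script below probes each protocol with openssl s_client and lists any accepted protocol that the policy does not allow. It is an added example, not part of the original article; the function names and the ingress host and port are assumptions, and protocols the local openssl cannot speak (SSLv2, and SSLv3 on many builds) still need the security scanner.

```sh
# Added example, not from the original article.
# Label:flag pairs for openssl s_client. Current openssl has no SSLv2 support,
# and many builds omit -ssl3; an unsupported flag reads as "refused" here.
PROTOS="SSLv3:-ssl3 TLSv1:-tls1 TLSv1.1:-tls1_1 TLSv1.2:-tls1_2 TLSv1.3:-tls1_3"

# probe HOST PORT FLAG: exit 0 when the handshake with that protocol completes.
probe() {
  openssl s_client -connect "$1:$2" "$3" </dev/null >/dev/null 2>&1
}

# accepted_protocols HOST PORT [PROBE_CMD]: print the labels the endpoint accepts.
# PROBE_CMD defaults to probe; it is a parameter so the logic can be run offline.
accepted_protocols() {
  local out="" p
  for p in $PROTOS; do
    if "${3:-probe}" "$1" "$2" "${p#*:}"; then out="$out ${p%%:*}"; fi
  done
  echo "${out# }"
}

# policy_violations "ACCEPTED" "ALLOWED": print accepted protocols outside the policy.
policy_violations() {
  local bad="" a
  for a in $1; do
    case " $2 " in
      *" $a "*) ;;
      *) bad="$bad $a" ;;
    esac
  done
  echo "${bad# }"
}

# Usage (hypothetical ingress address; the allowed list is read back from the ConfigMap):
#   allowed=$(kubectl -n nginx-ingress get cm nginx-config -o jsonpath='{.data.ssl-protocols}')
#   policy_violations "$(accepted_protocols ingress.example.com 443)" "$allowed"
```

An empty result from policy_violations means every protocol the probe could test matches the ConfigMap setting.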