SSL Ciphers Vulnerable to SWEET32 used on port 10250



Article ID: 321749


Updated On:

Products

VMware Integrated OpenStack

Issue/Introduction

A Nessus scan reports CVE-2016-2183 (SWEET32: TLS cipher suites based on the 64-bit block cipher 3DES) on port 10250, the port served by the kubelet on the VIO controllers.

Environment

7.x

Cause

The VIO controllers are missing the TLS cipher-suite restriction in the kubelet service that the VIO Manager already has, so the kubelet on port 10250 still offers 3DES-based cipher suites.

Resolution

  1. On each controller, edit /var/lib/kubelet/config.yaml and add the allowed cipher suites (all four are AEAD suites with forward secrecy; none uses 3DES):

tlsCipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  2. On each controller, edit /etc/systemd/system/kubelet.service.d/20-cloud.conf and add the same list to the kubelet command line with the cipher-suites flag (one line; no line break inside the value):

--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Keep the flag and the config.yaml value identical: when both are set, the kubelet applies the command-line value over the config file.

  3. After editing the files on each controller, reload systemd and restart the kubelet:

systemctl daemon-reload
systemctl restart kubelet

  4. After the restart, verify on each controller that the running kubelet process carries the flag:

ps -ef | grep tls-cipher-suites | more

Note: This is what you should see on the controllers when you run the ps -ef command (one long line; the --tls-cipher-suites value at the end must list exactly the four suites configured above):

vioadmin@controller-cm2qchdg5c [ ~ ]$  ps -ef |  grep tls-cipher-suites | more
root       592     1  9 Oct24 ?        2-07:16:50 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --cgroup-driver=cgroupfs --network-plugin=cni --pod-infra-container-image=vmware/pause:3.1 --resolv-conf=/run/systemd/resolve/resolv.conf --node-ip=192.168.0.27 --cloud-provider=vsphere --node-labels=viomachineset=controller1,openstack-control-plane=enabled --feature-gates=StartupProbe=true --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
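Eyeballing the ps output is easy to get wrong on a line that long, and it only proves the flag was passed, not that the listening port refuses 3DES. The script below is an added example and is not part of this article or of VMware Integrated OpenStack: it extracts the --tls-cipher-suites value from a kubelet command line, checks every suite against the allowlist the article configures and flags any 3DES suite as a SWEET32 finding, and provides an optional live probe that offers only 3DES suites to port 10250 with the openssl command-line tool (assumed to be installed on the host running the check). The sample kubelet line embedded in the script is a constructed, abridged copy of the ps output above.

```shell
#!/bin/sh
# Added example, not part of the VIO article: audit a kubelet's
# --tls-cipher-suites value for SWEET32-class suites from a `ps -ef` line,
# and optionally probe port 10250 with OpenSSL to confirm 3DES is refused.

# The four suites the article configures. Anything outside this allowlist is
# reported, and any 3DES suite is reported by name as a SWEET32 finding.
ALLOWED_SUITES='TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'

# Read a kubelet command line on stdin (e.g. `ps -ef | grep '[k]ubelet'`) and
# print the value of --tls-cipher-suites; prints nothing if the flag is absent.
extract_cipher_flag() {
    sed -n 's/.*--tls-cipher-suites=\([^ ]*\).*/\1/p'
}

# Audit a comma-separated suite list. Returns 0 when every suite is on the
# allowlist; otherwise prints each offending suite and returns 1. An empty
# list also fails: a kubelet without the flag runs Go's default suite set,
# which is what the scanner flagged.
audit_cipher_list() {
    list=$1
    bad=0
    if [ -z "$list" ]; then
        echo "no --tls-cipher-suites value: kubelet is using default suites"
        return 1
    fi
    old_ifs=$IFS
    IFS=,
    for suite in $list; do
        case $suite in
            *3DES*)
                echo "SWEET32 (CVE-2016-2183) suite enabled: $suite"
                bad=1 ;;
            *)
                if ! printf '%s\n' "$ALLOWED_SUITES" | grep -qxF "$suite"; then
                    echo "suite not on allowlist: $suite"
                    bad=1
                fi ;;
        esac
    done
    IFS=$old_ifs
    return $bad
}

# Live check (assumes the openssl command-line tool; run from a host that can
# reach the controller). Offers only 3DES suites over TLS 1.2 to the kubelet
# port: a completed handshake means SWEET32 suites are still accepted.
probe_3des() {
    host=$1
    port=${2:-10250}
    if openssl s_client -connect "$host:$port" -tls1_2 \
            -cipher 'DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA' </dev/null >/dev/null 2>&1; then
        echo "$host:$port still accepts 3DES (SWEET32 present)"
        return 1
    fi
    echo "$host:$port rejects 3DES"
    return 0
}

# Constructed, abridged sample of the kubelet line from the article's
# `ps -ef` output. On a controller use the live line instead:
#   ps -ef | grep '[k]ubelet' | extract_cipher_flag
SAMPLE_PS='root 592 1 9 Oct24 ? 2-07:16:50 /usr/bin/kubelet --config=/var/lib/kubelet/config.yaml --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'

suites=$(printf '%s\n' "$SAMPLE_PS" | extract_cipher_flag)
audit_cipher_list "$suites" && echo "kubelet cipher list is clean: $suites"
# To probe a real controller from another host: probe_3des 192.168.0.27 10250
```

The grep pattern '[k]ubelet' keeps the grep process itself out of the ps output, which the article's `grep tls-cipher-suites` does not. For a full picture of what the port negotiates, `nmap --script ssl-enum-ciphers -p 10250 <controller>` enumerates every accepted suite, which is essentially the check the scanner performed; after the fix only the four AES-GCM suites should appear.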