Pass through default tls-cipher-suites #6725
Conversation
Codecov ReportBase: 9.67% // Head: 9.66% // Decreases project coverage by
Additional details and impacted files@@ Coverage Diff @@
## master #6725 +/- ##
=========================================
- Coverage 9.67% 9.66% -0.01%
=========================================
Files 139 139
Lines 10227 10228 +1
=========================================
Hits 989 989
- Misses 9034 9035 +1
Partials 204 204
Flags with carried forward coverage won't be shown. Click here to find out more.
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report at Codecov. |
|
Can you open a Docs PR that adds the new arguments to https://docs.k3s.io/security/hardening-guide#control-plane-execution-and-arguments please? |
|
@dereknola do you have a suggestion on how to cover this in the docs? We already ship with hardened defaults so this isn't a big change on K3s. This fix is mostly for RKE2 where the apiserver wasn't using these because we weren't passing the defaults through - only the supervisor ports was using the hardened cipher list. |
|
My understanding is that this is largely for a pull-through to RKE2 yeah? looks sane to me |
In the docs for hardening, as part of explaining the underlying code, we break out the kubeapiserver arguments K3s automatically passes. We need to at to that with the |
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
brandond
force-pushed
the
passthrough_default_ciphers
branch
from
facbc52
to
ac53a9d
Compare
Proposed Changes
Pass through default tls-cipher-suites to kube-apiserver
Types of Changes
feature request
Verification
Check reported flags passed to kube-apiserver
Testing
Linked Issues
User-Facing Change
Further Comments