Kubernetes Cluster Hardening: Set Minimum TLS Version to 1.3

We are going to harden our Kubernetes cluster to use TLS 1.3 only.

Before We Begin

We are using our Kubernetes homelab in this article.

Kubernetes v1.19 added support for TLS 1.3 ciphers.

Etcd v3.5.8 added support for TLS 1.3.

Note that Kubernetes 1.27 ships Etcd v3.5.7, so you need to be on Kubernetes 1.28, which ships Etcd v3.5.8.

Set Minimum TLS Version to 1.3

TLS 1.3 is ubiquitous and has been available since 2018.

Kubernetes API Server

SSH into each control plane node and update the Kubernetes API server manifest file /etc/kubernetes/manifests/kube-apiserver.yaml to set the minimum TLS version to 1.3 by adding the following parameter to the container's command list:

- --tls-min-version=VersionTLS13

Wait for the API pod to get restarted and test it with openssl:

$ openssl s_client -connect 127.0.0.1:6443 -tls1_3

The output should include lines like these:

New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256

SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256

Kubelet

Update kubelet configuration file /var/lib/kubelet/config.yaml on all cluster nodes:

$ echo "tlsMinVersion: VersionTLS13" | sudo tee -a /var/lib/kubelet/config.yaml
$ sudo systemctl restart kubelet

Wait for the service to restart and then test it with openssl:

$ openssl s_client -connect 127.0.0.1:10250 -tls1_3

Etcd

SSH into each control plane node and update the Etcd server manifest file /etc/kubernetes/manifests/etcd.yaml to set the minimum TLS version to 1.3 by adding the following parameter to the container's command list (note that Etcd spells the value TLS1.3, not VersionTLS13):

- --tls-min-version=TLS1.3

Wait for the Etcd pod to get restarted and test it with openssl:

$ openssl s_client -connect 127.0.0.1:2379 -tls1_3
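To confirm all three settings survived on every node (and to catch the mismatch between the VersionTLS13 and TLS1.3 spellings, or a duplicated key left behind by running tee -a twice), here is a small audit script. It is an added example, not part of the original article; it matches lines in the manifest and kubelet config text directly, so it needs no YAML library, and the sample inputs at the bottom are constructed.

```python
"""Audit the TLS minimum-version settings the article applies (added example)."""
import re

# The accepted value differs per component: kube-apiserver and kubelet take
# Go-style names (VersionTLS13), while etcd takes "TLS1.3".
EXPECTED = {
    "kube-apiserver": ("--tls-min-version", "VersionTLS13"),
    "kubelet": ("tlsMinVersion", "VersionTLS13"),
    "etcd": ("--tls-min-version", "TLS1.3"),
}


def find_values(text, key):
    """Return every value assigned to `key` in a static pod manifest or kubelet config."""
    if key.startswith("--"):
        # Static pod manifest: container args appear as "- --flag=value" lines.
        pattern = r"^\s*-\s*" + re.escape(key) + r"=(\S+)\s*$"
    else:
        # KubeletConfiguration: a top-level "tlsMinVersion: value" line.
        pattern = r"^" + re.escape(key) + r":\s*(\S+)\s*$"
    return re.findall(pattern, text, re.MULTILINE)


def audit(component, text):
    """Return a finding string, or None when the component is configured as expected."""
    key, want = EXPECTED[component]
    values = find_values(text, key)
    if not values:
        return f"{component}: {key} not set"
    if len(values) > 1:
        # Appending with "tee -a" twice leaves duplicate keys; flag them instead of guessing which wins.
        return f"{component}: {key} set {len(values)} times, remove duplicates"
    if values[0] != want:
        return f"{component}: {key}={values[0]}, expected {want}"
    return None


def audit_cluster(files):
    """files maps component name -> file contents; returns the list of findings (empty = compliant)."""
    findings = []
    for component, text in files.items():
        finding = audit(component, text)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    # Constructed sample inputs, not real cluster files.
    sample = {
        "kube-apiserver": "    - --secure-port=6443\n    - --tls-min-version=VersionTLS13\n",
        "kubelet": "kind: KubeletConfiguration\ntlsMinVersion: VersionTLS12\n",
        "etcd": "    - --listen-client-urls=https://127.0.0.1:2379\n",
    }
    for finding in audit_cluster(sample):
        print(finding)
```

Run it against copies of the three files collected from each node; any printed line is a node that still needs the change from the steps above.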

References

https://github.com/kubernetes/kubernetes/pull/90843
https://github.com/etcd-io/etcd/blob/main/CHANGELOG/CHANGELOG-3.5.md#v358-2023-04-13
https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
