We are going to harden our Kubernetes cluster to use TLS 1.3 only.
Before We Begin
We are using our Kubernetes homelab in this article.
Kubernetes v1.19 added support for TLS 1.3 ciphers.
Etcd v3.5.8 added support for TLS 1.3.
Note that Kubernetes 1.27 ships Etcd v3.5.7, so you need to be on Kubernetes 1.28, which uses Etcd v3.5.8.
Set Minimum TLS Version to 1.3
TLS 1.3 is ubiquitous and has been available since 2018.
Kubernetes API Server
SSH into control planes and update the Kubernetes API server manifest file /etc/kubernetes/manifests/kube-apiserver.yaml
to set the minimum TLS version to 1.3 by adding the following flag to the container command:
- --tls-min-version=VersionTLS13
Wait for the API server pod to restart and test it with openssl:
$ openssl s_client -connect 127.0.0.1:6443 -tls1_3
The output should include lines like these:
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
Kubelet
Update kubelet configuration file /var/lib/kubelet/config.yaml
on all cluster nodes:
$ echo "tlsMinVersion: VersionTLS13" | sudo tee -a /var/lib/kubelet/config.yaml
$ sudo systemctl restart kubelet
Wait for the service to restart and then test it with openssl:
$ openssl s_client -connect 127.0.0.1:10250 -tls1_3
Etcd
SSH into control planes and update the Etcd server manifest file /etc/kubernetes/manifests/etcd.yaml
to set the minimum TLS version to 1.3 by adding the following flag to the container command:
- --tls-min-version=TLS1.3
Wait for the Etcd pod to restart and test it with openssl:
$ openssl s_client -connect 127.0.0.1:2379 -tls1_3
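The openssl commands above only show that TLS 1.3 is accepted; they do not show that TLS 1.2 is now refused. The following script is an added example (not part of the original article) that probes each hardened endpoint with both versions and fails unless TLS 1.2 is rejected and TLS 1.3 is negotiated. It assumes openssl 1.1.1 or newer (for -tls1_3) and, for the endpoint addresses given in the usage comment, that it runs on a control plane node.

```shell
#!/bin/sh
# Added example, not from the original article. Verifies that an endpoint
# refuses TLS 1.2 and still accepts TLS 1.3 after the changes above.
# Assumes openssl 1.1.1+ (needed for -tls1_3).

# Read openssl s_client output on stdin and print the negotiated protocol.
# s_client prints "New, TLSv1.3, Cipher is ..." for an established session
# and "New, (NONE), Cipher is (NONE)" when the server refused the handshake.
negotiated_protocol() {
    proto=$(sed -n 's/^New, \([^,]*\), Cipher is .*/\1/p' | head -n 1)
    case "$proto" in
        ""|"(NONE)") printf 'none\n' ;;
        *)           printf '%s\n' "$proto" ;;
    esac
}

# Probe one endpoint with TLS 1.2 and then TLS 1.3 and print a verdict.
# Returns 0 only if TLS 1.2 is refused and TLS 1.3 is negotiated.
# Only the negotiated version is inspected; whether the endpoint later
# demands a client certificate (kubelet, etcd) is not part of this check.
check_tls13_only() {
    name=$1; addr=$2
    v12=$(openssl s_client -connect "$addr" -tls1_2 </dev/null 2>/dev/null | negotiated_protocol)
    v13=$(openssl s_client -connect "$addr" -tls1_3 </dev/null 2>/dev/null | negotiated_protocol)
    if [ "$v12" = "none" ] && [ "$v13" = "TLSv1.3" ]; then
        printf '%-15s %-16s OK   (TLS 1.2 refused, TLS 1.3 accepted)\n' "$name" "$addr"
        return 0
    fi
    printf '%-15s %-16s FAIL (TLS 1.2 -> %s, TLS 1.3 -> %s)\n' "$name" "$addr" "$v12" "$v13"
    return 1
}

# Usage: sh tls13-check.sh name=host:port [...]   for example, on a control plane node:
#   sh tls13-check.sh kube-apiserver=127.0.0.1:6443 kubelet=127.0.0.1:10250 etcd=127.0.0.1:2379
# With no arguments only the functions are defined, so the file can be sourced.
rc=0
for ep in "$@"; do
    check_tls13_only "${ep%%=*}" "${ep#*=}" || rc=1
done
[ "$#" -eq 0 ] || exit "$rc"
```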
References
https://github.com/kubernetes/kubernetes/pull/90843
https://github.com/etcd-io/etcd/blob/main/CHANGELOG/CHANGELOG-3.5.md#v358-2023-04-13
https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/