jsonnet: disable insecure cypher suites for prometheus-adapter
Running sslscan against the prometheus adapter secure port reports two insecure SSL ciphers, ECDHE-RSA-DES-CBC3-SHA and DES-CBC3-SHA. This commit removes those ciphers from the list. Signed-off-by: fpetkovski <filip.petkovsky@gmail.com>
This commit is contained in:
fpetkovski
@@ -53,6 +53,23 @@ local defaults = {
|
|||||||
window: '5m',
|
window: '5m',
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
tlsCipherSuites: [
|
||||||
|
'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305',
|
||||||
|
'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305',
|
||||||
|
'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
|
||||||
|
'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
|
||||||
|
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
|
||||||
|
'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
|
||||||
|
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
|
||||||
|
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
|
||||||
|
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
|
||||||
|
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
|
||||||
|
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
|
||||||
|
'TLS_RSA_WITH_AES_128_GCM_SHA256',
|
||||||
|
'TLS_RSA_WITH_AES_256_GCM_SHA384',
|
||||||
|
'TLS_RSA_WITH_AES_128_CBC_SHA',
|
||||||
|
'TLS_RSA_WITH_AES_256_CBC_SHA',
|
||||||
|
],
|
||||||
};
|
};
|
||||||
|
|
||||||
function(params) {
|
function(params) {
|
||||||
@@ -145,6 +162,7 @@ function(params) {
|
|||||||
'--metrics-relist-interval=1m',
|
'--metrics-relist-interval=1m',
|
||||||
'--prometheus-url=' + pa._config.prometheusURL,
|
'--prometheus-url=' + pa._config.prometheusURL,
|
||||||
'--secure-port=6443',
|
'--secure-port=6443',
|
||||||
|
'--tls-cipher-suites=' + std.join(',', pa._config.tlsCipherSuites),
|
||||||
],
|
],
|
||||||
ports: [{ containerPort: 6443 }],
|
ports: [{ containerPort: 6443 }],
|
||||||
volumeMounts: [
|
volumeMounts: [
|
||||||
|
|||||||
@@ -35,6 +35,7 @@ spec:
|
|||||||
- --metrics-relist-interval=1m
|
- --metrics-relist-interval=1m
|
||||||
- --prometheus-url=http://prometheus-k8s.monitoring.svc.cluster.local:9090/
|
- --prometheus-url=http://prometheus-k8s.monitoring.svc.cluster.local:9090/
|
||||||
- --secure-port=6443
|
- --secure-port=6443
|
||||||
|
- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
|
||||||
image: directxman12/k8s-prometheus-adapter:v0.8.4
|
image: directxman12/k8s-prometheus-adapter:v0.8.4
|
||||||
name: prometheus-adapter
|
name: prometheus-adapter
|
||||||
ports:
|
ports:
|
||||||
|
|||||||
Reference in New Issue
Block a user