kube-prometheus: Disable known insecure TLS cipher suites

2019-01-17 14:13:24 +01:00
parent 0423a7ff81
commit 6252f6e2af
3 changed files with 58 additions and 5 deletions
--- a/jsonnet/kube-prometheus/kube-prometheus.libsonnet
+++ b/jsonnet/kube-prometheus/kube-prometheus.libsonnet
@@ -42,6 +42,31 @@ local configMapList = k.core.v1.configMapList;
  _config+:: {
    namespace: 'default',

+    tlsCipherSuites: [
+      // 'TLS_RSA_WITH_RC4_128_SHA',            // insecure: https://access.redhat.com/security/cve/cve-2013-2566
+      // 'TLS_RSA_WITH_3DES_EDE_CBC_SHA',       // insecure: https://access.redhat.com/articles/2548661
+      'TLS_RSA_WITH_AES_128_CBC_SHA',
+      'TLS_RSA_WITH_AES_256_CBC_SHA',
+      'TLS_RSA_WITH_AES_128_CBC_SHA256',
+      'TLS_RSA_WITH_AES_128_GCM_SHA256',
+      'TLS_RSA_WITH_AES_256_GCM_SHA384',
+      // 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA',    // insecure: https://access.redhat.com/security/cve/cve-2013-2566
+      'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
+      'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
+      // 'TLS_ECDHE_RSA_WITH_RC4_128_SHA',      // insecure: https://access.redhat.com/security/cve/cve-2013-2566
+      // 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661
+      'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
+      'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
+      'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
+      'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
+      'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
+      'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
+      'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
+      'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
+      'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305',
+      'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305',
+    ],
+
    cadvisorSelector: 'job="kubelet"',
    kubeletSelector: 'job="kubelet"',
    kubeStateMetricsSelector: 'job="kube-state-metrics"',