easylinux/kube-prometheus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

kube-prometheus: Disable known insecure TLS cipher suites

Browse Source
This commit is contained in:
Frederic Branczyk
2019-01-17 14:13:24 +01:00
parent 0423a7ff81
commit 6252f6e2af
3 changed files with 58 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
jsonnet/kube-prometheus/kube-prometheus.libsonnet
View File

@@ -42,6 +42,31 @@ local configMapList = k.core.v1.configMapList;
_config+:: { _config+:: {
namespace: 'default', namespace: 'default',
tlsCipherSuites: [
// 'TLS_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
// 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661
'TLS_RSA_WITH_AES_128_CBC_SHA',
'TLS_RSA_WITH_AES_256_CBC_SHA',
'TLS_RSA_WITH_AES_128_CBC_SHA256',
'TLS_RSA_WITH_AES_128_GCM_SHA256',
'TLS_RSA_WITH_AES_256_GCM_SHA384',
// 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
// 'TLS_ECDHE_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
// 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305',
'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305',
],
cadvisorSelector: 'job="kubelet"', cadvisorSelector: 'job="kubelet"',
kubeletSelector: 'job="kubelet"', kubeletSelector: 'job="kubelet"',
kubeStateMetricsSelector: 'job="kube-state-metrics"', kubeStateMetricsSelector: 'job="kube-state-metrics"',

37
jsonnet/kube-prometheus/kube-state-metrics/kube-state-metrics.libsonnet
View File

@@ -4,6 +4,31 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
_config+:: { _config+:: {
namespace: 'default', namespace: 'default',
tlsCipherSuites: [
// 'TLS_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
// 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661
'TLS_RSA_WITH_AES_128_CBC_SHA',
'TLS_RSA_WITH_AES_256_CBC_SHA',
'TLS_RSA_WITH_AES_128_CBC_SHA256',
'TLS_RSA_WITH_AES_128_GCM_SHA256',
'TLS_RSA_WITH_AES_256_GCM_SHA384',
// 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
// 'TLS_ECDHE_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566
// 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305',
'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305',
],
kubeStateMetrics+:: { kubeStateMetrics+:: {
collectors: '', // empty string gets a default set collectors: '', // empty string gets a default set
scrapeInterval: '30s', scrapeInterval: '30s',
@@ -110,11 +135,11 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
rulesType.withVerbs(['create']); rulesType.withVerbs(['create']);
local policyRule = rulesType.new() + local policyRule = rulesType.new() +
rulesType.withApiGroups(['policy']) + rulesType.withApiGroups(['policy']) +
rulesType.withResources([ rulesType.withResources([
'poddisruptionbudgets', 'poddisruptionbudgets',
]) + ]) +
rulesType.withVerbs(['list', 'watch']); rulesType.withVerbs(['list', 'watch']);
local rules = [coreRule, extensionsRule, appsRule, batchRule, autoscalingRule, authenticationRole, authorizationRole, policyRule]; local rules = [coreRule, extensionsRule, appsRule, batchRule, autoscalingRule, authenticationRole, authorizationRole, policyRule];
@@ -135,6 +160,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
container.new('kube-rbac-proxy-main', $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy) + container.new('kube-rbac-proxy-main', $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy) +
container.withArgs([ container.withArgs([
'--secure-listen-address=:8443', '--secure-listen-address=:8443',
'--tls-cipher-suites=' + std.join(',', $._config.tlsCipherSuites),
'--upstream=http://127.0.0.1:8081/', '--upstream=http://127.0.0.1:8081/',
]) + ]) +
container.withPorts(containerPort.newNamed('https-main', 8443)) + container.withPorts(containerPort.newNamed('https-main', 8443)) +
@@ -145,6 +171,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
container.new('kube-rbac-proxy-self', $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy) + container.new('kube-rbac-proxy-self', $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy) +
container.withArgs([ container.withArgs([
'--secure-listen-address=:9443', '--secure-listen-address=:9443',
'--tls-cipher-suites=' + std.join(',', $._config.tlsCipherSuites),
'--upstream=http://127.0.0.1:8082/', '--upstream=http://127.0.0.1:8082/',
]) + ]) +
container.withPorts(containerPort.newNamed('https-self', 9443)) + container.withPorts(containerPort.newNamed('https-self', 9443)) +

1
jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
View File

@@ -107,6 +107,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
container.new('kube-rbac-proxy', $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy) + container.new('kube-rbac-proxy', $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy) +
container.withArgs([ container.withArgs([
'--secure-listen-address=$(IP):' + $._config.nodeExporter.port, '--secure-listen-address=$(IP):' + $._config.nodeExporter.port,
'--tls-cipher-suites=' + std.join(',', $._config.tlsCipherSuites),
'--upstream=http://127.0.0.1:' + $._config.nodeExporter.port + '/', '--upstream=http://127.0.0.1:' + $._config.nodeExporter.port + '/',
]) + ]) +
// Keep `hostPort` here, rather than in the node-exporter container // Keep `hostPort` here, rather than in the node-exporter container