
Our recent VA report shows that TLS/SSL Birthday attacks on 64-bit block ciphers are possible on Kubernetes etcd ports.

The suggested solution is to configure the server to disable support for the 3DES suite.

Our problems are:

  • How to disable support for the 3DES suite?
  • How will this configuration affect our running Kubernetes services?
  • How to configure the server to disable support for static key cipher suites?

Here suggests a way to do this for the API server only, but I don't understand how to apply it to a running Kubernetes instance.

Any help or suggestions will be greatly appreciated. Also note, I am not an expert net admin.

1 Answer

The cipher suites can be set via the --cipher-suites parameter:

$ etcd \
  --cipher-suites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

According to here, those cipher suites should be secure.

Edit:

To fix this for etcd running in Kubernetes on Ubuntu 18.04 LTS:

Edit /etc/etcd.env and add this line:

ETCD_CIPHER_SUITES=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Henrik Pingel
  • docker: Error response from daemon: Conflict. The container name "/etcd1" is already in use by container "9f4c86.....". You have to remove (or rename) that container to be able to reuse that name. – Sachith Muhandiram Oct 25 '20 at 15:24
  • That means that an etcd container is already running. You need to add that parameter to the service/start script/k8s deployment which manages your etcd cluster. It depends on your specific setup. – Henrik Pingel Oct 25 '20 at 16:16
  • Sorry for bothering, but where are these scripts located? I have Ubuntu 18.04 servers with Kubernetes v1.18.5 – Sachith Muhandiram Oct 25 '20 at 16:43
  • Sorry, as said, that depends on your setup. I usually worked with managed k8s clusters. Maybe it was set up like this: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/setup-ha-etcd-with-kubeadm/ – Henrik Pingel Oct 26 '20 at 09:51
  • Yes, it's not your fault. I added that part to make it easy for someone. Here we have bare-metal servers. It's really hard to find solutions, and we are also newbies to Kubernetes. – Sachith Muhandiram Oct 26 '20 at 10:00
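etcd is written in Go, and the names accepted by --cipher-suites / ETCD_CIPHER_SUITES are the cipher suite names from Go's crypto/tls package; etcd rejects a name it does not recognise, so a typo in /etc/etcd.env stops the member from starting. The following Go program is an added example (not part of the answer above and not etcd's own code) that validates a proposed ETCD_CIPHER_SUITES value before it is rolled out: it checks every name against what the Go toolchain knows, and flags the two classes the question asks about, 64-bit block ciphers (3DES, the SWEET32 birthday attack) and static RSA key exchange (the TLS_RSA_ suites, which give no forward secrecy). The additional rejection of non-AEAD (CBC) and RC4 suites is a policy choice of this example, not something the answer states. The CheckCipherSuites function and the Finding type are assumed names introduced here.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"os"
	"strings"
)

// Finding records why one configured suite fails the policy.
type Finding struct {
	Suite   string
	Reasons []string
}

// knownSuites maps the cipher suite names this Go toolchain knows (both the
// recommended and the insecure list) to their crypto/tls descriptions.
func knownSuites() map[string]*tls.CipherSuite {
	m := make(map[string]*tls.CipherSuite)
	for _, cs := range tls.CipherSuites() {
		m[cs.Name] = cs
	}
	for _, cs := range tls.InsecureCipherSuites() {
		m[cs.Name] = cs
	}
	return m
}

// CheckCipherSuites parses a comma-separated ETCD_CIPHER_SUITES value and
// returns the suites that pass the policy plus one Finding per rejected suite.
func CheckCipherSuites(value string) (approved []string, findings []Finding) {
	known := knownSuites()
	for _, raw := range strings.Split(value, ",") {
		name := strings.TrimSpace(raw)
		if name == "" {
			continue
		}
		var reasons []string
		// 3DES has a 64-bit block: the SWEET32 birthday attack the VA report refers to.
		if strings.Contains(name, "3DES") {
			reasons = append(reasons, "64-bit block cipher (3DES), exposed to SWEET32")
		}
		if strings.Contains(name, "RC4") {
			reasons = append(reasons, "RC4 stream cipher is broken")
		}
		// TLS_RSA_* suites use the server's RSA key for key exchange: static key, no forward secrecy.
		if strings.HasPrefix(name, "TLS_RSA_") {
			reasons = append(reasons, "static RSA key exchange, no forward secrecy")
		}
		// Policy choice of this example: only AEAD suites (GCM, ChaCha20-Poly1305, TLS 1.3).
		aead := strings.Contains(name, "_GCM_") || strings.Contains(name, "CHACHA20") || strings.HasPrefix(name, "TLS_AES_")
		if !aead {
			reasons = append(reasons, "not an AEAD suite (CBC mode)")
		}
		cs, ok := known[name]
		if !ok {
			reasons = append(reasons, "not a cipher suite name known to crypto/tls; etcd would reject it")
		} else if cs.Insecure {
			reasons = append(reasons, "listed by crypto/tls as insecure")
		}
		if len(reasons) == 0 {
			approved = append(approved, name)
		} else {
			findings = append(findings, Finding{Suite: name, Reasons: reasons})
		}
	}
	return approved, findings
}

func main() {
	// Reads the value to check from ETCD_CIPHER_SUITES or the first argument.
	value := os.Getenv("ETCD_CIPHER_SUITES")
	if len(os.Args) > 1 {
		value = os.Args[1]
	}
	approved, findings := CheckCipherSuites(value)
	for _, s := range approved {
		fmt.Printf("OK       %s\n", s)
	}
	for _, f := range findings {
		fmt.Printf("REJECT   %s: %s\n", f.Suite, strings.Join(f.Reasons, "; "))
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

Run it as `ETCD_CIPHER_SUITES=... go run check.go` on the exact string you intend to put into /etc/etcd.env; a non-zero exit means at least one suite would either be rejected by etcd or reintroduce the weakness the VA report flagged. The two suites from the answer pass, while a list containing TLS_RSA_WITH_3DES_EDE_CBC_SHA is rejected for both the 3DES block size and the static RSA key exchange.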