Merge pull request #1765 from csschwe/support_tls_min_version

Feature Request #1741: Adding support for tls minimum version
2024-06-07 19:41:36 +00:00 · 2020-05-07 08:24:10 -07:00 · 2020-05-07 08:24:10 -07:00 · 904af8fce7
commit 904af8fce7
parent cb4b34763e ca9c9c2e1e
3 changed files with 33 additions and 1 deletions
--- a/pkg/cli/server/server.go
+++ b/pkg/cli/server/server.go
@ -21,6 +21,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
 	"k8s.io/apimachinery/pkg/util/net"
+	kubeapiserverflag "k8s.io/component-base/cli/flag"
 	"k8s.io/kubernetes/pkg/master"

 	_ "github.com/go-sql-driver/mysql" // ensure we have mysql
@ -183,6 +184,20 @@ func run(app *cli.Context, cfg *cmds.Server) error {
 		serverConfig.ControlConfig.Disables["ccm"] = true
 	}

+	TLSMinVersion := getArgValueFromList("tls-min-version", cfg.ExtraAPIArgs)
+	serverConfig.ControlConfig.TLSMinVersion, err = kubeapiserverflag.TLSVersion(TLSMinVersion)
+	if err != nil {
+		return errors.Wrapf(err, "Invalid TLS Version %s: %v", TLSMinVersion, err)
+	}
+
+	TLSCipherSuites := []string{getArgValueFromList("tls-cipher-suites", cfg.ExtraAPIArgs)}
+	if len(TLSCipherSuites) != 0 && TLSCipherSuites[0] != "" {
+		serverConfig.ControlConfig.TLSCipherSuites, err = kubeapiserverflag.TLSCipherSuites(TLSCipherSuites)
+		if err != nil {
+			return errors.Wrapf(err, "Invalid TLS Cipher Suites %s: %v", TLSCipherSuites, err)
+		}
+	}
+
 	logrus.Info("Starting k3s ", app.App.Version)
 	notifySocket := os.Getenv("NOTIFY_SOCKET")
 	os.Unsetenv("NOTIFY_SOCKET")
@ -240,3 +255,16 @@ func knownIPs(ips []string) []string {
 	}
 	return ips
 }
+
+func getArgValueFromList(searchArg string, argList []string) string {
+	var value string
+	for _, arg := range argList {
+		splitArg := strings.SplitN(arg, "=", 2)
+		if splitArg[0] == searchArg {
+			value = splitArg[1]
+			// break if we found our value
+			break
+		}
+	}
+	return value
+}
--- a/pkg/cluster/https.go
+++ b/pkg/cluster/https.go
@ -33,7 +33,9 @@ func (c *Cluster) newListener(ctx context.Context) (net.Listener, http.Handler,
 		CN:           "k3s",
 		Organization: []string{"k3s"},
 		TLSConfig: tls.Config{
-			ClientAuth: tls.RequestClientCert,
+			ClientAuth:   tls.RequestClientCert,
+			MinVersion:   c.config.TLSMinVersion,
+			CipherSuites: c.config.TLSCipherSuites,
 		},
 		SANs: append(c.config.SANs, "localhost", "kubernetes", "kubernetes.default", "kubernetes.default.svc."+c.config.ClusterDomain),
 	})
--- a/pkg/daemons/config/types.go
+++ b/pkg/daemons/config/types.go
@ -122,6 +122,8 @@ type Control struct {
 	ClusterInit              bool
 	ClusterReset             bool
 	EncryptSecrets           bool
+	TLSMinVersion            uint16
+	TLSCipherSuites          []uint16

 	BindAddress string
 	SANs        []string