Merge pull request k8snetworkplumbingwg#67 from s1061123/cipher-harde…

…ning Update cipher for security hardenings
nokia · Oct 18, 2023 · adb8e47 · adb8e47
2 parents 5aa3c00 + 6b7eabd
commit adb8e47
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/cmd/webhook/main.go b/cmd/webhook/main.go
@@ -92,6 +92,12 @@ func main() {
 			Addr: fmt.Sprintf("%s:%d", *address, *port),
 			TLSConfig: &tls.Config{
 				GetCertificate: keyPair.GetCertificateFunc(),
+				MinVersion: tls.VersionTLS12,
+				CipherSuites: []uint16{
+					tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+					tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+					tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+				},
 			},
 		}
 

diff --git a/deployments/deployment.yaml b/deployments/deployment.yaml
@@ -48,7 +48,7 @@ spec:
         args:
         - --logtostderr
         - --secure-listen-address=0.0.0.0:8443
-        - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+        - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
         - --upstream=http://127.0.0.1:9091/
         - --tls-private-key-file=/etc/webhook/key.pem
         - --tls-cert-file=/etc/webhook/cert.pem