Match EKS Optimized AMIs' TLS ciphers

[arnaldo2792]

Issue number:

Related to bottlerocket-os/bottlerocket#1667

Description of changes:

Match the TLS ciphers that the EKS Optimized AMIs use. This also helps with a problem observed in VMware variants, where the kubelet HTTPS server refused TLS connections in FIPS mode.

Testing done:

• AWS k8s 1.24, kubectl exec and kubectl logs work
• AWS k8s 1.25, kubectl exec and kubectl logs work
• AWS k8s 1.26, kubectl exec and kubectl logs work
• AWS k8s 1.27, kubectl exec and kubectl logs work
• AWS k8s 1.28, kubectl exec and kubectl logs work
• AWS k8s 1.29, kubectl exec and kubectl logs work
• AWS k8s 1.30, kubectl exec and kubectl logs work
• AWS k8s 1.31, kubectl exec and kubectl logs work
• VMware k8s 1.28, kubectl exec and kubectl logs work
• VMware k8s 1.29, kubectl exec and kubectl logs work
• VMware k8s 1.30, kubectl exec and kubectl logs work
• VMware k8s 1.31, kubectl exec and kubectl logs work

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

[bcressey]

Can you verify that apiclient report cis-k8s still passes?

There's a check in the scanner for this.

[arnaldo2792]

Yes, I'll make sure I run it.

[arnaldo2792]

I ran the check in k8s 1.24 through 1.31, and all gave me similar outputs:

[ssm-user@control]$ apiclient report cis-k8s
Benchmark name:  CIS Kubernetes Benchmark (Worker Node)
Version:         v1.8.0
Reference:       https://www.cisecurity.org/benchmark/kubernetes
Benchmark level: 1
Start time:      2024-11-01T00:46:09.640704884Z

[PASS] 4.1.1     Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automatic)
[PASS] 4.1.2     Ensure that the kubelet service file ownership is set to root:root (Automatic)
[SKIP] 4.1.3     If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive (Manual)
[SKIP] 4.1.4     If proxy kubeconfig file exists ensure ownership is set to root:root (Manual)
[PASS] 4.1.5     Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive (Automatic)
[PASS] 4.1.6     Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root (Automatic)
[PASS] 4.1.7     Ensure that the certificate authorities file permissions are set to 600 or more restrictive (Automatic)
[PASS] 4.1.8     Ensure that the client certificate authorities file ownership is set to root:root (Automatic)
[PASS] 4.1.9     If the kubelet config.yaml configuration file is being used validate permissions set to 600 or more restrictive (Automatic)
[PASS] 4.1.10    If the kubelet config.yaml configuration file is being used validate file ownership is set to root:root (Automatic)
[PASS] 4.2.1     Ensure that the --anonymous-auth argument is set to false (Automatic)
[PASS] 4.2.2     Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automatic)
[PASS] 4.2.3     Ensure that the --client-ca-file argument is set as appropriate (Automatic)
[PASS] 4.2.4     Verify that the --read-only-port argument is set to 0 (Automatic)
[PASS] 4.2.5     Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automatic)
[PASS] 4.2.6     Ensure that the --make-iptables-util-chains argument is set to true (Automatic)
[SKIP] 4.2.7     Ensure that the --hostname-override argument is not set (not valid for Bottlerocket) (Manual)
[PASS] 4.2.9     Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automatic)
[SKIP] 4.2.10    Ensure that the --rotate-certificates argument is not set to false (not valid for Bottlerocket) (Manual)
[PASS] 4.2.11    Verify that the RotateKubeletServerCertificate argument is set to true (Automatic)
[PASS] 4.2.12    Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Automatic)
[PASS] 4.2.13    Ensure that a limit is set on pod PIDs (Automatic)

Passed:          18
Failed:          0
Skipped:         4
Total checks:    22

Compliance check result: PASS
[ssm-user@control]$

None of them showed any Failed.

[bcressey]

From the Go 1.22 release notes

By default, cipher suites without ECDHE support are no longer offered by either clients or servers during pre-TLS 1.3 handshakes. This change can be reverted with the tlsrsakex=1 GODEBUG setting.

So I expect these last two can't actually be negotiated unless we took special steps to allow it, but that should be fine.

[bcressey]

Any "joins cluster" tests aren't going to tell us much here; the question is whether kubectl logs and kubectl exec still work, since those connect to the kubelet server.