To configure a TLS security profile for the control plane, edit the APIServer
custom resource (CR) to specify a predefined or custom TLS security profile. Setting the TLS security profile in the APIServer
CR propagates the setting to the following control plane components:
If a TLS security profile is not configured, the default TLS security profile is Intermediate
.
|
The default TLS security profile for the ingress Controller is based on the TLS security profile set for the API server.
|
Sample APIServer
CR that configures the Old
TLS security profile
apiVersion: config.openshift.io/v1
kind: APIServer
...
spec:
tlsSecurityProfile:
old: {}
type: Old
...
The TLS security profile defines the minimum TLS version and the TLS ciphers required to communicate with the control plane components.
You can see the configured TLS security profile in the APIServer
custom resource (CR) under Spec.Tls Security Profile
. For the Custom
TLS security profile, the specific ciphers and minimum TLS version are listed.
|
The control plane does not support TLS 1.3 as the minimum TLS version; the Modern profile is not supported because it requires TLS 1.3 .
|
Procedure
-
Edit the default APIServer
CR to configure the TLS security profile:
$ oc edit APIServer cluster
-
Add the spec.tlsSecurityProfile
field:
Sample APIServer
CR for a Custom
profile
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
name: cluster
spec:
tlsSecurityProfile:
type: Custom (1)
custom: (2)
ciphers: (3)
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES128-GCM-SHA256
minTLSVersion: VersionTLS11
1 |
Specify the TLS security profile type (Old , Intermediate , or Custom ). The default is Intermediate . |
2 |
Specify the appropriate field for the selected type:
-
old: {}
-
intermediate: {}
-
custom:
|
3 |
For the custom type, specify a list of TLS ciphers and minimum accepted TLS version. |
-
Save the file to apply the changes.