Profile Applicability:
Level 1
Description:
The Kubelet is a critical component of the Kubernetes control plane responsible for managing containers and pods on each node. It serves its API over HTTPS, so the TLS cipher suites it accepts determine how well that communication is protected. This check ensures that the Kubelet uses only strong cryptographic cipher suites, preventing the use of weak or outdated ciphers that are vulnerable to attack.
Rationale:
Using weak or outdated cryptographic ciphers can expose the cluster to vulnerabilities, such as cipher block chaining (CBC) attacks, man-in-the-middle attacks, or other forms of cryptographic compromise. By enforcing the use of strong ciphers, you ensure that the Kubelet communication is resistant to modern cryptographic threats and adheres to security best practices for data encryption.
Impact:
Pros:
Enhances security by enforcing the use of robust, modern cryptographic ciphers.
Reduces the risk of cryptographic attacks or exploitation of weak ciphers.
Ensures compliance with industry standards for secure communication.
Cons:
Requires configuration changes and a Kubelet restart, which may mean downtime or additional planning if not implemented correctly.
Some older clients or services may not support the stronger ciphers, leading to potential communication issues.
Default Value:
By default, the Kubelet may allow weak ciphers in its TLS (Transport Layer Security) configuration if not explicitly restricted. This check ensures that only strong, up-to-date ciphers are in use.
Pre-requisites:
Ensure that the Kubelet is configured with the correct TLS settings and that appropriate ciphers are specified to use only strong cryptographic algorithms.
Test Plan:
Using Azure Console:
Navigate to the Azure portal and access your Azure Kubernetes Service (AKS) cluster.
Review the Kubelet configuration to ensure that it only allows strong cryptographic ciphers. This can be done by checking the TLS configuration settings for the Kubelet.
Ensure that no weak or deprecated cryptographic ciphers (such as RC4, DES, or 3DES) are listed in the Kubelet's allowed ciphers.
Using Azure CLI:
1. Verify the Kubelet's cipher-suite configuration by reviewing the kubelet configuration file or the command-line flags used to start the Kubelet service, for example by reading the running configuration that the Kubelet exposes at /configz through the API server proxy (the Kubelet is a node agent, not a pod, so it cannot be inspected with kubectl describe pod):
kubectl get --raw "/api/v1/nodes/<node-name>/proxy/configz"
2. Ensure that the Kubelet is configured with strong ciphers by checking its TLS settings:
kubelet --tls-cipher-suites=<strong-ciphers-list>
3. Check the cipher settings in the Kubelet configuration file (usually /etc/kubernetes/kubelet.conf) to ensure that only secure, up-to-date ciphers are specified.
Implementation Plan:
Using Azure Console:
In the Azure portal, navigate to your AKS cluster and access the Kubelet configuration.
Ensure that the Kubelet is configured to use strong cryptographic ciphers. For example, modify the kubelet configuration to include only strong ciphers in its TLS settings. The list of strong ciphers should exclude weak ciphers such as RC4, 3DES, or DES.
Apply these configurations to ensure that only strong ciphers are in use.
Using Azure CLI:
1. Check the current Kubelet configuration using:
kubectl describe configmap kubelet -n kube-system
2. Ensure that the TLS cipher suites are restricted to modern, secure ciphers:
kubelet --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
3. To update the Kubelet's cipher suite settings, edit the Kubelet configuration or the kubelet service:
Modify the Kubelet configuration file (e.g., /etc/kubernetes/kubelet.conf).
Restart the Kubelet after the changes are applied to ensure that the new cipher settings take effect.
4. Test that only strong ciphers are allowed by attempting a TLS handshake against the Kubelet's serving port (10250 by default) with a cipher that is not in the configured list; the handshake should fail, while a handshake with one of the configured strong ciphers should succeed:
openssl s_client -connect <node-ip>:10250 -tls1_2 -cipher <weak-cipher>
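A script that performs the Test Plan check and step 4 above against a cipher-suite list, added here as an example and not taken from the benchmark or from Kubernetes; it assumes kubectl and jq are installed, that kubectl can reach the API server, and that the Kubelet's /configz response nests its configuration under a kubeletconfig key (the function names is_weak_suite, audit_suites and audit_node are chosen here):

```shell
#!/bin/sh
# Added example, not part of the benchmark: audit a Kubelet
# tlsCipherSuites / --tls-cipher-suites list for weak entries.

# Classify one suite name. Returns 0 (true) when it is weak: RC4/DES/3DES,
# CBC mode, NULL/EXPORT/MD5, or static-RSA key exchange (TLS_RSA_WITH_*,
# which offers no forward secrecy).
is_weak_suite() {
  case "$1" in
    *RC4*|*3DES*|*_DES_*|*_CBC_*|*NULL*|*EXPORT*|*MD5*|TLS_RSA_WITH_*)
      return 0 ;;
    *) return 1 ;;
  esac
}

# Audit a comma-separated list as given to --tls-cipher-suites.
# Prints a verdict per suite; returns 0 only when the list is non-empty
# and every suite is strong. An empty list means the Kubelet falls back
# to Go's default set, which still includes CBC suites, so that is a
# failure too.
audit_suites() {
  list=$1
  if [ -z "$list" ]; then
    echo "FAIL   no tlsCipherSuites configured (defaults in use)"
    return 1
  fi
  rc=0
  old_ifs=$IFS; IFS=,
  for suite in $list; do
    if is_weak_suite "$suite"; then
      echo "WEAK   $suite"; rc=1
    else
      echo "OK     $suite"
    fi
  done
  IFS=$old_ifs
  return $rc
}

# Live check of one node's running Kubelet via /configz, proxied through
# the API server (assumes kubectl and jq, and a "kubeletconfig" key).
audit_node() {
  suites=$(kubectl get --raw "/api/v1/nodes/$1/proxy/configz" \
    | jq -r '.kubeletconfig.tlsCipherSuites // [] | join(",")')
  audit_suites "$suites"
}

# Constructed inputs: the hardened list and the backout list from this page.
STRONG="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
WEAK="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
```

Run `audit_node <node-name>` against a live cluster, or `audit_suites "$STRONG"` to check a list taken from a config file; a non-zero exit status means the node fails this check.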
Backout Plan:
Using Azure Console:
If enforcing strong ciphers causes issues with Kubernetes services or clients, revert the Kubelet settings to use weaker ciphers by modifying the TLS cipher suites configuration and restarting the Kubelet.
Using Azure CLI:
1. Revert the Kubelet configuration by restoring the TLS cipher suites to a less restrictive set:
kubelet --tls-cipher-suites=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
2. Restart the Kubelet after reverting the cipher settings:
systemctl restart kubelet