From fdf6fe8e6299d620abb3f5c23dcab3cb38fb9367 Mon Sep 17 00:00:00 2001 From: Lennard Klein <1254068+lennardk@users.noreply.github.com> Date: Wed, 19 Nov 2025 11:37:03 +0100 Subject: [PATCH] feat: update TLS cipher suites for API server These are the recommended values from CIS 0.12 guidelines Signed-off-by: Lennard Klein (cherry picked from commit 9ed488d09648c09a9a5c1ed6a5cd245b84cd415d)
---
 .../machined/pkg/controllers/k8s/control_plane_static_pod.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/app/machined/pkg/controllers/k8s/control_plane_static_pod.go b/internal/app/machined/pkg/controllers/k8s/control_plane_static_pod.go
index 4a2fc39bd..350faac79 100644
--- a/internal/app/machined/pkg/controllers/k8s/control_plane_static_pod.go
+++ b/internal/app/machined/pkg/controllers/k8s/control_plane_static_pod.go
@@ -371,7 +371,7 @@ func (ctrl *ControlPlaneStaticPodController) manageAPIServer(ctx context.Context
 "enable-bootstrap-token-auth": "true",
 // NB: using TLS 1.2 instead of 1.3 here for interoperability, since this is an externally-facing service.
 "tls-min-version": "VersionTLS12",
- "tls-cipher-suites": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256", //nolint:lll
+ "tls-cipher-suites": "TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", //nolint:lll
 "encryption-provider-config": filepath.Join(constants.KubernetesAPIServerSecretsDir, "encryptionconfig.yaml"),
 "audit-policy-file": filepath.Join(constants.KubernetesAPIServerConfigDir, "auditpolicy.yaml"),
 "audit-log-path": filepath.Join(constants.KubernetesAuditLogDir, "kube-apiserver.log"),
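Review bot: The new `tls-cipher-suites` value mixes TLS 1.3 suite names (`TLS_AES_128_GCM_SHA256`, `TLS_AES_256_GCM_SHA384`, `TLS_CHACHA20_POLY1305_SHA256`) into a list that, once it reaches kube-apiserver's Go `crypto/tls` config, only constrains TLS 1.2 handshakes — the `crypto/tls` documentation states TLS 1.3 suites are not configurable and are always enabled, so those three entries are accepted but inert, and the `// NB:` comment above this line now undersells what it does. I would extend that comment, e.g. `// NB: the TLS 1.3 suite names below are kept to match the CIS list, but Go's crypto/tls always enables all TLS 1.3 suites; this list only restricts TLS 1.2 handshakes.` If the apiserver resolves these names through component-base's cipher table (as I believe it does), `TLS_ECDHE_*_WITH_CHACHA20_POLY1305` and the `_SHA256`-suffixed spelling map to the same suite ID, so one of each pair is redundant and could be dropped to keep the list readable. Removing the `TLS_RSA_WITH_*` suites is the point of the change (they were the only non-forward-secret options), but it does mean clients unable to negotiate ECDHE are now refused, which is worth a sentence in the commit message given the "externally-facing" interoperability note. `manageAPIServer` starts and ends outside this hunk.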