Kubernetes: Disable TLS 1.0 and 1.1 on nginx ingress

Time:10-13

There is an existing nginx ingress named nginx-proxy running on the K8s cluster.

Now there is a requirement from the Dev team to disable TLS 1.0 and 1.1 support.

Upon searching, I found this solution using a ConfigMap.

Do you think applying/creating a new ConfigMap as follows for an existing nginx ingress would help me resolve the issue?

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-proxy
data:
  ssl-protocols: "TLSv1.2 TLSv1.3"

Would adding a new ConfigMap like that to an existing nginx ingress break anything? This is for a production website.

A piece of advice would be really helpful.

CodePudding user response:

You can follow this official document for disabling TLS 1.0:

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-config
data:
  ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
  ssl-protocols: "TLSv1.2 TLSv1.3"

You also need to update the ciphers per version instead of using the default ones.

You can try with the above configmap.

Also, I would recommend updating the SSL/TLS cert if you are using one in the ingress.

If you are using cert-manager, please try deleting the secret which contains the SSL/TLS cert for the ingress endpoint and getting the cert again via cert-manager once.
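One thing the question and this answer leave open is whether the ConfigMap will be read at all: the question applies it under the name nginx-proxy, the answer under nginx-config, and ingress-nginx only reads the ConfigMap named by its controller's --configmap flag (format namespace/name; the Helm chart renders it as $(POD_NAMESPACE)/<release>-controller). A ConfigMap with any other name is silently ignored, so the site keeps its old TLS settings while the change looks applied. When the right ConfigMap does change, the controller reloads nginx in place, so no pod restart is needed. The following is an added example, not code from the original post or from the ingress-nginx project: it takes the controller Deployment and candidate ConfigMaps as kubectl -o json would return them (the objects below are constructed sample data, and the --configmap value shown is assumed), resolves the flag, and reports whether each candidate would take effect and whether it still enables a legacy protocol.

```python
"""Pre-flight check for an ingress-nginx TLS-hardening ConfigMap (added example)."""
import re

# Protocols that must not appear in ssl-protocols.
FORBIDDEN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: the controller Deployment trimmed to the fields that matter.
# The --configmap value is an assumption for this example.
CONTROLLER_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "nginx-proxy", "namespace": "ingress-nginx"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "controller",
        "args": [
            "/nginx-ingress-controller",
            "--configmap=$(POD_NAMESPACE)/nginx-proxy",
            "--election-id=ingress-controller-leader",
        ],
        "env": [{"name": "POD_NAMESPACE",
                 "valueFrom": {"fieldRef": {"fieldPath": "metadata.namespace"}}}],
    }]}}},
}

# Constructed sample ConfigMaps: the one from the question, the one from the
# answer (different name), and one that re-enables legacy protocols.
HARDENED_CM = {"kind": "ConfigMap",
               "metadata": {"name": "nginx-proxy", "namespace": "ingress-nginx"},
               "data": {"ssl-protocols": "TLSv1.2 TLSv1.3"}}
WRONG_NAME_CM = {"kind": "ConfigMap",
                 "metadata": {"name": "nginx-config", "namespace": "ingress-nginx"},
                 "data": {"ssl-protocols": "TLSv1.2 TLSv1.3"}}
LEGACY_CM = {"kind": "ConfigMap",
             "metadata": {"name": "nginx-proxy", "namespace": "ingress-nginx"},
             "data": {"ssl-protocols": "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"}}


def _env_map(container, pod_namespace):
    """Resolve literal env values plus the downward-API namespace reference."""
    env = {}
    for e in container.get("env", []):
        if "value" in e:
            env[e["name"]] = e["value"]
        elif e.get("valueFrom", {}).get("fieldRef", {}).get("fieldPath") == "metadata.namespace":
            env[e["name"]] = pod_namespace  # what the kubelet would inject
    return env


def configmap_ref(deployment):
    """Return (namespace, name) of the ConfigMap the controller reads, or None."""
    pod_ns = deployment["metadata"]["namespace"]
    for container in deployment["spec"]["template"]["spec"]["containers"]:
        env = _env_map(container, pod_ns)
        args = container.get("args", [])
        for i, arg in enumerate(args):
            if arg.startswith("--configmap="):
                ref = arg.split("=", 1)[1]
            elif arg == "--configmap" and i + 1 < len(args):
                ref = args[i + 1]
            else:
                continue
            # Kubernetes expands $(VAR) in args from the container's env.
            ref = re.sub(r"\$\((\w+)\)", lambda m: env.get(m.group(1), ""), ref)
            ns, _, name = ref.rpartition("/")
            return (ns or pod_ns, name)
    return None


def check_configmap(cm, target):
    """Return a list of findings; an empty list means effective and compliant."""
    findings = []
    ref = (cm["metadata"].get("namespace", target[0]), cm["metadata"]["name"])
    if ref != target:
        findings.append(f"ignored: controller reads {target[0]}/{target[1]}, not {ref[0]}/{ref[1]}")
    protocols = cm.get("data", {}).get("ssl-protocols", "").split()
    if not protocols:
        findings.append("ssl-protocols unset: controller default applies")
    weak = [p for p in protocols if p in FORBIDDEN_PROTOCOLS]
    if weak:
        findings.append("weak protocols enabled: " + " ".join(weak))
    return findings


def audit(deployment, configmaps):
    """Map each candidate ConfigMap name to its findings."""
    target = configmap_ref(deployment)
    return {cm["metadata"]["name"]: check_configmap(cm, target) for cm in configmaps}


if __name__ == "__main__":
    for name, findings in audit(CONTROLLER_DEPLOYMENT,
                                [HARDENED_CM, WRONG_NAME_CM, LEGACY_CM]).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

In practice feed it `kubectl -n <ns> get deploy <controller> -o json` and `kubectl -n <ns> get cm <name> -o json`; the name check is the one that catches the mismatch between the question's nginx-proxy and the answer's nginx-config.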

CodePudding user response:

To provide the most secure baseline configuration possible, nginx-ingress defaults to using TLS 1.2 and 1.3 only, with a secure set of TLS ciphers. [source]

It seems ingress-nginx uses TLS 1.2 and 1.3 only by default. The snippet you added to your question can be used to enable older TLS versions - like 1.0 and 1.1.

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-config
data:
  ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
  ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

[source]

You can check which versions of TLS (and ciphers) are enabled by issuing

nmap --script ssl-enum-ciphers -p 443 <ingress-nginx>

Replace <ingress-nginx> with your ingress IP.
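The nmap script above is the right tool when it is available; when it is not, the same protocol check can be done with one handshake per TLS version. The following is an added example, not code from the original answer or from ingress-nginx or nmap, using only the Python standard library; the --host, --port and --sni flags are this script's own. It deliberately skips certificate verification because the point is protocol negotiation, and it handles the failure mode that makes such probes lie: a modern OpenSSL on the probing machine may itself be unable to offer TLS 1.0 or 1.1, which would otherwise look like the server rejecting them. Cipher enumeration is left to nmap.

```python
"""Probe which TLS protocol versions a listener accepts (added example)."""
import socket
import ssl

VERSIONS = [
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]
LEGACY = ("TLSv1", "TLSv1.1")
MODERN = ("TLSv1.2", "TLSv1.3")


def probe_version(host, port, version, server_name=None, timeout=5.0):
    """Return 'accepted', 'rejected', 'client-unsupported' or 'unreachable'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # protocol test only, not a chain check
    try:
        # SECLEVEL=0 lets a hardened OpenSSL offer legacy versions at all.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # cipher-string syntax not understood (e.g. LibreSSL); continue
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return "client-unsupported"  # this OpenSSL build lacks the version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name or host) as tls:
                return "accepted" if tls.version() else "rejected"
    except ssl.SSLError as e:
        # 'no protocols available' means our side could not offer the version.
        if getattr(e, "reason", "") == "NO_PROTOCOLS_AVAILABLE":
            return "client-unsupported"
        return "rejected"
    except ConnectionResetError:
        return "rejected"  # server dropped the connection mid-handshake
    except OSError:
        return "unreachable"


def probe_all(host, port, server_name=None):
    """Probe every version in VERSIONS and return {name: outcome}."""
    return {name: probe_version(host, port, v, server_name) for name, v in VERSIONS}


def verdict(results):
    """Summarise probe outcomes as a single pass/fail line."""
    if all(v == "unreachable" for v in results.values()):
        return "ERROR: endpoint unreachable"
    if any(results.get(k) == "accepted" for k in LEGACY):
        return "FAIL: legacy TLS accepted"
    if any(results.get(k) == "client-unsupported" for k in LEGACY):
        return "INCONCLUSIVE: probe client cannot offer legacy TLS"
    if not any(results.get(k) == "accepted" for k in MODERN):
        return "FAIL: no modern TLS version accepted"
    return "PASS"


if __name__ == "__main__":
    import argparse
    ap = argparse.ArgumentParser(description="TLS version probe")
    ap.add_argument("--host", required=True, help="ingress IP or hostname")
    ap.add_argument("--port", type=int, default=443)
    ap.add_argument("--sni", default=None, help="server name to send (defaults to --host)")
    a = ap.parse_args()
    results = probe_all(a.host, a.port, a.sni)
    for name, outcome in results.items():
        print(f"{name:8s} {outcome}")
    print(verdict(results))
```

Pass --sni with the site's hostname when probing by IP, since the ingress selects the certificate and server block by SNI; an INCONCLUSIVE verdict means the probe host, not the ingress, cannot speak TLS 1.0/1.1 and a different client (or nmap) is needed to confirm.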
