Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Updated VPA admission-controller to have adjustable minimum TLS version and TLS ciphers #6625

Merged
merged 1 commit into from
Mar 19, 2024

Conversation

allenmun197
Copy link
Contributor

What type of PR is this?

/kind feature

What this PR does / why we need it:

This PR allows the VPA admission-controller to have an adjustable minimum TLS version and ciphersuites. This will help people using VPA to be more secure as you can now set a minimum TLS version of 1.3 or only allow strong ciphers.

Which issue(s) this PR fixes:

Fixes #6624

Special notes for your reviewer:

I don't know the best way to create a mapping of ciphers/tls_versions to convert the string from the flag to the accepted uint16 accepted by the server params. If there is a better/cleaner solution I would be very much open to changing the code.

Does this PR introduce a user-facing change?

NONE

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:


@k8s-ci-robot k8s-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Mar 12, 2024
Copy link

linux-foundation-easycla bot commented Mar 12, 2024

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: allenmun197 / name: allenmun (2cd5884)

@k8s-ci-robot k8s-ci-robot requested a review from jbartosik March 12, 2024 18:22
@k8s-ci-robot k8s-ci-robot requested a review from kgolab March 12, 2024 18:22
@k8s-ci-robot k8s-ci-robot added cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 12, 2024
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Mar 12, 2024
Copy link
Contributor

@mwielgus mwielgus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Mar 14, 2024
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 15, 2024
@allenmun197
Copy link
Contributor Author

@mwielgus fixed the formatting issue, should be good now

Copy link
Contributor

@voelzmo voelzmo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for immediately providing a PR for your issue! I have a few requests regarding the ux, where I think we can be a bit nicer to users.

@@ -32,6 +32,8 @@ up the changes: ```sudo systemctl restart kubelet.service```
for pods on their creation & updates.
1. You can specify a path for it to register as a part of the installation process
by setting `--register-by-url=true` and passing `--webhook-address` and `--webhook-port`.
1. You can specify a minimum TLS version with `--min-tls-version` with acceptable values being `tls1_0`, `tls1_1`, `tls1_2` (default), or `tls_13`.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
1. You can specify a minimum TLS version with `--min-tls-version` with acceptable values being `tls1_0`, `tls1_1`, `tls1_2` (default), or `tls_13`.
1. You can specify a minimum TLS version with `--min-tls-version` with acceptable values being `tls1_0`, `tls1_1`, `tls1_2` (default), or `tls1_3`.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated typo

case "tls1_3":
tlsVersion = tls.VersionTLS13
default:
tlsVersion = tls.VersionTLS12
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is somewhat dangerous, IMHO. This code allows for arbitrary strings to be set for --min-tls-version and any typo will not result in an error, but in TLS1.2 being set. Users will never realize they're not getting what they intended. For example, if I'm setting --min-tls-version=1.3, admission-controller will silently configure TLS1.2. I think we should make it explicit to the user that they entered a value that is unknown and fail to start.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated code to default to tls1_2 and only accept tls1_2 and tls1_3. If a different value is given, we now throw a fatal exception. Error now looks like

F0318 15:31:04.356258       1 config.go:66] Unable to determine value for --min-tls-version (tls1_1), must be either tls1_2 or tls1_3

}

switch minTlsVersion {
case "tls1_0":
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we have a good reason to "go back" and allow for less secure TLS configurations than we do now? If not, let's not include TLS1.0 and TLS1.1 here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

removed TLS 1.0 and TLS 1.1

@@ -59,6 +59,8 @@ var (
tlsCertFile: flag.String("tls-cert-file", "/etc/tls-certs/serverCert.pem", "Path to server certificate PEM file."),
tlsPrivateKey: flag.String("tls-private-key", "/etc/tls-certs/serverKey.pem", "Path to server certificate key PEM file."),
}
ciphers = flag.String("tls-ciphers", "", "A comma-separated or colon-separated list of ciphers to accept. Only works when min-tls-version is set to tls1_2 or below.")
minTlsVersion = flag.String("min-tls-version", "tls1_2", "The minimum TLS version to accept. Defaults to tls1_2.")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should list all allowed values here, to make it clear which values are valid without taking a look at the implementation.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated description

@allenmun197
Copy link
Contributor Author

@voelzmo Updated the PR, made the changes. LMK if there is anything else that needs to be updated.

@voelzmo
Copy link
Contributor

voelzmo commented Mar 19, 2024

Looks great, thanks!
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 19, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: allenmun197, mwielgus, voelzmo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 24fbe6e into kubernetes:master Mar 19, 2024
6 checks passed
@robbiezhang
Copy link

@voelzmo , is it fine to cherry-pick this change to vpa 1.1 release?

@voelzmo
Copy link
Contributor

voelzmo commented Jun 21, 2024

@robbiezhang I don't think we cherry-pick new features to releases. We probably would rather release a 1.2.0
@kwiesmueller @raywainman WDYT?

@robbiezhang
Copy link

@voelzmo thanks for the reply. That makes sense. Wondering what's the release cadence and 1.2 release timeline?

@kwiesmueller
Copy link
Member

Agreed. A new version would be necessary for features.

@raywainman
Copy link
Contributor

We generally try and cut releases roughly in line with every minor version release.

That being said there really isn't anything preventing us from a doing another release (except bandwidth from one of the owners!)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/vertical-pod-autoscaler cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

For VPA, make the admission-controller expose the minimum TLS version and/or the TLS ciphers
7 participants