How to enable legacy TLS versions for ingress-nginx in Rancher Kubernetes Engine (RKE) CLI and Rancher v2.x provisioned RKE Kubernetes clusters

This document (000020076) is provided subject to the disclaimer at the end of this document.

Environment

An RKE Kubernetes cluster provisioned by the Rancher Kubernetes Engine (RKE) CLI or Rancher v2.x

Situation

This article details how to enable TLS 1.1 on the ingress-nginx controller in Rancher Kubernetes Engine (RKE) CLI or Rancher v2.x provisioned RKE Kubernetes clusters.

Pre-requisites:

For RKE CLI provisioned clusters, you will require the RKE binary and access to the cluster configuration YAML, rkestate file and kubectl access with the kubeconfig for the cluster sourced
For Rancher v2.x provisioned RKE clusters, you will require cluster owner or global admin permissions in Rancher

Resolution

Configuration for RKE CLI provisioned clusters

Edit the cluster configuration YAML file to include the ssl-protocols option for the ingress, as follows:

  ingress:
    provider: nginx
    options:
      ssl-protocols: "TLSv1.1 TLSv1.2"

2. Apply the changes to the cluster, by invoking rke up:

rke up --config <cluster configuration yaml file>

3. Verify the new configuration:

for pod in $(kubectl get pods -l app=ingress-nginx -n ingress-nginx --no-headers -o name | awk -F '/' '{print $2}'); do echo -n "Checking $pod .... "; kubectl -n ingress-nginx exec "$pod" -- bash -c "cat /etc/nginx/nginx.conf | grep ssl_protocols | grep '1.1' > /dev/null 2>&1 && echo 'Good' || echo 'Bad'"; done

Configuration for Rancher-provisioned RKE clusters

Login into the Rancher UI
Go to Cluster Management
Click Edit Config for the relevant Rancher-provisioned RKE cluster
Click Edit as YAML
Include the ssl-protocols option for the ingress, as follows:

ingress:
  provider: nginx
  options:
    ssl-protocols: "TLSv1.1 TLSv1.2"

6. Click Save at the bottom of the page 7. Wait for cluster to finish upgrading 8. Explore the cluster and launch a kubectl shell 9. Run the following inside the kubectl shell to verify the new argument:

for pod in $(kubectl get pods -l app=ingress-nginx -n ingress-nginx --no-headers -o name | awk -F '/' '{print $2}'); do echo -n "Checking $pod .... "; kubectl -n ingress-nginx exec "$pod" -- bash -c "cat /etc/nginx/nginx.conf | grep ssl_protocols | grep '1.1' > /dev/null 2>&1 && echo 'Good' || echo 'Bad'"; done

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.