How to enable legacy TLS versions for ingress-nginx in Rancher Kubernetes Engine (RKE) CLI and Rancher v2.x provisioned RKE Kubernetes clusters
Article Number: 000020076
Environment
An RKE Kubernetes cluster provisioned by the Rancher Kubernetes Engine (RKE) CLI or Rancher v2.x
Situation
This article details how to enable TLS 1.1 on the ingress-nginx controller in Rancher Kubernetes Engine (RKE) CLI or Rancher v2.x provisioned RKE Kubernetes clusters.
Pre-requisites:
- For RKE CLI provisioned clusters, you will need the RKE binary, access to the cluster configuration YAML and rkestate file, and kubectl access with the kubeconfig for the cluster sourced
- For Rancher v2.x provisioned RKE clusters, you will require cluster owner or global admin permissions in Rancher
Resolution
Configuration for RKE CLI provisioned clusters
- Edit the cluster configuration YAML file to include the ssl-protocols option for the ingress, as follows:
    ingress:
      provider: nginx
      options:
        ssl-protocols: "TLSv1.1 TLSv1.2"
- Apply the changes to the cluster by running rke up:
    rke up --config <cluster configuration yaml file>
- Verify that each ingress-nginx pod has picked up the new configuration:
    for pod in $(kubectl get pods -l app=ingress-nginx -n ingress-nginx --no-headers -o name | awk -F '/' '{print $2}'); do
      echo -n "Checking $pod .... "
      kubectl -n ingress-nginx exec "$pod" -- bash -c "cat /etc/nginx/nginx.conf | grep ssl_protocols | grep '1.1' > /dev/null 2>&1 && echo 'Good' || echo 'Bad'"
    done
Configuration for Rancher-provisioned RKE clusters
- Log in to the Rancher UI
- Go to Cluster Management
- Click Edit Config for the relevant Rancher-provisioned RKE cluster
- Click Edit as YAML
- Include the ssl-protocols option for the ingress, as follows:
    ingress:
      provider: nginx
      options:
        ssl-protocols: "TLSv1.1 TLSv1.2"
- Verify that each ingress-nginx pod has picked up the new configuration:
    for pod in $(kubectl get pods -l app=ingress-nginx -n ingress-nginx --no-headers -o name | awk -F '/' '{print $2}'); do
      echo -n "Checking $pod .... "
      kubectl -n ingress-nginx exec "$pod" -- bash -c "cat /etc/nginx/nginx.conf | grep ssl_protocols | grep '1.1' > /dev/null 2>&1 && echo 'Good' || echo 'Bad'"
    done
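A stricter form of the kubectl/grep loop used in both sections above, as an added example that is not part of the original article: the grep reports Good whenever "1.1" appears on any ssl_protocols line, so it also passes when an extra protocol such as TLSv1 is enabled or when the match is on a commented-out line. The function names and sample configurations are constructed for illustration, and the directive is assumed to sit on a single line.

```shell
#!/bin/sh
# Added example (not from the original article): strict ssl_protocols check.
# Assumes the directive sits on a single line in the pods' rendered nginx.conf.

# Print the protocols of every active (uncommented) ssl_protocols directive
# in the nginx.conf read from stdin, one per line, sorted and de-duplicated.
enabled_protocols() {
  sed 's/#.*//' |
    awk '$1 == "ssl_protocols" {
      for (i = 2; i <= NF; i++) { gsub(/;/, "", $i); if ($i != "") print $i }
    }' | sort -u
}

# Usage: check_protocols "<wanted protocols>" < nginx.conf
# Prints OK and returns 0 only when the enabled set equals the wanted set.
check_protocols() {
  enabled_protocols | awk -v want="$1" '
    BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
    { have[$1] = 1; if (!($1 in wanted)) extra = extra " " $1 }
    END {
      for (i = 1; i <= n; i++) if (!(w[i] in have)) missing = missing " " w[i]
      if (missing != "") print "MISSING:" missing
      if (extra != "") print "UNEXPECTED:" extra
      if (missing == "" && extra == "") { print "OK"; exit 0 }
      exit 1
    }'
}

# Constructed samples (not captured from a real cluster).
SAMPLE_GOOD='http {
    ssl_protocols TLSv1.1 TLSv1.2;
}'
SAMPLE_WIDE='http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}'
SAMPLE_STALE='http {
    # ssl_protocols TLSv1.1 TLSv1.2;
    ssl_protocols TLSv1.2;
}'

for sample in "$SAMPLE_GOOD" "$SAMPLE_WIDE" "$SAMPLE_STALE"; do
  printf '%s\n' "$sample" | check_protocols "TLSv1.1 TLSv1.2" || true
done

# Against a live pod (namespace and path as used in this article):
#   kubectl -n ingress-nginx exec "$pod" -- cat /etc/nginx/nginx.conf |
#     check_protocols "TLSv1.1 TLSv1.2"
```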