How to change etcd cipher suite
This document (000020123) is provided subject to the disclaimer at the end of this document.
Environment
Rancher
Situation
Hardening ETCD cluster communication
Resolution
Synopsis:
This article walks Rancher administrators through hardening the communication between etcd cluster members. It covers configuring etcd to accept only a specific set of TLS cipher suites, so that intra-cluster etcd traffic is protected with stronger encryption.
Configuring etcd (rke and Rancher UI):
To make the modification we configure the rke cluster YAML spec. The setting is defined in the spec and then applied either at the command line with the rke CLI or through the Rancher UI. From within the Rancher UI, navigate to the cluster you want to modify and click Edit under the three-dot menu. From there you should see a button labeled 'Edit as YAML'. In the cluster YAML spec view, define the cipher-suites parameter under the etcd service definition, as shown below. We recommend trying this first on a non-critical cluster to become familiar with the process before rolling it out to important clusters.
services:
  etcd:
    extra_args:
      cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
      election-timeout: "5000"
      heartbeat-interval: "500"
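Because etcd is a Go program, the names given to cipher-suites must match the suite names known to Go's crypto/tls package; an unrecognised name prevents etcd from starting, and a name Go classifies as insecure is accepted but weakens the cluster. The following added example (not part of this article or of Rancher/etcd) checks a cipher-suites value against Go's own suite tables before it is committed to the cluster YAML. It assumes Go 1.14 or later, where tls.InsecureCipherSuites() is available.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// CipherCheck classifies each entry of a comma-separated cipher-suites value.
type CipherCheck struct {
	Accepted []string // names Go's crypto/tls lists as supported and secure
	Insecure []string // names Go knows but lists as insecure (avoid in etcd)
	Unknown  []string // names Go does not recognise (etcd would refuse to start)
}

// CheckCipherSuites splits the value that would be passed to etcd's
// --cipher-suites flag and looks each name up in Go's suite tables.
// Note: Go applies a configured suite list only to TLS 1.2 and earlier;
// TLS 1.3 suites are fixed by the library and cannot be restricted here.
func CheckCipherSuites(value string) CipherCheck {
	secure := map[string]bool{}
	for _, cs := range tls.CipherSuites() {
		secure[cs.Name] = true
	}
	insecure := map[string]bool{}
	for _, cs := range tls.InsecureCipherSuites() {
		insecure[cs.Name] = true
	}
	var res CipherCheck
	for _, raw := range strings.Split(value, ",") {
		name := strings.TrimSpace(raw)
		if name == "" {
			continue
		}
		switch {
		case secure[name]:
			res.Accepted = append(res.Accepted, name)
		case insecure[name]:
			res.Insecure = append(res.Insecure, name)
		default:
			res.Unknown = append(res.Unknown, name)
		}
	}
	return res
}

func main() {
	// Constructed input: the cipher-suites value from the cluster YAML above.
	v := "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
	fmt.Printf("%+v\n", CheckCipherSuites(v))
}
```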
Note:
The cipher suites defined in the example may trade off speed for stronger encryption. Consider the strength of the ciphers in use and how they could affect the performance of an etcd cluster. Testing should account for the specification of your hosts (CPU, memory, disk, network, etc.), the typical patterns of interaction with Kubernetes, and the number of resources under management within the k8s cluster.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.