Skip to content

How to set cipher-suites for etcd in RKE2

This document (000021373) is provided subject to the disclaimer at the end of this document.

Environment

  • Rancher v2.7+
  • A standalone or Rancher-provisioned RKE2 cluster

Situation

This article details how to customise the TLS cipher suites used by etcd in an RKE2 cluster

Resolution

Rancher-provisioned RKE2 clusters:

  1. Navigate to Cluster Management within the Rancher UI
  2. Click Edit Config for the relevant RKE2 cluster
  3. Click Edit as YAML at the bottom of the page
  4. Add a machineSelectorConfig block to set the desired cipher-suites via the etcd-arg field on etcd nodes, per the following example:

spec:
  [...]
  rkeConfig:
    [...]
    machineSelectorConfig
      - config:
          etcd-arg: "cipher-suites=[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]"
        matchLabels:
          rke.cattle.io/etcd-role: 'true'
[...]
5. Click Save to apply the change

Standalone RKE2 clusters:

Repeat the following process on each server node in the RKE2 cluster:

  1. Add the etcd-arg with the desired cipher-suites to the RKE2 configuration file at /etc/rancher/rke2/config.yaml file and save it, per the following example:

etcd-arg: "cipher-suites=[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]"
2. Restart the rke2-server service to apply the change:

systemctl restart rke2-server
3. Verify the change. The new configuration will be populated in the etcd configuration file.

root@susenode01:~# cat /var/lib/rancher/rke2/server/db/etcd/config
advertise-client-urls: (redacted)
cipher-suites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
client-transport-security:
  cert-file: /var/lib/rancher/rke2/server/tls/etcd/server-client.crt
  client-cert-auth: true
  key-file: /var/lib/rancher/rke2/server/tls/etcd/server-client.key
  trusted-ca-file: /var/lib/rancher/rke2/server/tls/etcd/server-ca.crt
data-dir: /var/lib/rancher/rke2/server/db/etcd
...(omitted)

Additional Information

RKE2 Server Configuration Reference

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.