
How to edit the enabled TLS protocols or ciphers of ingress-nginx in an RKE2 cluster

Article Number: 000021887

Environment

  • A Rancher-provisioned or standalone RKE2 cluster with the ingress-nginx ingress controller

Situation

You may wish to customise the TLS protocols or ciphers enabled by the built-in ingress-nginx ingress controller in an RKE2 cluster (via the ssl-protocols or ssl-ciphers configuration options).

For example, in ingress-nginx v1.12.4, the version packaged with RKE2 v1.33+rke2r1, the default ssl-protocol is TLS v1.2. You may wish to enable the deprecated TLS v1.0 and TLS v1.1 protocols, or enable the newer TLS v1.3 protocol. This article details how to achieve this in both Rancher-provisioned and standalone RKE2 clusters.

NOTE: Changing the default ssl protocols and ciphers has security implications, in particular the use of less secure deprecated protocols or ciphers. You should proceed with caution.

Resolution

Configuration for Rancher-provisioned RKE2 clusters

  1. Login to the Rancher UI
  2. Navigate to Cluster Management
  3. Click Edit Config for the relevant Rancher-provisioned RKE2 cluster
  4. Click Additional Manifest and provide a HelmChartConfig for the rke2-ingress-nginx chart with the desired ssl-protocols and ssl-ciphers values. In this example, the deprecated TLS versions v1.0 and v1.1 are added to the ssl-protocols, as well as the newer TLS v1.3.

apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      config:
        ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
  5. Click Save at the bottom of the page
  6. Wait for the cluster to finish updating
  7. Explore the cluster and launch a kubectl shell
  8. Confirm the ssl protocols and ciphers configuration in the running ingress-nginx Pods by running the below command against the cluster:

for pod in $(kubectl get pods -l app.kubernetes.io/instance=rke2-ingress-nginx -n kube-system --no-headers -o name | awk -F '/' '{print $2}'); do echo -n "Checking $pod .... "; kubectl -n kube-system exec "$pod" -- /dbg conf | grep ssl_protocols; done

Configuration for standalone RKE2 clusters

  1. On server nodes in the cluster, create a HelmChartConfig manifest for the rke2-ingress-nginx chart with the desired ssl-protocols and ssl-ciphers values, within the directory /var/lib/rancher/rke2/server/manifests/ (e.g. /var/lib/rancher/rke2/server/manifests/rke2-ingress-nginx-config.yaml). In this example, the deprecated TLS versions v1.0 and v1.1 are added to the ssl-protocols, as well as the newer TLS v1.3.

apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      config:
        ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
  2. Wait for the rke2-ingress-nginx helm chart to finish upgrading
  3. Confirm the ssl protocols and ciphers configuration in the running ingress-nginx Pods by running the below command against the cluster:

for pod in $(kubectl get pods -l app.kubernetes.io/instance=rke2-ingress-nginx -n kube-system --no-headers -o name | awk -F '/' '{print $2}'); do echo -n "Checking $pod .... "; kubectl -n kube-system exec "$pod" -- /dbg conf | grep ssl_protocols; done
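The verification command in both sections above only greps the ssl_protocols line; the following added script (not part of this article) parses that /dbg conf output and flags any deprecated TLSv1 or TLSv1.1 protocol that the HelmChartConfig has enabled, so the change can be audited rather than just read. The sample configuration lines are constructed; audit_cluster_pods assumes kubectl access to the cluster and the same pod label as the article's command.

```shell
#!/bin/sh
# Added example: audit the ssl_protocols directive that ingress-nginx renders
# (as printed by `kubectl exec <pod> -- /dbg conf`) for deprecated protocols.

# Constructed sample of the relevant lines from `/dbg conf` output; the real
# output contains many more directives.
SAMPLE_CONF='
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
'

# Read an nginx configuration on stdin and print the ssl_protocols value
# (without the directive name or trailing ';'); prints nothing if absent.
extract_ssl_protocols() {
  sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);[[:space:]]*$/\1/p' | head -n 1
}

# Read an nginx configuration on stdin.
# Exit 0 when only TLSv1.2 / TLSv1.3 are enabled, 1 when a deprecated
# protocol (TLSv1 or TLSv1.1) is present, 2 when no ssl_protocols line exists.
audit_ssl_protocols() {
  protos=$(extract_ssl_protocols)
  [ -n "$protos" ] || { echo "no ssl_protocols directive found"; return 2; }
  for p in $protos; do
    case "$p" in
      TLSv1|TLSv1.1) echo "deprecated protocol enabled: $p"; return 1 ;;
    esac
  done
  echo "protocols OK: $protos"
  return 0
}

# Run the audit against every ingress-nginx Pod in the cluster (needs kubectl).
audit_cluster_pods() {
  for pod in $(kubectl get pods -l app.kubernetes.io/instance=rke2-ingress-nginx \
      -n kube-system -o name); do
    printf 'Checking %s .... ' "$pod"
    kubectl -n kube-system exec "${pod#pod/}" -- /dbg conf | audit_ssl_protocols
  done
}

# Demonstration on the constructed sample; reports the deprecated TLSv1.
printf '%s\n' "$SAMPLE_CONF" | audit_ssl_protocols || :
```

Call audit_cluster_pods from a shell with cluster access to check the live Pods instead of the sample.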