How to configure TLS ciphers for Kubernetes components in an RKE2/K3s cluster
Article Number: 000022163
Environment
- A Rancher-provisioned or standalone RKE2 or K3s cluster
Procedure
It is possible to customise the TLS 1.0 - 1.2 cipher suites used by the kube-apiserver, kube-controller-manager, kube-scheduler and kubelet via the tls-cipher-suites argument. The list of possible cipher suites can be found in the Go documentation at https://pkg.go.dev/crypto/tls#pkg-constants. Please note that it is not possible to manually configure TLS 1.3 cipher suites; this is a restriction by design in Go.
Standalone RKE2 or K3s clusters
- Add the tls-cipher-suites argument, with the list of desired cipher suites, to the components via the RKE2 or K3s configuration file on the cluster nodes. In the example below, the argument is set on the kube-controller-manager and the kube-scheduler:
kube-controller-manager-arg:
- tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
kube-scheduler-arg:
- tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- Restart the RKE2 or K3s service on each node so that the new arguments take effect:
  - systemctl restart rke2-server on RKE2 server nodes
  - systemctl restart rke2-agent on RKE2 worker nodes
  - systemctl restart k3s on K3s server nodes
  - systemctl restart k3s-agent on K3s worker nodes
- Check that the TLS ciphers have been correctly applied (replace <port> with the component's secure port and <node-address> with the node to scan):
nmap --script ssl-enum-ciphers -p <port> <node-address>
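The following Go program is an added example and is not part of this article or of the RKE2/K3s projects. It does offline what the two steps above do on a node: it validates a tls-cipher-suites value against the same Go crypto/tls tables the article links to (rejecting typos, separating out TLS 1.3 names that Go will ignore, and flagging suites Go itself marks insecure), then starts a loopback TLS 1.2 listener restricted to those suites and probes it one suite at a time, which is what nmap's ssl-enum-ciphers script does against a real component. It assumes the components honour the argument the way a Go crypto/tls server does; the function names, the throw-away ECDSA certificate and the input strings are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// ParseCipherSuites resolves a --tls-cipher-suites value against Go's crypto/tls
// tables (the list the article links to): unknown names are an error, TLS 1.3
// suites come back separately because Go ignores them in Config.CipherSuites,
// and suites Go marks Insecure are reported so they can be reviewed.
func ParseCipherSuites(arg string) (ids []uint16, tls13, insecure []string, err error) {
	byName := map[string]*tls.CipherSuite{}
	for _, cs := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		byName[cs.Name] = cs
	}
	for _, name := range strings.Split(arg, ",") {
		name = strings.TrimSpace(name)
		cs, ok := byName[name]
		if !ok {
			return nil, nil, nil, fmt.Errorf("unknown cipher suite %q", name)
		}
		if len(cs.SupportedVersions) == 1 && cs.SupportedVersions[0] == tls.VersionTLS13 {
			tls13 = append(tls13, name)
			continue
		}
		if cs.Insecure {
			insecure = append(insecure, name)
		}
		ids = append(ids, cs.ID)
	}
	if len(ids) == 0 {
		return nil, tls13, insecure, fmt.Errorf("no configurable TLS 1.0-1.2 suites in %q", arg)
	}
	return ids, tls13, insecure, nil
}

// EnumerateOfferedSuites starts a loopback TLS 1.2 listener restricted to ids,
// using a throw-away ECDSA P-256 certificate, and, like nmap's ssl-enum-ciphers
// script, offers it every suite Go knows one at a time and records the accepted
// ones. The server key type filters the list further: an ECDSA certificate
// never negotiates TLS_ECDHE_RSA_* suites even when they are configured.
func EnumerateOfferedSuites(ids []uint16) ([]string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		CipherSuites: ids, MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
	})
	if err != nil { return nil, err }
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil { return }
			// Finish the handshake so the client sees accept or reject, then drop it.
			go func(c net.Conn) { c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	var offered []string
	for _, cs := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
			InsecureSkipVerify: true, // probing our own throw-away cert on loopback only
			CipherSuites:       []uint16{cs.ID},
			MinVersion:         tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
		})
		if err != nil {
			continue // the server refused this suite
		}
		offered = append(offered, tls.CipherSuiteName(conn.ConnectionState().CipherSuite))
		conn.Close()
	}
	return offered, nil
}

func main() {
	// Constructed input: the argument value from the article's example.
	ids, tls13, insecure, err := ParseCipherSuites(
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384")
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	offered, err := EnumerateOfferedSuites(ids)
	fmt.Println("ignored TLS 1.3:", tls13, "insecure:", insecure, "offered:", offered, err)
}
```

Run it before rolling a new value out to the config file: a misspelt name fails fast here instead of in a component that then refuses to serve, a TLS 1.3 name is shown as having no effect, and the probe result is what an external scan of the component should report, minus any suites the component's real serving certificate cannot use.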
Rancher-provisioned RKE2 or K3s clusters
- Navigate to Cluster Management within the Rancher UI and click Edit Config for the desired cluster
- Under Cluster Configuration click Advanced
- Click Add a new row under the Additional Args section for the desired components, and enter the tls-cipher-suites argument, as in the following example:
tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- Check that the TLS ciphers have been correctly applied (replace <port> with the component's secure port and <node-address> with the node to scan):
nmap --script ssl-enum-ciphers -p <port> <node-address>