Detections
Analytics

Ensure that the API Server only makes use of Strong Cryptographic Ciphers

MEDIUM

Description

Description:

Ensure that the API server is configured to only use strong cryptographic ciphers.

Rationale:

TLS ciphers have had a number of known vulnerabilities and weaknesses, which can reduce the protection provided by them. By default Kubernetes supports a number of TLS ciphersuites including some that have security concerns, weakening the protection provided.

API server clients that cannot support modern cryptographic ciphers will not be able to make connections to the API server.

Remediation

Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the below parameter.

--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
.

Policy Details

Rule Reference ID: AC_K8S_0043
CSP: Kubernetes
Remediation Available: No
Domain: Data Protection
Resource: kubernetes_pod
Resource Category: Compute
Resource Type: Pod

Frameworks