Securing Automation Suite RKE2 Server with Strong TLS Cipher Suites and Minimum TLS Version

How do you configure the Automation Suite RKE2 server to meet security requirements by updating the TLS cipher suites and setting a minimum TLS version?

Issue Description:

Users may have specific security requirements or compliance standards that necessitate the removal of certain cipher suites and the enforcement of a minimum TLS version on their RKE2 server running within their Automation Suite environment.

Resolution:

To align with these security standards, update the configuration file of the RKE2 server on all Automation Suite server nodes. The following example demonstrates how to enforce a minimum TLS version of 1.2 and configure a set of strong cipher suites. Note, however, that specific requirements differ between organizations, so consult your organization's security compliance team to ensure the settings match internal security policies.

  1. Edit the RKE2 server configuration file:
    1. Open the configuration file at /etc/rancher/rke2/config.yaml in your preferred text editor.
    2. Add or update the following lines to set the minimum TLS version and the desired cipher suites for kube-controller-manager, kube-scheduler, and kube-apiserver:
kube-controller-manager-arg:
  - "tls-min-version=VersionTLS12"
  - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
kube-scheduler-arg:
  - "tls-min-version=VersionTLS12"
  - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
kube-apiserver-arg:
  - "tls-min-version=VersionTLS12"
  - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
  2. Restart the RKE2 server:
  • Apply the changes by restarting the RKE2 server with the command:
systemctl restart rke2-server
  3. Verify the changes:
  • To verify that the cipher suites have changed as intended, use a tool such as nmap, whose ssl-enum-ciphers script enumerates the SSL/TLS cipher suites a server supports. The basic command structure is:
nmap --script ssl-enum-ciphers -p 6443 localhost
  • This command scans the kube-apiserver component of the RKE2 server on its localhost address, port 6443, and lists the SSL/TLS cipher suites the server supports. All components modified in the steps of this article are listed below for reference:
    • kube-apiserver:
      • Default Port: 6443
      • Description: This is the primary API server port, used for communication with the Kubernetes API. It is the port through which most interactions with the cluster occur.
    • kube-controller-manager:
      • Default Port: 10252 (HTTP)
      • Description: This port is used for the health check and metrics of the kube-controller-manager. It is not typically exposed outside the cluster.
    • kube-scheduler:
      • Default Port: 10251 (HTTP)
      • Description: Similar to the kube-controller-manager, this port is used for the health check and metrics of the kube-scheduler. It is also usually not exposed outside the cluster.