From 9ee49a532e9954d7344980996040c85064ec2ed7 Mon Sep 17 00:00:00 2001
From: zhzhuang-zju
Date: Tue, 31 Oct 2023 17:13:53 +0800
Subject: [PATCH] set MinVersion to VersionTLS13 for tlsconfig

Signed-off-by: zhzhuang-zju
---
 artifacts/deploy/karmada-aggregated-apiserver.yaml | 1 +
 artifacts/deploy/karmada-apiserver.yaml | 1 +
 artifacts/deploy/karmada-metrics-adapter.yaml | 1 +
 artifacts/deploy/karmada-search.yaml | 1 +
 charts/karmada/templates/karmada-aggregated-apiserver.yaml | 1 +
 charts/karmada/templates/karmada-apiserver.yaml | 1 +
 charts/karmada/templates/karmada-search.yaml | 1 +
 operator/pkg/controlplane/apiserver/mainfests.go | 2 ++
 operator/pkg/controlplane/metricsadapter/mainfests.go | 1 +
 9 files changed, 10 insertions(+)
diff --git a/artifacts/deploy/karmada-aggregated-apiserver.yaml b/artifacts/deploy/karmada-aggregated-apiserver.yaml
index 7e1e75225895..f1a997b8304c 100644
--- a/artifacts/deploy/karmada-aggregated-apiserver.yaml
+++ b/artifacts/deploy/karmada-aggregated-apiserver.yaml
@@ -46,6 +46,7 @@ spec:
 - --feature-gates=APIPriorityAndFairness=false
 - --audit-log-maxage=0
 - --audit-log-maxbackup=0
+ - --tls-min-version=VersionTLS13
 resources:
 requests:
 cpu: 100m
diff --git a/artifacts/deploy/karmada-apiserver.yaml b/artifacts/deploy/karmada-apiserver.yaml
index 70b285f819fa..79f050fc5b94 100644
--- a/artifacts/deploy/karmada-apiserver.yaml
+++ b/artifacts/deploy/karmada-apiserver.yaml
@@ -62,6 +62,7 @@ spec:
 - --requestheader-username-headers=X-Remote-User
 - --tls-cert-file=/etc/karmada/pki/apiserver.crt
 - --tls-private-key-file=/etc/karmada/pki/apiserver.key
+ - --tls-min-version=VersionTLS13
 name: karmada-apiserver
 image: registry.k8s.io/kube-apiserver:v1.25.4
 imagePullPolicy: IfNotPresent
diff --git a/artifacts/deploy/karmada-metrics-adapter.yaml b/artifacts/deploy/karmada-metrics-adapter.yaml
index e1466aef949c..437b18c419b0 100644
--- a/artifacts/deploy/karmada-metrics-adapter.yaml
+++ b/artifacts/deploy/karmada-metrics-adapter.yaml
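Review bot: The `--tls-min-version=VersionTLS13` line added to the karmada-aggregated-apiserver args is a hard floor with no comment explaining its consequence: any client, proxy or health checker that can negotiate at most TLS 1.2 will fail the handshake against this listener after the upgrade. The identical line in every other hunk of this patch (karmada-apiserver, metrics-adapter, search, the three chart templates and both operator mainfests.go files) has the same effect. I would add a comment above the flag, such as `# TLS 1.3 only; clients limited to TLS 1.2 are rejected at handshake`, and call the change out in the upgrade notes. The args list starts above the hunk, so whether `--tls-cipher-suites` is also set is not visible here; if it is, it no longer influences negotiation, because Go's TLS stack does not allow TLS 1.3 suites to be configured.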
@@ -42,6 +42,7 @@ spec:
 - --audit-log-path=-
 - --audit-log-maxage=0
 - --audit-log-maxbackup=0
+ - --tls-min-version=VersionTLS13
 readinessProbe:
 httpGet:
 path: /readyz
diff --git a/artifacts/deploy/karmada-search.yaml b/artifacts/deploy/karmada-search.yaml
index 177ed5e1eb1c..237be6b03842 100644
--- a/artifacts/deploy/karmada-search.yaml
+++ b/artifacts/deploy/karmada-search.yaml
@@ -46,6 +46,7 @@ spec:
 - --feature-gates=APIPriorityAndFairness=false
 - --audit-log-maxage=0
 - --audit-log-maxbackup=0
+ - --tls-min-version=VersionTLS13
 livenessProbe:
 httpGet:
 path: /livez
diff --git a/charts/karmada/templates/karmada-aggregated-apiserver.yaml b/charts/karmada/templates/karmada-aggregated-apiserver.yaml
index 3acafae9741e..d84f47c2b2f6 100644
--- a/charts/karmada/templates/karmada-aggregated-apiserver.yaml
+++ b/charts/karmada/templates/karmada-aggregated-apiserver.yaml
@@ -65,6 +65,7 @@ spec:
 - --feature-gates=APIPriorityAndFairness=false
 - --audit-log-maxage=0
 - --audit-log-maxbackup=0
+ - --tls-min-version=VersionTLS13
 resources:
 {{- toYaml .Values.aggregatedApiServer.resources | nindent 12 }}
 readinessProbe:
diff --git a/charts/karmada/templates/karmada-apiserver.yaml b/charts/karmada/templates/karmada-apiserver.yaml
index 86d62be5e8d5..a788d2d2be2b 100644
--- a/charts/karmada/templates/karmada-apiserver.yaml
+++ b/charts/karmada/templates/karmada-apiserver.yaml
@@ -73,6 +73,7 @@ spec:
 - --tls-private-key-file=/etc/kubernetes/pki/karmada.key
 - --max-requests-inflight={{ .Values.apiServer.maxRequestsInflight }}
 - --max-mutating-requests-inflight={{ .Values.apiServer.maxMutatingRequestsInflight }}
+ - --tls-min-version=VersionTLS13
 ports:
 - name: http
 containerPort: 5443
diff --git a/charts/karmada/templates/karmada-search.yaml b/charts/karmada/templates/karmada-search.yaml
index 24988029ab68..4426a622c5cf 100644
--- a/charts/karmada/templates/karmada-search.yaml
+++ b/charts/karmada/templates/karmada-search.yaml
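Review bot: In charts/karmada/templates/karmada-apiserver.yaml the new flag is a literal, while the two args directly above it are rendered from `.Values.apiServer.*`, so chart users who still have TLS 1.2-only clients cannot relax the floor without patching the template. Consider rendering it from a value that defaults to the strict setting, for example `- --tls-min-version={{ .Values.apiServer.tlsMinVersion | default "VersionTLS13" }}`; the key name `tlsMinVersion` is only a suggestion and is not an existing chart value. The same applies to the chart's aggregated-apiserver and search templates, with a per-component key. Keeping VersionTLS13 as the default preserves the hardening this commit intends. The args list begins above the hunk.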
@@ -78,6 +78,7 @@ spec:
 - --feature-gates=APIPriorityAndFairness=false
 - --audit-log-maxage=0
 - --audit-log-maxbackup=0
+ - --tls-min-version=VersionTLS13
 livenessProbe:
 httpGet:
 path: /livez
diff --git a/operator/pkg/controlplane/apiserver/mainfests.go b/operator/pkg/controlplane/apiserver/mainfests.go
index 833ddbdc1961..80a2ae884a63 100644
--- a/operator/pkg/controlplane/apiserver/mainfests.go
+++ b/operator/pkg/controlplane/apiserver/mainfests.go
@@ -59,6 +59,7 @@ spec:
 - --max-requests-inflight=1500
 - --max-mutating-requests-inflight=500
 - --v=4
+ - --tls-min-version=VersionTLS13
 livenessProbe:
 failureThreshold: 8
 httpGet:
@@ -171,6 +172,7 @@ spec:
 - --feature-gates=APIPriorityAndFairness=false
 - --audit-log-maxage=0
 - --audit-log-maxbackup=0
+ - --tls-min-version=VersionTLS13
 volumeMounts:
 - mountPath: /etc/karmada/kubeconfig
 name: kubeconfig
diff --git a/operator/pkg/controlplane/metricsadapter/mainfests.go b/operator/pkg/controlplane/metricsadapter/mainfests.go
index 823b327c3384..c8ca73757a78 100644
--- a/operator/pkg/controlplane/metricsadapter/mainfests.go
+++ b/operator/pkg/controlplane/metricsadapter/mainfests.go
@@ -40,6 +40,7 @@ spec:
 - --audit-log-path=-
 - --audit-log-maxage=0
 - --audit-log-maxbackup=0
+ - --tls-min-version=VersionTLS13
 volumeMounts:
 - name: kubeconfig
 subPath: kubeconfig
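Review bot: Coverage across the three install paths is uneven, judging by the diffstat: artifacts/deploy sets the flag on four components, the Helm chart on three (no metrics-adapter template is touched), and the operator only in apiserver/mainfests.go (two containers) and metricsadapter/mainfests.go, with no operator hunk for karmada-search. If the chart or operator renders those components elsewhere, they presumably keep the default minimum version, so the TLS floor would depend on how Karmada was installed. Nothing in this patch tests the rendered args either; a unit test asserting that each operator template contains `--tls-min-version=VersionTLS13` would catch a template silently dropping it. Both mainfests.go templates start and end outside these hunks.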