From 0a20e29f6c82d8274ceede0d6d7d0a67cb5a43c3 Mon Sep 17 00:00:00 2001
From: Suleyman Akbas
Date: Wed, 27 Sep 2023 10:57:46 +0200
Subject: [PATCH] fix: use specific cipher suites for kube-rbac-proxy

Signed-off-by: Suleyman Akbas
---
 ...ics_rbac.authorization.k8s.io_v1_role.yaml | 16 ----------
 ...c.authorization.k8s.io_v1_rolebinding.yaml | 13 --------
 config/rbac/kustomization.yaml | 1 -
 .../topolvm_node_role_n_rolebindings.yaml | 31 -------------------
 controllers/topolvm_node.go | 3 +-
 5 files changed, 1 insertion(+), 63 deletions(-)
 delete mode 100644 bundle/manifests/topolvm-metrics_rbac.authorization.k8s.io_v1_role.yaml
 delete mode 100644 bundle/manifests/topolvm-metrics_rbac.authorization.k8s.io_v1_rolebinding.yaml
 delete mode 100644 config/rbac/topolvm_node_role_n_rolebindings.yaml

diff --git a/bundle/manifests/topolvm-metrics_rbac.authorization.k8s.io_v1_role.yaml b/bundle/manifests/topolvm-metrics_rbac.authorization.k8s.io_v1_role.yaml
deleted file mode 100644
index 5fcebdcd5..000000000
--- a/bundle/manifests/topolvm-metrics_rbac.authorization.k8s.io_v1_role.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- creationTimestamp: null
- name: topolvm-metrics
-rules:
-- apiGroups:
- - ""
- resources:
- - services
- - endpoints
- - pods
- verbs:
- - get
- - list
- - watch
diff --git a/bundle/manifests/topolvm-metrics_rbac.authorization.k8s.io_v1_rolebinding.yaml b/bundle/manifests/topolvm-metrics_rbac.authorization.k8s.io_v1_rolebinding.yaml
deleted file mode 100644
index b39fce491..000000000
--- a/bundle/manifests/topolvm-metrics_rbac.authorization.k8s.io_v1_rolebinding.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- creationTimestamp: null
- name: topolvm-metrics
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: topolvm-metrics
-subjects:
-- kind: ServiceAccount
- name: prometheus-k8s
- namespace: openshift-monitoring
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index 4a14d2c92..c8c6124d7 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -17,7 +17,6 @@ resources:
 - lvms_node_role_n_rolebindings.yaml
 # topolvm-node metric rbac
 - topolvm_metric_service_config.yaml
-- topolvm_node_role_n_rolebindings.yaml
 - topolvm_node_service_account.yaml
 - topolvm_node_role.yaml
 - topolvm_node_role_bindings.yaml
diff --git a/config/rbac/topolvm_node_role_n_rolebindings.yaml b/config/rbac/topolvm_node_role_n_rolebindings.yaml
deleted file mode 100644
index c6c70907c..000000000
--- a/config/rbac/topolvm_node_role_n_rolebindings.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: topolvm-metrics
- namespace: system
-rules:
- - apiGroups:
- - ""
- resources:
- - services
- - endpoints
- - pods
- verbs:
- - get
- - list
- - watch
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: topolvm-metrics
- namespace: system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: topolvm-metrics
-subjects:
-- kind: ServiceAccount
- name: prometheus-k8s
- namespace: openshift-monitoring
diff --git a/controllers/topolvm_node.go b/controllers/topolvm_node.go
index a1eeb53e4..8900a7f33 100644
--- a/controllers/topolvm_node.go
+++ b/controllers/topolvm_node.go
@@ -335,10 +335,9 @@ func getRBACProxyContainer() *corev1.Container {
 args := []string{
 "--secure-listen-address=0.0.0.0:8443",
 "--upstream=http://127.0.0.1:8080/",
- "--logtostderr=true",
- "--v=0",
 "--tls-cert-file=/var/run/secrets/serving-cert/tls.crt",
 "--tls-private-key-file=/var/run/secrets/serving-cert/tls.key",
+ "--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
 }
 requirements := corev1.ResourceRequirements{
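Review bot: The added `--tls-cipher-suites` line packs six suite names into one literal with no statement of the selection rule, so a later maintainer cannot tell which additions would still be acceptable; a comment above the `args` literal such as `// Limit TLS 1.2 to ECDHE key exchange with AEAD ciphers (AES-GCM, ChaCha20-Poly1305); CBC suites are deliberately excluded.` and moving the list into a named package-level constant would make that reviewable. The selection itself is sound: every entry provides forward secrecy and authenticated encryption. In Go's crypto/tls a configured cipher-suite list constrains TLS 1.2 handshakes only — the TLS 1.3 suites remain available regardless of this flag — which is worth stating in the same comment so nobody expects it to narrow TLS 1.3. The visible `args` literal still sets no minimum protocol version; if the pinned kube-rbac-proxy build's default minimum is below TLS 1.2, adding `"--tls-min-version=VersionTLS12",` beside this flag closes that gap (confirm the default against the pinned version). getRBACProxyContainer begins above this hunk.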