$ oc create sa cron-ingress-patch-sa -n openshift-ingress-operator
This content is authored by Red Hat experts, but has not yet been tested on every supported configuration. |
This guide demonstrates how to properly patch the cluster Ingress Controllers, as well as Ingress Controllers created by the Custom Domain Operator.
This functionality allows customers to modify the tlsSecurityProfile
value on cluster Ingress Controllers.
This guide demonstrates how to apply a custom tlsSecurityProfile
, a scoped service account with the associated role and role binding, and a CronJob that the cipher changes are reapplied with 60 minutes in the event that an Ingress Controller is recreated or modified.
Review the OpenShift Documentation that explains the options for the tlsSecurityProfile
. By default, Ingress Controllers are configured to use the Intermediate
profile, which corresponds to the Intermediate Mozilla profile.
Create a service account for the CronJob to use.
A service account allows our CronJob to directly access the cluster API, without using a regular user’s credentials. To create a service account, run the following command:
$ oc create sa cron-ingress-patch-sa -n openshift-ingress-operator
Create a role and role binding that allows limited access to patch the Ingress Controllers.
Role-based access control (RBAC) is critical to ensuring security inside your cluster. Creating a role allows us to provide scoped access to only the API resources needed within the cluster. To create the role, run the following command:
$ oc create role cron-ingress-patch-role --verb=get,patch,update --resource=ingresscontroller.operator.openshift.io -n openshift-ingress-operator
Once the role has been created, you must bind the role to the service account using a role binding. To create the role binding, run the following command:
$ oc create rolebinding cron-ingress-patch-rolebinding --role=cron-ingress-patch-role --serviceaccount=openshift-ingress-operator:cron-ingress-patch-sa -n openshift-ingress-operator
Patch the Ingress Controllers.
The examples provided below add an additional cipher to the Ingress Controller’s |
Before creating the CronJob, apply the tlsSecurityProfile
configuration to validate changes.
This process depends on if you are using the Custom Domain Operator.
Clusters not using the Custom Domain Operator:
If you are only using the default Ingress Controller, and not using the Custom Domain Operator, run the following command to patch the Ingress Controller:
$ oc patch ingresscontroller/default -n openshift-ingress-operator --type=merge -p '{"spec":{"tlsSecurityProfile":{"type":"Custom","custom":{"ciphers":["TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305","DHE-RSA-AES128-GCM-SHA256","DHE-RSA-AES256-GCM-SHA384","TLS_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"],"minTLSVersion":"VersionTLS12"}}}}'
This patch adds the TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
cipher which allows access from IE 11 on Windows Server 2008 R2 when using RSA certificates.
Once you run the command, you will receive a response that looks like this:
ingresscontroller.operator.openshift.io/default patched
Clusters using the Custom Domain Operator:
Customers who are using the Custom Domain Operator need to loop through each of their Ingress Controllers to patch each one. To patch all of your cluster’s Ingress Controllers, run the following command:
$ for ic in $(oc get ingresscontroller -o name -n openshift-ingress-operator); do oc patch ${ic} -n openshift-ingress-operator --type=merge -p '{"spec":{"tlsSecurityProfile":{"type":"Custom","custom":{"ciphers":["TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305","DHE-RSA-AES128-GCM-SHA256","DHE-RSA-AES256-GCM-SHA384","TLS_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"],"minTLSVersion":"VersionTLS12"}}}}'; done
Once you run the command, you will receive a response that looks like this:
ingresscontroller.operator.openshift.io/default patched
ingresscontroller.operator.openshift.io/custom1 patched
ingresscontroller.operator.openshift.io/custom2 patched
Create the CronJob to ensure that the TLS configuration is not overwritten.
Occasionally, the cluster’s Ingress Controllers can get recreated. In these cases, the Ingress Controller will likely not retain the tlsSecurityProfile
changes that were applied.
To ensure this does not happen, create a CronJob that goes through and updates the cluster’s Ingress Controllers.
This process depends on if you are using the Custom Domain Operator.
Clusters not using the Custom Domain Operator:
If you are not using the Custom Domain Operator, create the CronJob by running the following command:
$ cat << EOF | oc apply -f -
apiVersion: batch/v1
kind: CronJob
metadata:
name: tls-patch
namespace: openshift-ingress-operator
spec:
schedule: '@hourly'
jobTemplate:
spec:
template:
spec:
containers:
- name: tls-patch
image: registry.redhat.io/openshift4/ose-tools-rhel8:latest
args:
- /bin/sh
- '-c'
- oc patch ingresscontroller/default -n openshift-ingress-operator --type=merge -p '{"spec":{"tlsSecurityProfile":{"type":"Custom","custom":{"ciphers":["TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305","DHE-RSA-AES128-GCM-SHA256","DHE-RSA-AES256-GCM-SHA384","TLS_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"],"minTLSVersion":"VersionTLS12"}}}}'
restartPolicy: Never
serviceAccountName: cron-ingress-patch-sa
EOF
This CronJob runs every hour and patches the Ingress Controllers, if necessary. It is important that this CronJob does not run constantly, as it can trigger reconciles that could overload the OpenShift Ingress Operator. Most of the time, the logs of the CronJob pod looks like the following example, as it will not be changing anything: Example output
|
Clusters using the Custom Domain Operator:
If you are using the Custom Domain Operator, the CronJob needs to loop through and patch each Ingress Controller. To create this CronJob, run the following command:
$ cat << EOF | oc apply -f -
apiVersion: batch/v1
kind: CronJob
metadata:
name: tls-patch
namespace: openshift-ingress-operator
spec:
schedule: '@hourly'
jobTemplate:
spec:
template:
spec:
containers:
- name: tls-patch
image: registry.redhat.io/openshift4/ose-tools-rhel8:latest
args:
- /bin/sh
- '-c'
- for ic in $(oc get ingresscontroller -o name -n openshift-ingress-operator); do oc patch ${ic} -n openshift-ingress-operator --type=merge -p '{"spec":{"tlsSecurityProfile":{"type":"Custom","custom":{"ciphers":["TLS_AES_128_GCM_SHA256","TLS_AES_256_GCM_SHA384","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305","DHE-RSA-AES128-GCM-SHA256","DHE-RSA-AES256-GCM-SHA384","TLS_CHACHA20_POLY1305_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"],"minTLSVersion":"VersionTLS12"}}}}'; done
restartPolicy: Never
serviceAccountName: cron-ingress-patch-sa
EOF
This CronJob runs every hour and patches the Ingress Controllers, if necessary. It is important that this CronJob does not run constantly, as it can trigger reconciles that could overload the OpenShift Ingress Operator. Most of the time, the logs of the CronJob pod will look something like this, as it will not be changing anything: Example output
|