It's been a while, but I'm back in the world of IBM Cloud Private (ICP), specifically mitigating a cipher warning message from a Nessus endpoint scan.
One of my z/Linux boxes, running Red Hat Enterprise Linux, threw up a warning: -
SSL Medium Strength Cipher Suites Supported 192.168.1.242:10259 / tcp
via a Nessus endpoint scan.
I used a simple piece of detective work to find out WHAT was listening on port 10259: -
netstat -aonp|grep 10259
which returned: -
tcp6 0 0 :::10259 :::* LISTEN 45537/hyperkube off (0.00/0/0)
to inspect the specific process ID (PID), which returned: -
root 45537 0.2 0.1 907488 61804 ? Ssl 11:14 0:06 /hyperkube kube-scheduler --master=https://127.0.0.1:8001 --kubeconfig=/etc/cfc/conf/kube-scheduler-config.yaml --policy-config-file=/etc/cfc/conf/scheduler-policy-config.json --use-legacy-policy-config=true --v=2 --profiling=false --leader-elect=true
describes how the SSL/TLS ciphers for kube-scheduler can be modified using the --tls-cipher-suites switch.
This document: -
Modifying Cipher Suites used by Kubernetes in IBM Cloud Private
then describes the specifics for ICP, namely updating /etc/cfc/pods/master.json to include --tls-cipher-suites for the scheduler Pod.
Once I backed up, and then edited, this file, the Pod was automatically restarted, and the Nessus scan ran cleanly.
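As an added illustration of that edit (not code from the post or from IBM), here is a small Python helper that sets `--tls-cipher-suites` on the scheduler container of a static Pod manifest in an idempotent way, so a re-run replaces rather than duplicates the flag. The manifest below is a constructed sample in the shape of a Kubernetes Pod spec; the real layout of /etc/cfc/pods/master.json is assumed, not taken from the page, and the suite list is a forward-secret AEAD-only selection using Go crypto/tls names.

```python
import copy
import json

# Constructed sample with the shape of a static Pod manifest such as
# /etc/cfc/pods/master.json (assumed: one container per control-plane component).
SAMPLE_MANIFEST = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "k8s-master"},
    "spec": {"containers": [
        {"name": "apiserver", "command": ["/hyperkube", "apiserver", "--v=2"]},
        {"name": "scheduler", "command": [
            "/hyperkube", "kube-scheduler",
            "--master=https://127.0.0.1:8001", "--leader-elect=true"]},
    ]},
}

# Go crypto/tls suite names accepted by --tls-cipher-suites. Only ECDHE + GCM
# suites are listed, so CBC and 3DES suites (the usual "medium strength" hits) drop out.
STRONG_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]
FLAG = "--tls-cipher-suites"


def set_cipher_suites(manifest, container_name, suites):
    """Return a copy of manifest with FLAG set exactly once on the named container."""
    out = copy.deepcopy(manifest)
    for c in out["spec"]["containers"]:
        if c["name"] == container_name:
            # Strip any earlier FLAG=... so repeated edits do not stack flags.
            cmd = [a for a in c.get("command", []) if not a.startswith(FLAG + "=")]
            cmd.append(FLAG + "=" + ",".join(suites))
            c["command"] = cmd
            return out
    raise KeyError("no container named %r" % container_name)


def get_cipher_suites(manifest, container_name):
    """Read back the configured suites (empty list if the flag is absent)."""
    for c in manifest["spec"]["containers"]:
        if c["name"] == container_name:
            for a in c.get("command", []):
                if a.startswith(FLAG + "="):
                    return a.split("=", 1)[1].split(",")
    return []


if __name__ == "__main__":
    print(json.dumps(set_cipher_suites(SAMPLE_MANIFEST, "scheduler", STRONG_SUITES), indent=2))
```

Back the real file up first, as the post does; the kubelet picks up the changed manifest and restarts the Pod on its own.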