# rke2
c
Kubernetes isn't Java; I'm confused why you're trying to configure Java args. Is this something you need to set in your workload pods?
l
Hi Brad. Yeah, I understand. We are using Dell PowerProtect Data Manager to protect RKE2 workloads, and Dell has disabled an old cipher (secp256r1) in their backup software. So when I try to protect RKE2 now, it fails. As part of troubleshooting, I changed the Java security settings on the RKE2 nodes and added secp256r1 to the disabled ciphers, but it did not help.
c
I'm still confused what the Java settings have to do with RKE2. Neither RKE2 nor Kubernetes itself is written in Java, so why would changing the JAVA_SECURITY environment vars have any effect on it?
What does “protect RKE2” mean? Is this piece of software written in Java, and it is trying to connect to the Kubernetes apiserver?
l
Yes, that's right. It's connecting to the API server on port 6443.
Protect means taking backups of RKE2 namespaces and PVCs.
c
What even is `secp256r1`? Rancher should support a bunch of TLS 1.2 ciphers, but only the ones that use ECDSA since we don't use RSA keys.
l
If you look at that Java file in your RKE2 environment, you will notice that there is a list of disabled insecure ciphers, as shown below. secp256r1 is one more insecure one which the Dell backup software has disabled on their side, so I am trying to find a way to disable it from the Kubernetes side as well.

```properties
#
# This property contains a list of disabled EC Named Curves that can be included
# in the jdk.[tls|certpath|jar].disabledAlgorithms properties. To include this
# list in any of the disabledAlgorithms properties, add the property name as
# an entry.
jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2, \
    secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, \
    secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, \
    sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, \
    sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, \
    sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, \
    X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, \
    X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, \
    X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, \
    brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
```
c
Ah, it's the prime256 curve, I see.
Unfortunately our certificates are hardcoded to use the prime256 curve, so you will not be able to get it to work if that curve is disabled.
RKE2 is set up to support use with only FIPS 140-2 approved ciphers, and the prime256 curve is supported by that. Can you point to some public security document that backs your requirement to not use that curve?
l
If you notice, I am editing the list of already disabled ciphers on the RKE2 side (jdk.disabled.namedCurves). I just tried adding secp256r1 to that list, but that did not help.
c
What is the actual error that you're getting? I don't see that you've shared that yet.
I'm confused: secp256r1 is what RKE2 uses for its certs, so why would you add that to the disabled list?
l
Here is the error. It's not recommended to do this in a prod environment, but I'm just looking for steps to disable the ciphers like it's mentioned here: https://forums.rancher.com/t/rancher-rke-k8s-using-tls-weak-cipher-suites-issue/19460/5
Do you know where I can add those extra_args in RKE2? I could not find anything as described in the above doc.
I was trying to update the rke2.yaml file with the TLS settings mentioned here, but as soon as I restart the rke2 server, those new entries disappear. May I know under which section we should add these entries? https://www.stigviewer.com/stig/rancher_government_solutions_rke2/2022-10-13/finding/V-254553
c
You cannot disable use of the prime256 curve. It is not a TLS cipher, it is an elliptic curve used for generating keys, and its use is hardcoded in RKE2.
l
Alright. BTW, we don't face any issues when I install K8s 1.26/1.27 directly on Linux servers.