# k3s
c
what happens when you do that?
a
I haven't tried it yet in our new cluster, I'm doing that in test this evening once other people are off it. In our old K3s cluster we got this error when we tried it.
```
k3s[29118]: E0930 03:51:35.455529   29118 server.go:166]
 "Failed to listen and serve" err="http2: TLSConfig.CipherSuites is missing an HTTP/2-required
 AES_128_GCM_SHA256 cipher (need at least one of TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or
 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)"
```
That was an old version of K3s though, I want to say somewhere between 1.19 and 1.21
c
yeah you do have to be careful about some of that, http/2 is much more prescriptive about cipher selection.
a
Damn, I still get that same error when I add those other cipher suites and remove the old one we have in there.
```
level=error msg="apiserver exited: error configuring http2: http2: TLSConfig.CipherSuites is missing an HTTP/2-required AES_128_GCM_SHA256 cipher (need at least one of TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)"
```
Do you know if that is documented anywhere that we can point our security folks to? This says at least the kubelet should work with a subset of those cipher suites, but it did not work when I took it out of the `--kubelet-arg=tls-cipher-suites=` arg or `--kube-apiserver-arg=tls-cipher-suites=` in /etc/systemd/system/k3s.service
c
This is core Kubernetes stuff, it would be either documented upstream in Kubernetes or in the http/2 standard itself since that is what dictates the cipher suites.
a
Looks like you answered this question a year and a half ago, haha. Guess we're stuck with that cipher suite https://github.com/rancher/rke2/discussions/4125#discussioncomment-5653052
c
I thought it looked familiar lol