Add support for Kubelet

[atombrella]

I need to work a bit with this, but it's a good first take. Those settings are what the CIS Kubernetes Benchmarks recommend.

[janbrasna]

@atombrella Have you tried this output in a live config, without errors, and with the constraints really working (i. e. verifying via nmap, curl -vvv --tls* or ssllabs et al. that the intended values are really getting picked up correctly)? Just from glancing the output configs I see some bits that wouldn't work, probably leaving the values unconfigured.

(From the PR description I get it's just a starting point, not sure if you're ready to review… If you need to mark it as a WIP for now you can change it to a draft PR…)

[janbrasna]

@atombrella Do you need any more detailed help with the outstanding review bits to be addressed?

TODO:

• TLSv1.3 support #197 (comment)
• correct TLSv1.3 version? #197 (comment)
• ciphers as a sequence #197 (comment)
• test ciphers array length #197 (comment)
• protocols need to use golang format #197 (comment)
• json items ordering #197 (comment)
• kubelet config ordering #197 (comment)

[atombrella]

@janbrasna @gene1wood Thank you for the feedback!

I'm sorry it took me a while to get back to this. I've posted a couple of screenshots from my local setup. The SSL configurator does indeed start, and you can select either Docker has been helpful to avoid cluttering my local setup; I left a PR to add a Dockerfile to the repository, but haven't received any comments/review. The PR is #178
I did not know about the netlify functionality.

The configuration file doesn't seem to be very common. Instead, the kube-apiserver.yaml is more common. Thus, I've posted the recommendation that kube-bench
gives. The tool implements all of the guidelines from the CIS Kubernetes Benchmark.

4.2.13 If using a Kubelet config file, edit the file to set `TLSCipherSuites` to
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
or to a subset of these values.
If using executable arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service.d/10-kubeadm.conf on each worker node and
set the --tls-cipher-suites parameter as follows, or to a subset of these values.
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service

One question that is a bit vague to me, is whether I should leave out the cipher suite parameter for TLS 1.3, instead
of keeping it blank.

[janbrasna]

@atombrella I've already written the suggested array check above in #197 (comment) for you incl. the brackets. Same with golang's TLS version formats #197 (comment), if that makes sense you can click-to-commit directly from the suggestion diff.

(Netlify is currently not linked to this repo but I'm slowly working on it. The preview is from my QA pull testing…)

(The dockerfile PR needs also some love so that's not priority right now; since recently the stack has been updated to hopefully enable higher node versions to plug into automation, so when I have some time I'll check node 20 or LTS compatibility, that's higher priority to work on local machines with newer engines than 12 or 14…)

[gstrauss]

@atombrella the PR needs to be reformatted for .js, not .hbs, and I can help with that if you are still interested in this.