SSL Medium Strength Cipher Suites Supported for operator

lance5890 · lance5890 · commit 9fb1d1de6edc · 2025-08-29T09:22:10.000+08:00
diff --git a/bindata/assets/kube-apiserver/pod.yaml b/bindata/assets/kube-apiserver/pod.yaml
@@ -239,6 +239,8 @@ spec:
     args:
       - --kubeconfig
       - /etc/kubernetes/static-pod-certs/configmaps/check-endpoints-kubeconfig/kubeconfig
+      - --config
+      - /etc/kubernetes/static-pod-certs/configmaps/kube-apiserver-operator-config/config.yaml
       - --listen
       - 0.0.0.0:17697
       - --namespace
diff --git a/manifests/0000_20_kube-apiserver-operator_03_configmap.yaml b/manifests/0000_20_kube-apiserver-operator_03_configmap.yaml
@@ -11,3 +11,12 @@ data:
   config.yaml: |
     apiVersion: operator.openshift.io/v1
     kind: GenericOperatorConfig
+    servingInfo:
+      cipherSuites:
+      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+      - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+      - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+      minTLSVersion: VersionTLS12
diff --git a/pkg/operator/resourcesynccontroller/resourcesynccontroller.go b/pkg/operator/resourcesynccontroller/resourcesynccontroller.go
@@ -95,5 +95,13 @@ func NewResourceSyncController(
 		return nil, err
 	}
 
+	// this config contains the cipherSuites and minTLSVersion which is used by check-endpoints
+	if err := resourceSyncController.SyncConfigMap(
+		resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "kube-apiserver-operator-config"},
+		resourcesynccontroller.ResourceLocation{Namespace: operatorclient.OperatorNamespace, Name: "kube-apiserver-operator-config"},
+	); err != nil {
+		return nil, err
+	}
+
 	return resourceSyncController, nil
 }
diff --git a/pkg/operator/starter.go b/pkg/operator/starter.go
@@ -660,6 +660,9 @@ var CertConfigMaps = []installer.UnrevisionedResource{
 
 	// kubeconfig for check-endpoints
 	{Name: "check-endpoints-kubeconfig"},
+
+	// kube-apiserver-operator-config(contains safe cipherSuites and minTLSVersion) for check-endpoints
+	{Name: "kube-apiserver-operator-config"},
 }
 
 var CertSecrets = []installer.UnrevisionedResource{

Original file line number	Diff line number	Diff line change
`@@ -95,5 +95,13 @@ func NewResourceSyncController(`
`95`	`95`	`return nil, err`
`96`	`96`	`}`
`97`	`97`
	`98`	`+ // this config contains the cipherSuites and minTLSVersion which is used by check-endpoints`
	`99`	`+ if err := resourceSyncController.SyncConfigMap(`
	`100`	`+ resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "kube-apiserver-operator-config"},`
	`101`	`+ resourcesynccontroller.ResourceLocation{Namespace: operatorclient.OperatorNamespace, Name: "kube-apiserver-operator-config"},`
	`102`	`+ ); err != nil {`
	`103`	`+ return nil, err`
	`104`	`+ }`
	`105`	`+`
`98`	`106`	`return resourceSyncController, nil`
`99`	`107`	`}`
Original file line number	Diff line number	Diff line change
`@@ -660,6 +660,9 @@ var CertConfigMaps = []installer.UnrevisionedResource{`
`660`	`660`
`661`	`661`	`// kubeconfig for check-endpoints`
`662`	`662`	`{Name: "check-endpoints-kubeconfig"},`
	`663`	`+`
	`664`	`+ // kube-apiserver-operator-config(contains safe cipherSuites and minTLSVersion) for check-endpoints`
	`665`	`+ {Name: "kube-apiserver-operator-config"},`
`663`	`666`	`}`
`664`	`667`
`665`	`668`	`var CertSecrets = []installer.UnrevisionedResource{`