More safe CipherSuites Supported for kube-apiserver-check-endpoints

Signed-off-by: lan.tian <[email protected]>

Author: lance5890

bindata/assets/kube-apiserver/check-endpoints-config-cm.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: openshift-kube-apiserver
+  name: kube-apiserver-check-endpoints-config
+data:
+  config.yaml: |
+    apiVersion: operator.openshift.io/v1
+    kind: GenericOperatorConfig
+    servingInfo:
+      cipherSuites:
+      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+      - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+      - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+      minTLSVersion: VersionTLS12

bindata/assets/kube-apiserver/pod.yaml

@@ -239,6 +239,8 @@ spec:
     args:
       - --kubeconfig
       - /etc/kubernetes/static-pod-certs/configmaps/check-endpoints-kubeconfig/kubeconfig
+      - --config
+      - /etc/kubernetes/static-pod-resources/configmaps/kube-apiserver-check-endpoints-config/config.yaml
       - --listen
       - 0.0.0.0:17697
       - --namespace

pkg/operator/starter.go

@@ -632,6 +632,8 @@ var RevisionConfigMaps = []revision.RevisionResource{
 
 	// optional configmap containing the OIDC structured auth config
 	{Name: auth.AuthConfigCMName, Optional: true},
+	// kube-apiserver-check-endpoints-config: TLS cipherSuites/minTLSVersion for check-endpoints.
+	{Name: "kube-apiserver-check-endpoints-config"},
 }
 
 // RevisionSecrets is a list of secrets that are directly copied for the current values.  A different actor/controller modifies these.

pkg/operator/targetconfigcontroller/targetconfigcontroller.go

@@ -219,6 +219,10 @@ func createTargetConfig(ctx context.Context, c TargetConfigController, recorder
 	if err != nil {
 		errors = append(errors, fmt.Errorf("%q: %v", "configmap/config", err))
 	}
+	_, _, err = manageKubeAPICheckEndpointsConfig(ctx, c.kubeClient.CoreV1(), recorder)
+	if err != nil {
+		errors = append(errors, fmt.Errorf("%q: %v", "configmap/kube-apiserver-check-endpoints-config", err))
+	}
 	_, _, err = managePods(ctx, c.kubeClient.CoreV1(), c.isStartupMonitorEnabledFn, recorder, operatorSpec, c.targetImagePullSpec, c.operatorImagePullSpec, c.operatorImageVersion)
 	if err != nil {
 		errors = append(errors, fmt.Errorf("%q: %v", "configmap/kube-apiserver-pod", err))
@@ -303,6 +307,12 @@ func manageKubeAPIServerConfig(ctx context.Context, client coreclientv1.ConfigMa
 	return resourceapply.ApplyConfigMap(ctx, client, recorder, requiredConfigMap)
 }
 
+func manageKubeAPICheckEndpointsConfig(ctx context.Context, client coreclientv1.ConfigMapsGetter, recorder events.Recorder) (*corev1.ConfigMap, bool, error) {
+	configMap := resourceread.ReadConfigMapV1OrDie(bindata.MustAsset("assets/kube-apiserver/check-endpoints-config-cm.yaml"))
+	configMap.Namespace = operatorclient.TargetNamespace
+	return resourceapply.ApplyConfigMap(ctx, client, recorder, configMap)
+}
+
 func managePods(ctx context.Context, client coreclientv1.ConfigMapsGetter, isStartupMonitorEnabledFn func() (bool, error), recorder events.Recorder, operatorSpec *operatorv1.StaticPodOperatorSpec, imagePullSpec, operatorImagePullSpec, operatorImageVersion string) (*corev1.ConfigMap, bool, error) {
 	appliedPodTemplate, err := manageTemplate(string(bindata.MustAsset("assets/kube-apiserver/pod.yaml")), imagePullSpec, operatorImagePullSpec, operatorImageVersion, operatorSpec)
 	if err != nil {