
Commit 2c5c20c

authored
Merge pull request #1216 from fpetkovski/prometheus-adapter-cipher-suites
jsonnet: disable insecure cipher suites for prometheus-adapter
2 parents 7932456 + 0ff173e commit 2c5c20c

2 files changed

+19
-0
lines changed

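--- a/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
+++ b/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
@@ -53,6 +53,23 @@ local defaults = {
 window: '5m',
 },
 },
+tlsCipherSuites: [
+'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305',
+'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305',
+'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
+'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
+'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
+'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
+'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
+'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
+'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
+'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
+'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
+'TLS_RSA_WITH_AES_128_GCM_SHA256',
+'TLS_RSA_WITH_AES_256_GCM_SHA384',
+'TLS_RSA_WITH_AES_128_CBC_SHA',
+'TLS_RSA_WITH_AES_256_CBC_SHA',
+],
 };
 
 function(params) {
@@ -145,6 +162,7 @@ function(params) {
 '--metrics-relist-interval=1m',
 '--prometheus-url=' + pa._config.prometheusURL,
 '--secure-port=6443',
+'--tls-cipher-suites=' + std.join(',', pa._config.tlsCipherSuites),
 ],
 ports: [{ containerPort: 6443 }],
 volumeMounts: [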
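Review bot: The `tlsCipherSuites` default still allows suites that the commit title would lead a reader to expect gone: the four `TLS_RSA_WITH_*` entries use static RSA key exchange and give no forward secrecy, five of the ECDHE entries are CBC-mode, and `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256` is one that Go's crypto/tls reports among its insecure suites. If no client of the adapter needs them, the default could stop after the six ECDHE ChaCha20-Poly1305/AES-GCM entries, with a comment above the list such as `// Allow-list for --tls-cipher-suites: ECDHE key exchange with AEAD ciphers only; extend via params for legacy clients.` The args list also sets no minimum protocol version, so `'--tls-min-version=VersionTLS12',` next to the new flag is worth considering if the adapter binary accepts it. Both `local defaults` and `function(params)` continue outside the hunks shown, and the same list is repeated in manifests/prometheus-adapter-deployment.yaml.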

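--- a/manifests/prometheus-adapter-deployment.yaml
+++ b/manifests/prometheus-adapter-deployment.yaml
@@ -35,6 +35,7 @@ spec:
 - --metrics-relist-interval=1m
 - --prometheus-url=http://prometheus-k8s.monitoring.svc.cluster.local:9090/
 - --secure-port=6443
+- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
 image: directxman12/k8s-prometheus-adapter:v0.8.4
 name: prometheus-adapter
 ports: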
