Add note about TLS 1.3 cipher suites #115399
Conversation
|
|
|
Welcome @3u13r! |
|
Hi @3u13r. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project. |
|
/remove-sig api-machinery |
|
/assign @kubernetes/api-reviewers |
|
/ok-to-test |
|
@3u13r This seems to be a user-visible change. Please, update release notes, thanks. |
|
@3u13r please fix CI test failures, thanks. |
|
/assign |
|
@3u13r can you provide more details in the description. It's not clear to me why we need to ignore TLS 1.3 configuration. |
|
I'm sorry that I've missed the release note. I've also added more information in the PR description. In short: Kubernetes correctly passes all TLS configuration to Go's tls library. But the library ignores the cipher suite selection for TLS 1.3. |
|
/lgtm |
|
LGTM label has been added. Git tree hash: 3c6bafa197f65ceb105084c910fead6ab02c6893
|
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: 3u13r, liggitt The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind documentation
What this PR does / why we need it:
Document that a user configuration is ignored for TLS 1.3.
This aligns the documentation with Go's tls package.
The goal is to avoid misconfigurations, where the user thinks they are restricting/selecting TLS 1.3 ciphers.
While changing the TLS 1.3 ciphers is a non-goal in itself, I think the diverging behavior should be documented.
EDIT:
To clarify, Kubernetes passes the minimum TLS version and configured cipher suites into Go's
tls.Configstruct.There it is stated that any cipher suite configuration regarding TLS 1.3 is ignored.
Therefore, Kubernetes also ignores any attempt to configure TLS 1.3 cipher suites.
This PR documents TLS 1.3 as an exception for
TLSCipherSuitesdocumented behavior.Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: