-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add note about TLS 1.3 cipher suites #115399
Add note about TLS 1.3 cipher suites #115399
Conversation
|
Welcome @3u13r! |
Hi @3u13r. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project. |
/remove-sig api-machinery |
/assign @kubernetes/api-reviewers |
/ok-to-test |
@3u13r This seems to be a user-visible change. Please, update release notes, thanks. |
@3u13r please fix CI test failures, thanks. |
/assign |
@3u13r can you provide more details in the description. It's not clear to me why we need to ignore TLS 1.3 configuration. |
I'm sorry that I've missed the release note. I've also added more information in the PR description. In short: Kubernetes correctly passes all TLS configuration to Go's tls library. But the library ignores the cipher suite selection for TLS 1.3. |
/lgtm |
LGTM label has been added. Git tree hash: 3c6bafa197f65ceb105084c910fead6ab02c6893
|
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: 3u13r, liggitt The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind documentation
What this PR does / why we need it:
Document that a user configuration is ignored for TLS 1.3.
This aligns the documentation with Go's tls package.
The goal is to avoid misconfigurations, where the user thinks they are restricting/selecting TLS 1.3 ciphers.
While changing the TLS 1.3 ciphers is a non-goal in itself, I think the diverging behavior should be documented.
EDIT:
To clarify, Kubernetes passes the minimum TLS version and configured cipher suites into Go's
tls.Config
struct.There it is stated that any cipher suite configuration regarding TLS 1.3 is ignored.
Therefore, Kubernetes also ignores any attempt to configure TLS 1.3 cipher suites.
This PR documents TLS 1.3 as an exception for
TLSCipherSuites
documented behavior.Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: