1 package v1 2 3 // TLSSecurityProfile defines the schema for a TLS security profile. This object 4 // is used by operators to apply TLS security settings to operands. 5 // +union 6 type TLSSecurityProfile struct { 7 // type is one of Old, Intermediate, Modern or Custom. Custom provides 8 // the ability to specify individual TLS security profile parameters. 9 // Old, Intermediate and Modern are TLS security profiles based on: 10 // 11 // https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations 12 // 13 // The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers 14 // are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be 15 // reduced. 16 // 17 // Note that the Modern profile is currently not supported because it is not 18 // yet well adopted by common software libraries. 19 // 20 // +unionDiscriminator 21 // +optional 22 Type TLSProfileType `json:"type"` 23 // old is a TLS security profile based on: 24 // 25 // https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility 26 // 27 // and looks like this (yaml): 28 // 29 // ciphers: 30 // - TLS_AES_128_GCM_SHA256 31 // - TLS_AES_256_GCM_SHA384 32 // - TLS_CHACHA20_POLY1305_SHA256 33 // - ECDHE-ECDSA-AES128-GCM-SHA256 34 // - ECDHE-RSA-AES128-GCM-SHA256 35 // - ECDHE-ECDSA-AES256-GCM-SHA384 36 // - ECDHE-RSA-AES256-GCM-SHA384 37 // - ECDHE-ECDSA-CHACHA20-POLY1305 38 // - ECDHE-RSA-CHACHA20-POLY1305 39 // - DHE-RSA-AES128-GCM-SHA256 40 // - DHE-RSA-AES256-GCM-SHA384 41 // - DHE-RSA-CHACHA20-POLY1305 42 // - ECDHE-ECDSA-AES128-SHA256 43 // - ECDHE-RSA-AES128-SHA256 44 // - ECDHE-ECDSA-AES128-SHA 45 // - ECDHE-RSA-AES128-SHA 46 // - ECDHE-ECDSA-AES256-SHA384 47 // - ECDHE-RSA-AES256-SHA384 48 // - ECDHE-ECDSA-AES256-SHA 49 // - ECDHE-RSA-AES256-SHA 50 // - DHE-RSA-AES128-SHA256 51 // - DHE-RSA-AES256-SHA256 52 // - AES128-GCM-SHA256 53 // - AES256-GCM-SHA384 54 // - AES128-SHA256 55 // - AES256-SHA256 56 // - AES128-SHA 57 // - AES256-SHA 58 // - DES-CBC3-SHA 59 // minTLSVersion: TLSv1.0 60 // 61 // +optional 62 // +nullable 63 Old *OldTLSProfile `json:"old,omitempty"` 64 // intermediate is a TLS security profile based on: 65 // 66 // https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 67 // 68 // and looks like this (yaml): 69 // 70 // ciphers: 71 // - TLS_AES_128_GCM_SHA256 72 // - TLS_AES_256_GCM_SHA384 73 // - TLS_CHACHA20_POLY1305_SHA256 74 // - ECDHE-ECDSA-AES128-GCM-SHA256 75 // - ECDHE-RSA-AES128-GCM-SHA256 76 // - ECDHE-ECDSA-AES256-GCM-SHA384 77 // - ECDHE-RSA-AES256-GCM-SHA384 78 // - ECDHE-ECDSA-CHACHA20-POLY1305 79 // - ECDHE-RSA-CHACHA20-POLY1305 80 // - DHE-RSA-AES128-GCM-SHA256 81 // - DHE-RSA-AES256-GCM-SHA384 82 // minTLSVersion: TLSv1.2 83 // 84 // +optional 85 // +nullable 86 Intermediate *IntermediateTLSProfile `json:"intermediate,omitempty"` 87 // modern is a TLS security profile based on: 88 // 89 // https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility 90 // 91 // and looks like this (yaml): 92 // 93 // ciphers: 94 // - TLS_AES_128_GCM_SHA256 95 // - TLS_AES_256_GCM_SHA384 96 // - TLS_CHACHA20_POLY1305_SHA256 97 // minTLSVersion: TLSv1.3 98 // 99 // NOTE: Currently unsupported. 100 // 101 // +optional 102 // +nullable 103 Modern *ModernTLSProfile `json:"modern,omitempty"` 104 // custom is a user-defined TLS security profile. Be extremely careful using a custom 105 // profile as invalid configurations can be catastrophic. An example custom profile 106 // looks like this: 107 // 108 // ciphers: 109 // - ECDHE-ECDSA-CHACHA20-POLY1305 110 // - ECDHE-RSA-CHACHA20-POLY1305 111 // - ECDHE-RSA-AES128-GCM-SHA256 112 // - ECDHE-ECDSA-AES128-GCM-SHA256 113 // minTLSVersion: TLSv1.1 114 // 115 // +optional 116 // +nullable 117 Custom *CustomTLSProfile `json:"custom,omitempty"` 118 } 119 120 // OldTLSProfile is a TLS security profile based on: 121 // https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility 122 type OldTLSProfile struct{} 123 124 // IntermediateTLSProfile is a TLS security profile based on: 125 // https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29 126 type IntermediateTLSProfile struct{} 127 128 // ModernTLSProfile is a TLS security profile based on: 129 // https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility 130 type ModernTLSProfile struct{} 131 132 // CustomTLSProfile is a user-defined TLS security profile. Be extremely careful 133 // using a custom TLS profile as invalid configurations can be catastrophic. 134 type CustomTLSProfile struct { 135 TLSProfileSpec `json:",inline"` 136 } 137 138 // TLSProfileType defines a TLS security profile type. 139 // +kubebuilder:validation:Enum=Old;Intermediate;Modern;Custom 140 type TLSProfileType string 141 142 const ( 143 // Old is a TLS security profile based on: 144 // https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility 145 TLSProfileOldType TLSProfileType = "Old" 146 // Intermediate is a TLS security profile based on: 147 // https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29 148 TLSProfileIntermediateType TLSProfileType = "Intermediate" 149 // Modern is a TLS security profile based on: 150 // https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility 151 TLSProfileModernType TLSProfileType = "Modern" 152 // Custom is a TLS security profile that allows for user-defined parameters. 153 TLSProfileCustomType TLSProfileType = "Custom" 154 ) 155 156 // TLSProfileSpec is the desired behavior of a TLSSecurityProfile. 157 type TLSProfileSpec struct { 158 // ciphers is used to specify the cipher algorithms that are negotiated 159 // during the TLS handshake. Operators may remove entries their operands 160 // do not support. For example, to use DES-CBC3-SHA (yaml): 161 // 162 // ciphers: 163 // - DES-CBC3-SHA 164 // 165 Ciphers []string `json:"ciphers"` 166 // minTLSVersion is used to specify the minimal version of the TLS protocol 167 // that is negotiated during the TLS handshake. For example, to use TLS 168 // versions 1.1, 1.2 and 1.3 (yaml): 169 // 170 // minTLSVersion: TLSv1.1 171 // 172 // NOTE: currently the highest minTLSVersion allowed is VersionTLS12 173 // 174 MinTLSVersion TLSProtocolVersion `json:"minTLSVersion"` 175 } 176 177 // TLSProtocolVersion is a way to specify the protocol version used for TLS connections. 178 // Protocol versions are based on the following most common TLS configurations: 179 // 180 // https://ssl-config.mozilla.org/ 181 // 182 // Note that SSLv3.0 is not a supported protocol version due to well known 183 // vulnerabilities such as POODLE: https://en.wikipedia.org/wiki/POODLE 184 // +kubebuilder:validation:Enum=VersionTLS10;VersionTLS11;VersionTLS12;VersionTLS13 185 type TLSProtocolVersion string 186 187 const ( 188 // VersionTLSv10 is version 1.0 of the TLS security protocol. 189 VersionTLS10 TLSProtocolVersion = "VersionTLS10" 190 // VersionTLSv11 is version 1.1 of the TLS security protocol. 191 VersionTLS11 TLSProtocolVersion = "VersionTLS11" 192 // VersionTLSv12 is version 1.2 of the TLS security protocol. 193 VersionTLS12 TLSProtocolVersion = "VersionTLS12" 194 // VersionTLSv13 is version 1.3 of the TLS security protocol. 195 VersionTLS13 TLSProtocolVersion = "VersionTLS13" 196 ) 197 198 // TLSProfiles Contains a map of TLSProfileType names to TLSProfileSpec. 199 // 200 // NOTE: The caller needs to make sure to check that these constants are valid for their binary. Not all 201 // entries map to values for all binaries. In the case of ties, the kube-apiserver wins. Do not fail, 202 // just be sure to whitelist only and everything will be ok. 203 var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{ 204 TLSProfileOldType: { 205 Ciphers: []string{ 206 "TLS_AES_128_GCM_SHA256", 207 "TLS_AES_256_GCM_SHA384", 208 "TLS_CHACHA20_POLY1305_SHA256", 209 "ECDHE-ECDSA-AES128-GCM-SHA256", 210 "ECDHE-RSA-AES128-GCM-SHA256", 211 "ECDHE-ECDSA-AES256-GCM-SHA384", 212 "ECDHE-RSA-AES256-GCM-SHA384", 213 "ECDHE-ECDSA-CHACHA20-POLY1305", 214 "ECDHE-RSA-CHACHA20-POLY1305", 215 "DHE-RSA-AES128-GCM-SHA256", 216 "DHE-RSA-AES256-GCM-SHA384", 217 "DHE-RSA-CHACHA20-POLY1305", 218 "ECDHE-ECDSA-AES128-SHA256", 219 "ECDHE-RSA-AES128-SHA256", 220 "ECDHE-ECDSA-AES128-SHA", 221 "ECDHE-RSA-AES128-SHA", 222 "ECDHE-ECDSA-AES256-SHA384", 223 "ECDHE-RSA-AES256-SHA384", 224 "ECDHE-ECDSA-AES256-SHA", 225 "ECDHE-RSA-AES256-SHA", 226 "DHE-RSA-AES128-SHA256", 227 "DHE-RSA-AES256-SHA256", 228 "AES128-GCM-SHA256", 229 "AES256-GCM-SHA384", 230 "AES128-SHA256", 231 "AES256-SHA256", 232 "AES128-SHA", 233 "AES256-SHA", 234 "DES-CBC3-SHA", 235 }, 236 MinTLSVersion: VersionTLS10, 237 }, 238 TLSProfileIntermediateType: { 239 Ciphers: []string{ 240 "TLS_AES_128_GCM_SHA256", 241 "TLS_AES_256_GCM_SHA384", 242 "TLS_CHACHA20_POLY1305_SHA256", 243 "ECDHE-ECDSA-AES128-GCM-SHA256", 244 "ECDHE-RSA-AES128-GCM-SHA256", 245 "ECDHE-ECDSA-AES256-GCM-SHA384", 246 "ECDHE-RSA-AES256-GCM-SHA384", 247 "ECDHE-ECDSA-CHACHA20-POLY1305", 248 "ECDHE-RSA-CHACHA20-POLY1305", 249 "DHE-RSA-AES128-GCM-SHA256", 250 "DHE-RSA-AES256-GCM-SHA384", 251 }, 252 MinTLSVersion: VersionTLS12, 253 }, 254 TLSProfileModernType: { 255 Ciphers: []string{ 256 "TLS_AES_128_GCM_SHA256", 257 "TLS_AES_256_GCM_SHA384", 258 "TLS_CHACHA20_POLY1305_SHA256", 259 }, 260 MinTLSVersion: VersionTLS13, 261 }, 262 } 263