
Insecure default TLS policy because the AGIC controller uses an old network API version (< 2023-02-01) and a deprecated Azure SDK

Open zioproto opened this issue 1 year ago • 4 comments

Looking at this line of code: https://github.com/Azure/application-gateway-kubernetes-ingress/blob/8bc1e63c3714667bb59f8533fd39b8970e77bd2b/pkg/azure/client.go#L15

I understand the AGIC controller is using deprecated Azure SDKs and should be upgraded following this guide: https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/MIGRATION_GUIDE.md

There is an impact on security. Because the deprecated Azure SDK consumes an ARM API version lower than 2023-02-01, in the Default TLS policy the minimum protocol version is set to TLS 1.0.

This was originally reported by a customer here: https://github.com/Azure/terraform-azurerm-aks/issues/532

How is this actionable? Please patch the code to use API version 2023-02-01 or higher; then the minimum TLS protocol version is set to 1.2.

Documentation reference: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview#default-tls-policy

Cc: @chixcancode @JackStromberg

zioproto avatar Jun 14 '24 13:06 zioproto
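Added example (not part of the issue or of the AGIC code base): a small audit that takes the `sslPolicy` block from `az network application-gateway show` output and reports the effective minimum TLS version, so you can check whether gateways created by AGIC are sitting on the TLS 1.0 default. The predefined-policy table follows the Application Gateway SSL policy documentation linked above; the default-policy logic for a gateway with no `sslPolicy` set follows what this issue describes (API version before 2023-02-01 gives AppGwSslPolicy20150501, 2023-02-01 or later gives AppGwSslPolicy20220101). The sample gateway documents, the resource group name and the API version `2022-07-01` passed in `__main__` are constructed for the example.

```python
"""Audit the effective minimum TLS version of Application Gateways from the
``sslPolicy`` block that ``az network application-gateway show`` returns.
Illustrative code for this issue, not AGIC's own. The sample gateways are
constructed; the default-policy handling follows the issue's description."""

# Minimum protocol version of each predefined policy (Application Gateway SSL policy docs).
PREDEFINED_MIN_VERSION = {
    "AppGwSslPolicy20150501": "TLSv1_0",
    "AppGwSslPolicy20170401": "TLSv1_1",
    "AppGwSslPolicy20170401S": "TLSv1_2",
    "AppGwSslPolicy20220101": "TLSv1_2",
    "AppGwSslPolicy20220101S": "TLSv1_2",
}

# First ARM network API version whose default policy is AppGwSslPolicy20220101 (per the issue).
NEW_DEFAULT_API_VERSION = "2023-02-01"

VERSION_ORDER = ["TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3"]


def effective_min_version(ssl_policy, api_version=None):
    """Return (min_version, source) for one gateway's sslPolicy block.

    ssl_policy is the parsed ``sslPolicy`` object (None when the gateway has
    none, which is the case when AGIC never sets one); api_version is the ARM
    API version the gateway was last written with and is only used for the
    default case.
    """
    if not ssl_policy:
        if api_version is None:
            return None, "default policy (API version unknown)"
        # YYYY-MM-DD strings compare chronologically.
        if api_version >= NEW_DEFAULT_API_VERSION:
            return "TLSv1_2", "default AppGwSslPolicy20220101"
        return "TLSv1_0", "default AppGwSslPolicy20150501"

    policy_type = ssl_policy.get("policyType")
    if policy_type == "Predefined":
        name = ssl_policy.get("policyName")
        return PREDEFINED_MIN_VERSION.get(name), f"predefined {name}"
    if policy_type in ("Custom", "CustomV2"):
        return ssl_policy.get("minProtocolVersion"), policy_type

    # Legacy shape: no policyType, only a disabledSslProtocols list (TLS 1.0-1.2 only).
    disabled = set(ssl_policy.get("disabledSslProtocols") or [])
    for version in VERSION_ORDER[:3]:
        if version not in disabled:
            return version, "legacy disabledSslProtocols"
    return None, "legacy disabledSslProtocols"


def is_compliant(ssl_policy, api_version=None, required="TLSv1_2"):
    """True when the effective minimum version is at least ``required``."""
    version, _ = effective_min_version(ssl_policy, api_version)
    return version is not None and VERSION_ORDER.index(version) >= VERSION_ORDER.index(required)


def remediation_command(resource_group, gateway_name, policy="AppGwSslPolicy20220101"):
    """Azure CLI command that pins a predefined SSL policy on the gateway."""
    return (
        "az network application-gateway ssl-policy set "
        f"--resource-group {resource_group} --gateway-name {gateway_name} "
        f"--policy-type Predefined --name {policy}"
    )


def audit(gateways, api_version=None, required="TLSv1_2"):
    """Map gateway name -> finding for a dict of {name: show-output dict}."""
    findings = {}
    for name, gw in gateways.items():
        ssl_policy = gw.get("sslPolicy")
        version, source = effective_min_version(ssl_policy, api_version)
        findings[name] = {
            "min_version": version,
            "source": source,
            "compliant": is_compliant(ssl_policy, api_version, required),
        }
    return findings


# Constructed sample: trimmed `az network application-gateway show` outputs.
SAMPLE_GATEWAYS = {
    "agic-managed": {"name": "agic-managed", "sslPolicy": None},
    "pinned-2022": {"name": "pinned-2022",
                    "sslPolicy": {"policyType": "Predefined", "policyName": "AppGwSslPolicy20220101"}},
    "custom-weak": {"name": "custom-weak",
                    "sslPolicy": {"policyType": "Custom", "minProtocolVersion": "TLSv1_1",
                                  "cipherSuites": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]}},
    "legacy-shape": {"name": "legacy-shape",
                     "sslPolicy": {"disabledSslProtocols": ["TLSv1_0", "TLSv1_1"]}},
}

if __name__ == "__main__":
    import json
    # Assumed: AGIC's deprecated SDK writes the gateway with an API version older than 2023-02-01.
    report = audit(SAMPLE_GATEWAYS, api_version="2022-07-01")
    print(json.dumps(report, indent=2))
    for gateway, finding in report.items():
        if not finding["compliant"]:
            print(remediation_command("my-rg", gateway))
```

Because AGIC manages the gateway's configuration, re-run the audit after a reconciliation cycle to confirm that a policy pinned with the CLI command actually persists.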

In addition to the default here, the workaround of applying the annotation explicitly on the Ingress resource doesn't result in the SSL policy being applied by AGIC:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress-all
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
    appgw.ingress.kubernetes.io/ssl-policy: "AppGwSslPolicy20220101"
```

despite the annotation being visible in the portal.

ralph-tice avatar Jun 21 '24 17:06 ralph-tice

@palma21 @JackStromberg could you please check if this GitHub issue is actionable to the AKS product team ?

My concern is that Application Gateways created by AGIC have a Default TLS policy with the minimum protocol version set to TLS 1.0

thank you

zioproto avatar Oct 03 '24 19:10 zioproto

Acknowledging this ask, but don't have an ETA on when the behavior will change in AGIC.

If using Application Gateway for Containers, we enforce TLS 1.2 or greater making it a non-issue in that solution.

JackStromberg avatar Oct 04 '24 22:10 JackStromberg

@JackStromberg With the deprecation of TLS 1.0 and 1.1 in Azure Application Gateway, this issue needs to be fixed within the next 4 months, otherwise customers are going to be left in an unsupported state.

tongpu avatar Apr 17 '25 07:04 tongpu

@JackStromberg @sean-jeffrey do we have any ETA on this?

syed-farazahmed avatar Jul 19 '25 08:07 syed-farazahmed

According to this, it seems like the application gateway resource will define the default policy as AppGwSslPolicy20220101 regardless of the API version, assuming the API call doesn't specify any explicit policy.

It means we are good, doesn't it?

> With the deprecation of TLS 1.0 and 1.1, the older AppGwSslPolicy20150501 policy will be discontinued. So, AppGwSslPolicy20220101 will become the default policy for all V2 gateways.

assaf-grth avatar Aug 06 '25 07:08 assaf-grth