
New base config block for TLSCiphers in global extended ConfigMap does not work!

joebride opened this issue (status: Open)

Setup Details

- CIS Version: 2.10.0
- Build: f5networks/k8s-bigip-ctlr:latest
- BIGIP Version: Big IP 15.1.6.1
- AS3 Version: 3.34.0
- Agent Mode: AS3
- Orchestration: K8S/OSCP v4.9.33, Kubernetes v1.22.8+c02bd9d
- Pool Mode: Cluster
- Additional Setup details: NextGen Routes, CNI is Openshift SDN with networkPolicy.

Description

I use CIS for NextGen Routes with multiple VIPs (2x) and would like to let CIS set the cipher-group in the clientssl-profile. The tls-version and cipher-group arguments in CIS do not work! Using the new base config block for TLSCiphers in the global extended ConfigMap does not work either!

Steps To Reproduce

  1. Change CIS-mode to NextGen Routes.
  2. Configure global-CM with section baseRouteSpec
  3. Verify configuration on BIG-IP

Expected Result

```
ltm profile client-ssl DUMMY_tls_server-5- {
    [...]
    cipher-group /Common/CIPHER_GROUP_TLSV12_TLSV13_ECDHE_ECDSA_AESGCM
    ciphers none
}
```

Actual Result

```
ltm profile client-ssl DUMMY_tls_server-5- {
    [...]
    cipher-group none
    ciphers DEFAULT
}
```

Diagnostic Information


[CIS-cc-04_log.txt](https://github.com/F5Networks/k8s-bigip-ctlr/files/9568142/CIS-cc-04_log.txt)
[configmap-global-cm.txt](https://github.com/F5Networks/k8s-bigip-ctlr/files/9568156/configmap-global-cm.txt)
[deployment-otc-mgb-cc-04.txt](https://github.com/F5Networks/k8s-bigip-ctlr/files/9568161/deployment-otc-mgb-cc-04.txt)
[route-httpd-example.txt](https://github.com/F5Networks/k8s-bigip-ctlr/files/9568162/route-httpd-example.txt)

Observations (if any)

joebride avatar Sep 14 '22 16:09 joebride

Created [CONTCNTR-3602] for internal tracking.

trinaths avatar Sep 18 '22 08:09 trinaths

@joebride - Unable to reproduce this issue. Please share the configMap and Route spec to retry

trinaths avatar Sep 21 '22 06:09 trinaths

Hi @joebride, with tlsVersion 1.2, CIS will by default consider ciphers and ignore cipherGroup. With tlsVersion 1.3, CIS will consider cipherGroup and ignore ciphers. If the issue is with CIS not setting cipherGroup, can you please try by setting tlsVersion 1.3:

```yaml
tlsCipher:
  tlsVersion: 1.3
  ciphers: DEFAULT
  cipherGroup: /Common/f5-default
```

If the output is still not as expected, I request you to share the configMap and Route spec so we can retry.

charanm08 avatar Oct 03 '22 12:10 charanm08

Hi @charanm08, I tried your suggested modification of the global-CM, but it still does not work. I tried with "ciphers: DEFAULT" and "ciphers: none", but without success.

```
list ltm profile client-ssl ciphers cipher-group
```

```
ltm profile client-ssl VS01_TLS_EDGE_443_tls_server { cipher-group none ciphers DEFAULT }
ltm profile client-ssl VS01_TLS_EDGE_443_tls_server-1- { cipher-group none ciphers DEFAULT }
ltm profile client-ssl VS01_TLS_EDGE_443_tls_server-2- { cipher-group none ciphers DEFAULT }
ltm profile client-ssl VS01_TLS_EDGE_443_tls_server-3- { cipher-group none ciphers DEFAULT }
ltm profile client-ssl VS01_TLS_EDGE_443_tls_server-4- { cipher-group none ciphers DEFAULT }
ltm profile client-ssl VS02_TLS_REENCRYPT_443_tls_server { cipher-group none ciphers DEFAULT }
```

Uploading route-httpd-example.txt… configmap-global-cm_TLSv1.3.txt

joebride avatar Oct 05 '22 18:10 joebride

@charanm08: I hope the route spec (route-httpd-example.txt) is now uploaded correctly. route-httpd-example.txt

joebride avatar Oct 17 '22 17:10 joebride

Hi @joebride, it looks like baseRouteSpec is misconfigured. It should be part of extendedSpec, but in the example file you shared (configmap-global-cm_TLSv1.3.txt) it is not configured as part of extendedSpec.

Shared Config

```yaml
  baseRouteSpec: |
    tlsCipher:
      tlsVersion: 1.3
      ciphers: none
      cipherGroup: /Common/f5-default
  extendedSpec: |
    extendedRouteSpec:
    - namespace: f5test
      vserverAddr: 10.91.40.98
      vserverName: 'VS01-TLS-EDGE'
      waf: '/Common/RD_000_WAF_BASIC_GENERIC'
      allowOverride: false
    - namespace: juice
      vserverAddr: 10.91.40.146
      vserverName: 'VS02-TLS-REENCRYPT'
      waf: '/Common/RD_000_WAF_BASIC_GENERIC_LOG4J2'
      allowSourceRange:
       - 84.167.245.166/32
       - 198.19.0.0/16
      allowOverride: false
```

Expected Config

```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: global-spec-config
  namespace: kube-system
  labels:
    f5nr: 'true'
data:
  extendedSpec: |
    baseRouteSpec:
      tlsCipher:
        tlsVersion: 1.3
        ciphers: none
        cipherGroup: /Common/f5-default
    extendedRouteSpec:
    - namespace: foo
      vserverAddr: 10.91.40.98
      vserverName: 'VS01-TLS-EDGE'
      allowOverride: false
    - namespace: bar
      vserverAddr: 10.91.40.146
      vserverName: 'VS02-TLS-REENCRYPT'
      allowOverride: false
```

For reference, please refer to the example below.

baseRouteSpec tlsCipher Example

charanm08 avatar Nov 14 '22 19:11 charanm08
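As an added example (it is not code from the k8s-bigip-ctlr project or from anyone in this thread), the script below checks for the two things that went wrong here: whether baseRouteSpec is nested inside the extendedSpec block scalar rather than sitting beside it as its own data key (CIS silently ignores the sibling key), and whether the client-ssl profiles on the BIG-IP actually carry the cipher settings the ConfigMap should have produced. The tlsVersion rule (1.2 applies ciphers, 1.3 applies cipherGroup) is taken from the maintainer comment above; that BIG-IP reports cipher-group as "none" under the 1.2 branch, and the field order in the tmsh output, are assumptions. The ConfigMap data and the tmsh output are constructed from the snippets pasted in this thread, and the spec is read with regexes instead of a YAML library, which is enough for the flat layout shown here.

```python
"""Lint a CIS NextGen Routes global ConfigMap and compare BIG-IP client-ssl
profiles against it.  Added example; not part of k8s-bigip-ctlr."""
import re

# CONSTRUCTED sample: the mis-nested ConfigMap data from this thread
# (baseRouteSpec as its own data key instead of inside extendedSpec).
MISCONFIGURED_DATA = {
    "baseRouteSpec": (
        "tlsCipher:\n  tlsVersion: 1.3\n  ciphers: none\n"
        "  cipherGroup: /Common/f5-default\n"
    ),
    "extendedSpec": (
        "extendedRouteSpec:\n- namespace: f5test\n  vserverAddr: 10.91.40.98\n"
        "  vserverName: 'VS01-TLS-EDGE'\n  allowOverride: false\n"
    ),
}

# CONSTRUCTED sample: the corrected layout, baseRouteSpec inside extendedSpec.
CORRECTED_DATA = {
    "extendedSpec": (
        "baseRouteSpec:\n"
        "  tlsCipher:\n"
        "    tlsVersion: 1.3\n"
        "    ciphers: none\n"
        "    cipherGroup: /Common/f5-default\n"
        "extendedRouteSpec:\n"
        "- namespace: foo\n"
        "  vserverAddr: 10.91.40.98\n"
        "  vserverName: 'VS01-TLS-EDGE'\n"
        "  allowOverride: false\n"
    ),
}

# CONSTRUCTED sample of `tmsh list ltm profile client-ssl ciphers cipher-group`,
# shortened from the output pasted in this thread (profiles still on defaults).
TMSH_OUTPUT = (
    "ltm profile client-ssl VS01_TLS_EDGE_443_tls_server { cipher-group none ciphers DEFAULT } "
    "ltm profile client-ssl VS01_TLS_EDGE_443_tls_server-1- { cipher-group none ciphers DEFAULT } "
    "ltm profile client-ssl VS02_TLS_REENCRYPT_443_tls_server { cipher-group none ciphers DEFAULT }"
)

# Assumed tmsh layout: name, then cipher-group before ciphers (tmsh sorts
# property names, and the thread's output shows this order).
PROFILE_RE = re.compile(
    r"ltm profile client-ssl (\S+)\s*\{\s*cipher-group (\S+)\s+ciphers (\S+)\s*\}"
)


def lint_configmap_data(data):
    """Return the structural problems found in the ConfigMap's data section."""
    problems = []
    spec = data.get("extendedSpec")
    if spec is None:
        return ["data.extendedSpec is missing"]
    if "baseRouteSpec" in data:
        problems.append("data.baseRouteSpec is a sibling of extendedSpec; CIS ignores it")
    if not re.search(r"^baseRouteSpec:\s*$", spec, re.M):
        problems.append("extendedSpec has no top-level baseRouteSpec: block")
    return problems


def tls_cipher_from_spec(spec):
    """Pull tlsVersion/ciphers/cipherGroup out of the extendedSpec text.

    Regex-based on purpose (no YAML dependency); assumes the flat layout above.
    Returns {} when there is no tlsCipher block at all.
    """
    m = re.search(r"^\s*tlsCipher:\s*\n((?:^[ \t]+\S.*\n?)+)", spec, re.M)
    if not m:
        return {}
    found = {}
    for key in ("tlsVersion", "ciphers", "cipherGroup"):
        km = re.search(r"^\s*%s:\s*(\S+)" % key, m.group(1), re.M)
        if km:
            found[key] = km.group(1)
    return found


def expected_profile_settings(tls_cipher):
    """What the client-ssl profile should show, per the maintainer's rule:
    tlsVersion 1.3 -> cipherGroup wins, ciphers becomes none;
    otherwise      -> ciphers wins, cipher-group stays none (assumed)."""
    if str(tls_cipher.get("tlsVersion", "")) == "1.3":
        return {"cipher-group": tls_cipher.get("cipherGroup", "none"), "ciphers": "none"}
    return {"cipher-group": "none", "ciphers": tls_cipher.get("ciphers", "DEFAULT")}


def parse_client_ssl_profiles(text):
    """Map profile name -> {'cipher-group': ..., 'ciphers': ...} from tmsh output."""
    return {name: {"cipher-group": grp, "ciphers": ciph}
            for name, grp, ciph in PROFILE_RE.findall(text)}


def profiles_not_matching(tmsh_text, expected, name_filter="_tls_server"):
    """Names of CIS-generated profiles whose cipher settings differ from `expected`."""
    return sorted(name for name, got in parse_client_ssl_profiles(tmsh_text).items()
                  if name_filter in name and got != expected)


if __name__ == "__main__":
    for label, data in (("shared", MISCONFIGURED_DATA), ("expected", CORRECTED_DATA)):
        print(label, "config:", lint_configmap_data(data) or "ok")
    want = expected_profile_settings(tls_cipher_from_spec(CORRECTED_DATA["extendedSpec"]))
    print("profile settings CIS should push:", want)
    print("profiles still on defaults:", profiles_not_matching(TMSH_OUTPUT, want))
```

To use it against a live setup, feed `kubectl get cm global-spec-config -n kube-system -o json` into the data dict and paste the tmsh listing into `TMSH_OUTPUT`; a non-empty list from `profiles_not_matching` after CIS has reconciled means the ConfigMap change never reached the BIG-IP, which in this thread was the nesting problem rather than a CIS bug.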

@joebride Any update on this issue?

trinaths avatar Nov 16 '22 05:11 trinaths

Hi @charanm08, @trinaths! I tested it successfully with the ConfigMap you provided. Many thanks!

joebride avatar Nov 21 '22 19:11 joebride