
Support for setting tls-min-version and tls-cipher-suites in kubelet_config #19280

Closed
1 task done
hobti01 opened this issue Nov 14, 2022 · 5 comments
Labels
enhancement sdk/not-yet-supported Support for this does not exist in the upstream SDK at this time service/kubernetes-cluster upstream/microsoft/needs-support-on-azure-api This label is applicable when support for a feature is not currently available on the Azure API.

Comments

@hobti01

hobti01 commented Nov 14, 2022

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

kubelet_config in azurerm_kubernetes_cluster.default_node_pool and azurerm_kubernetes_cluster_node_pool does not allow setting the kubelet arguments tls-min-version or tls-cipher-suites. This prevents configuring the kubelet for secure TLS versions, i.e. TLS 1.2 or higher.

These arguments and allowed values are described here https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/

New or Affected Resource(s)/Data Source(s)

azurerm_kubernetes_cluster, azurerm_kubernetes_cluster_node_pool

Potential Terraform Configuration

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_kubernetes_cluster" "example" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"

    kubelet_config {
      tls_min_version = "VersionTLS12"
      tls_cipher_suites = [
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
      ]
    }
  }
}

resource "azurerm_kubernetes_cluster_node_pool" "example" {
  name                  = "internal"
  kubernetes_cluster_id = azurerm_kubernetes_cluster.example.id
  vm_size               = "Standard_DS2_v2"
  node_count            = 1

  kubelet_config {
    tls_min_version = "VersionTLS12"
    tls_cipher_suites = [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
    ]
  }
}

References

#11119 provided a limited set of kubelet arguments, but not these TLS related arguments.
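As an added example (not code from this issue, the provider, or the kubelet), the check below resolves a proposed tls_min_version and tls_cipher_suites list the way the kubelet's own flag parser does: suite names come from Go's crypto/tls, the two legacy CHACHA20 spellings used in the configuration above are still accepted, and anything Go lists as insecure or does not know is rejected. The TLS 1.2 floor is this example's policy, not a kubelet rule.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// ParseKubeletTLS resolves a tls-min-version name and a tls-cipher-suites list
// into the crypto/tls values the kubelet would end up using. It rejects suite
// names Go does not know, suites Go lists as insecure, and (as this example's
// policy) any minimum version below TLS 1.2.
func ParseKubeletTLS(minVersion string, suites []string) (*tls.Config, error) {
	minVer, ok := map[string]uint16{"VersionTLS12": tls.VersionTLS12, "VersionTLS13": tls.VersionTLS13}[minVersion]
	if !ok { // kubelet also accepts VersionTLS10/VersionTLS11, but they fall below the floor
		return nil, fmt.Errorf("tls-min-version %q is unknown or below TLS 1.2", minVersion)
	}
	secure := map[string]uint16{ // legacy spellings the kubelet maps to the _SHA256 suites
		"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305":   tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
	}
	for _, s := range tls.CipherSuites() {
		secure[s.Name] = s.ID
	}
	insecure := map[string]bool{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.Name] = true
	}
	var ids []uint16
	for _, name := range suites {
		if insecure[name] {
			return nil, fmt.Errorf("cipher suite %s is insecure", name)
		}
		id, ok := secure[name]
		if !ok {
			return nil, fmt.Errorf("unknown cipher suite %q", name)
		}
		ids = append(ids, id)
	}
	return &tls.Config{MinVersion: minVer, CipherSuites: ids}, nil
}

func main() {
	// Constructed input: an RC4 suite is in Go's insecure list and must be refused.
	_, err := ParseKubeletTLS("VersionTLS12", []string{"TLS_RSA_WITH_RC4_128_SHA"})
	fmt.Println(err)
}
```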

@aristosvo
Collaborator

@hobti01 Thanks for opening this issue.

Can you point me to the docs describing the functionality being available for AKS? Based on these docs it seems this is not supported (yet).

@hobti01
Author

hobti01 commented Nov 14, 2022

Ah, you are certainly right; it does not look to be supported yet. I have opened Azure/AKS#3334 to request this.

@aristosvo aristosvo added the upstream/microsoft Indicates that there's an upstream issue blocking this issue/PR label Nov 15, 2022
@stephybun stephybun added the sdk/not-yet-supported Support for this does not exist in the upstream SDK at this time label Mar 2, 2023
@thiagoescobar

Any updates on this issue or roadmap for this to be implemented?

@rcskosir rcskosir added upstream/microsoft/needs-support-on-azure-api This label is applicable when support for a feature is not currently available on the Azure API. and removed upstream/microsoft Indicates that there's an upstream issue blocking this issue/PR labels Mar 6, 2024
@rcskosir
Contributor

rcskosir commented Mar 6, 2024

Thanks for taking the time to open this issue. It looks like the behavior you requested is not supported by the underlying Azure API so I am going to label this issue as such and close it for now. The upstream request can be tracked here: Azure/AKS#3334
When it gets added, we can reopen this request or you can create a new one.

@rcskosir rcskosir closed this as not planned Won't fix, can't repro, duplicate, stale Mar 6, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 20, 2024
Development

No branches or pull requests

5 participants