Run tls-scanner against pre-defined central TLS configurations #30

Description

@jzding

The tls-scanner scans ports and compares the local TLS configuration with the central TLS configurations. However, if the central TLS configuration is not set, or differs in each run, the scanning results can differ and are hard to compare and interpret.

For example, for the API Server configuration, the deploy.sh script can apply a Modern type profile, run the scanner, then apply a Custom profile, run the scanner again, then restore the original APIServer. The profiles could also be passed with an option like `./deploy.sh --profile modern,custom`.

Modern type profile:

```yaml
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster
spec:
  tlsSecurityProfile:
    type: Modern   # profile type names are capitalised: Old, Intermediate, Modern, Custom
```

Custom type profile from OCP doc:
https://docs.redhat.com/en/documentation/openshift_container_platform/4.21/html/security_and_compliance/tls-security-profiles#tls-profiles-kubernetes-configuring_tls-security-profiles

```yaml
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster
spec:
  tlsSecurityProfile:
    type: Custom
    custom:
      ciphers:
      - ECDHE-ECDSA-CHACHA20-POLY1305
      - ECDHE-RSA-CHACHA20-POLY1305
      - ECDHE-RSA-AES128-GCM-SHA256
      - ECDHE-ECDSA-AES128-GCM-SHA256
      minTLSVersion: VersionTLS11
```
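One way to script the profile sweep the description asks for, as an added example that is not the project's deploy.sh. It assumes `oc` is logged in with cluster-admin and that `SCANNER` points at the tls-scanner command (both are placeholders); the Custom body is the OCP docs example quoted above.

```shell
#!/bin/sh
# Added example (not the project's deploy.sh): scan once per TLS profile,
# then restore whatever the APIServer had before. OC and SCANNER are
# placeholders for the real commands.
set -eu
OC="${OC:-oc}"
SCANNER="${SCANNER:-./tls-scanner}"
OUT_DIR="${OUT_DIR:-.}"
SAVED_PROFILE=""

# JSON merge patch for one name from "--profile modern,custom".
# Unknown names fail loudly rather than patching an empty spec.
profile_patch() {
  case "$1" in
    modern) printf '%s' '{"spec":{"tlsSecurityProfile":{"type":"Modern"}}}' ;;
    custom) printf '%s' '{"spec":{"tlsSecurityProfile":{"type":"Custom","custom":{"ciphers":["ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256"],"minTLSVersion":"VersionTLS11"}}}}' ;;
    *) echo "unknown profile: $1" >&2; return 1 ;;
  esac
}

# Snapshot the live profile before touching it (jsonpath prints the map as
# JSON). An empty snapshot means the field was unset; restoring it as null
# removes the field again instead of leaving the last test profile behind.
save_profile() {
  SAVED_PROFILE="$("$OC" get apiserver cluster -o jsonpath='{.spec.tlsSecurityProfile}')"
}
restore_profile() {
  "$OC" patch apiserver cluster --type=merge \
    -p "{\"spec\":{\"tlsSecurityProfile\":${SAVED_PROFILE:-null}}}"
}

# Apply each profile in turn and keep one scanner report per profile. The
# restore runs from an EXIT trap so a failed scan still restores. The
# kube-apiserver rolls out new pods after each patch; a rollout wait belongs
# before the scan and is not modelled here.
scan_profiles() {
  save_profile
  trap restore_profile EXIT
  old_ifs="$IFS"; IFS=,; set -- $1; IFS="$old_ifs"
  for p in "$@"; do
    patch="$(profile_patch "$p")"
    "$OC" patch apiserver cluster --type=merge -p "$patch"
    "$SCANNER" > "$OUT_DIR/scan-$p.txt"
  done
}

case "${1:-}" in
  --profile) scan_profiles "$2" ;;
esac
```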

Labels: lifecycle/stale