The tls-scanner scans ports and compares the local TLS configuration with the central TLS configuration. However, if the central TLS configuration is not set, or differs from one run to the next, the scan results vary between runs and are hard to compare and interpret.
For example, for the API Server configuration, the deploy.sh script can apply a Modern profile, run the scanner, then apply a Custom profile, run the scanner again, and finally restore the original APIServer resource. The profiles to cycle through could also be passed as an option, e.g. ./deploy.sh --profile modern,custom
Modern type profile (the type value is capitalized in the APIServer API: Old, Intermediate, Modern or Custom):
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster
spec:
  tlsSecurityProfile:
    type: Modern
Custom type profile from the OCP doc (note that this example allows TLS 1.1 and a TLS 1.2 cipher list, whereas Modern requires TLS 1.3, so the two scan runs are expected to differ):
https://docs.redhat.com/en/documentation/openshift_container_platform/4.21/html/security_and_compliance/tls-security-profiles#tls-profiles-kubernetes-configuring_tls-security-profiles
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster
spec:
  tlsSecurityProfile:
    type: Custom
    custom:
      ciphers:
      - ECDHE-ECDSA-CHACHA20-POLY1305
      - ECDHE-RSA-CHACHA20-POLY1305
      - ECDHE-RSA-AES128-GCM-SHA256
      - ECDHE-ECDSA-AES128-GCM-SHA256
      minTLSVersion: VersionTLS11
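The apply / scan / apply / scan / restore flow described above, as an added bash sketch that is not the project's deploy.sh. It maps the profile names modern and custom to the two manifests above, records what spec.tlsSecurityProfile held before the run (including the "nothing set" case, which is exactly what makes results hard to compare), and restores it even if a scan fails. Assumptions not taken from the page: oc is on PATH with cluster-admin, the scanner binary path and the fact that it needs no arguments, and the kube-apiserver operator's NodeInstallerProgressing condition as the "rollout finished" signal.

```bash
#!/usr/bin/env bash
# Added example, not the project's deploy.sh: apply each requested
# APIServer tlsSecurityProfile in turn, run the scanner after every
# rollout, then put back whatever the cluster had before.
# Assumed, not from the page: oc on PATH with cluster-admin, a scanner
# binary that needs no arguments, and the kube-apiserver operator's
# NodeInstallerProgressing condition as the "rollout finished" signal.
set -eu

OC=${OC:-oc}
SCANNER=${SCANNER:-./tls-scanner}      # assumed path to the tls-scanner binary
SETTLE_SECONDS=${SETTLE_SECONDS:-15}   # let the operator observe the spec change
POLL_SECONDS=${POLL_SECONDS:-30}
MAX_POLLS=${MAX_POLLS:-40}             # ~20 min; kube-apiserver revisions roll node by node
SAVED_PROFILE=""

# "modern,custom" -> one profile name per line
parse_profiles() { printf '%s\n' "$1" | tr ',' '\n'; }

# JSON for spec.tlsSecurityProfile; the custom body is the OCP doc example
# quoted above (TLS 1.1 minimum, four TLS 1.2 ciphers).
profile_value() {
  case "$1" in
    modern) printf '%s' '{"type":"Modern","modern":{}}' ;;
    custom) printf '%s' '{"type":"Custom","custom":{"ciphers":["ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256"],"minTLSVersion":"VersionTLS11"}}' ;;
    *) echo "unknown profile: $1" >&2; return 1 ;;
  esac
}

# Whole-object replace (JSON patch "add" on an existing member replaces it),
# so a leftover custom: block never survives a switch to another type.
set_profile_json() {
  "$OC" patch apiserver cluster --type json \
    -p "[{\"op\":\"add\",\"path\":\"/spec/tlsSecurityProfile\",\"value\":$1}]"
}

# Empty output means no central profile is configured (cluster default applies)
current_profile() {
  "$OC" get apiserver cluster -o jsonpath='{.spec.tlsSecurityProfile}'
}

restore_profile() {
  if [ -z "$SAVED_PROFILE" ]; then
    # Nothing was set before: drop the field instead of leaving our last profile behind
    "$OC" patch apiserver cluster --type json \
      -p '[{"op":"remove","path":"/spec/tlsSecurityProfile"}]'
  else
    set_profile_json "$SAVED_PROFILE"
  fi
}

rollout_done() {
  [ "$("$OC" get kubeapiserver cluster \
      -o jsonpath='{.status.conditions[?(@.type=="NodeInstallerProgressing")].status}')" = "False" ]
}

wait_for_rollout() {
  local tries=0
  sleep "$SETTLE_SECONDS"
  until rollout_done; do
    tries=$((tries + 1))
    [ "$tries" -lt "$MAX_POLLS" ] || { echo "kube-apiserver rollout did not finish" >&2; return 1; }
    sleep "$POLL_SECONDS"
  done
}

run_profiles() {
  local profile
  for profile in $(parse_profiles "$1"); do profile_value "$profile" >/dev/null; done  # fail before touching the cluster
  SAVED_PROFILE=$(current_profile)
  trap restore_profile EXIT              # restore even if a scan or rollout fails
  for profile in $(parse_profiles "$1"); do
    set_profile_json "$(profile_value "$profile")"
    wait_for_rollout                     # scanning before the new revision is live compares the old config
    echo "== scanning with tlsSecurityProfile '$profile'"
    "$SCANNER"
  done
  restore_profile
  trap - EXIT
}

main() {
  [ "${1:-}" = "--profile" ] && [ -n "${2:-}" ] || { echo "usage: $0 --profile modern,custom" >&2; return 2; }
  run_profiles "$2"
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Usage: ./deploy.sh --profile modern,custom. Two details matter for comparable results: the scan only runs after the kube-apiserver operator reports that the new revision has rolled out to every node, and the restore step distinguishes "a profile was set" (reinstalled verbatim) from "no profile was set" (the field is removed), so the cluster ends in the same state it started in.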