Securing MicroK8S
These notes apply to version v1.26.6 of MicroK8S.
See:
To list the TLS ciphers offered on a port (here the API server on 16443; substitute your node's address for 192.168.1.97):

```
sudo snap install nmap
nmap --script ssl-enum-ciphers -p 16443 192.168.1.97
```
Ports

| Port  | Usage                   | Notes                                                              |
|-------|-------------------------|--------------------------------------------------------------------|
| 16443 | api server              |                                                                    |
| 10259 | kube-scheduler          |                                                                    |
| 10257 | kube-controller-manager |                                                                    |
| 10250 | kubelet                 |                                                                    |
| 25000 | cluster-agent           | Cipher suites cannot be set; only the minimum TLS version (see below) |
Update Configuration

Edit each of:

```
/var/snap/microk8s/current/args/kube-apiserver
/var/snap/microk8s/current/args/kube-scheduler
/var/snap/microk8s/current/args/kube-controller-manager
/var/snap/microk8s/current/args/kubelet
```

and add these two lines to each file:

```
--tls-min-version=VersionTLS12
--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
```
You cannot set the cipher suites for cluster-agent directly. Either turn it off (`microk8s disable ha-cluster`) or edit

```
/var/snap/microk8s/current/args/cluster-agent
```

and add:

```
--min-tls-version=tls13
```
Restart MicroK8S

Run:

```
sudo snap restart microk8s
```
You can then re-check the ciphers offered on each port with nmap, as described above.
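The whole procedure above as one script, added here as an example and not part of the MicroK8s project: it writes the flags into each args file idempotently (re-running never duplicates a line, and an existing `--tls-min-version=` is replaced rather than appended), then restarts the snap. It assumes the args-file layout MicroK8s uses, one `--flag=value` per line; the `--apply` switch and the function names are mine.

```shell
#!/usr/bin/env sh
# Added example, not from the MicroK8s project: apply the TLS flags above to the
# MicroK8s args files idempotently. Assumes one "--flag=value" per line.
set -eu

ARGS_DIR="/var/snap/microk8s/current/args"
MIN_TLS="VersionTLS12"
# Suite list as given on the page. Editorial note: the TLS_RSA_* entries give no
# forward secrecy, so trim the list to the ECDHE suites if your clients allow it.
CIPHERS="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"

# set_arg FILE FLAG VALUE: replace any existing "--FLAG=..." line, else append one.
set_arg() {
  file="$1"; flag="$2"; value="$3"
  tmp="$(mktemp)"
  {
    # Keep every line except an existing setting of this flag
    # (grep exits 1 when no line survives, which is fine here).
    if [ -f "$file" ]; then grep -v -- "^--${flag}=" "$file" || true; fi
    printf -- '--%s=%s\n' "$flag" "$value"
  } > "$tmp"
  # Write through cat so the file keeps its owner and mode.
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# get_arg FILE FLAG: print the value currently set for FLAG (empty if unset).
get_arg() {
  sed -n "s|^--${2}=||p" "$1"
}

# harden_component FILE: the two flags the page adds to each control-plane component.
harden_component() {
  set_arg "$1" tls-min-version "$MIN_TLS"
  set_arg "$1" tls-cipher-suites "$CIPHERS"
}

# harden_all: the four components, then cluster-agent (minimum version only), then restart.
harden_all() {
  for c in kube-apiserver kube-scheduler kube-controller-manager kubelet; do
    harden_component "$ARGS_DIR/$c"
  done
  set_arg "$ARGS_DIR/cluster-agent" min-tls-version tls13
  snap restart microk8s
}

# Only touch the live files when explicitly asked: sudo sh harden.sh --apply
if [ "${1:-}" = "--apply" ]; then
  harden_all
fi
```

After the restart, run the nmap check from the top of the page against each port to confirm the offered suites changed.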