diff --git a/jsonnet/kube-prometheus/kube-prometheus.libsonnet b/jsonnet/kube-prometheus/kube-prometheus.libsonnet index 4ff183714adb3425ba0aebc79802f5571d3aafb1..7dae5f38bd0587b5472f6aef8a4ec9e85aeaedf2 100644 --- a/jsonnet/kube-prometheus/kube-prometheus.libsonnet +++ b/jsonnet/kube-prometheus/kube-prometheus.libsonnet @@ -42,6 +42,31 @@ local configMapList = k.core.v1.configMapList; _config+:: { namespace: 'default', + tlsCipherSuites: [ + // 'TLS_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566 + // 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661 + 'TLS_RSA_WITH_AES_128_CBC_SHA', + 'TLS_RSA_WITH_AES_256_CBC_SHA', + 'TLS_RSA_WITH_AES_128_CBC_SHA256', + 'TLS_RSA_WITH_AES_128_GCM_SHA256', + 'TLS_RSA_WITH_AES_256_GCM_SHA384', + // 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566 + 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', + 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', + // 'TLS_ECDHE_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566 + // 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661 + 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', + 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', + 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', + 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', + 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', + 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', + 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', + 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', + 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305', + 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305', + ], + cadvisorSelector: 'job="kubelet"', kubeletSelector: 'job="kubelet"', kubeStateMetricsSelector: 'job="kube-state-metrics"', 
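Review bot: The new `tlsCipherSuites` default still enables the static-RSA key-exchange suites (`TLS_RSA_WITH_*`, no forward secrecy) and the CBC-HMAC suites, and lists them ahead of the ECDHE AEAD entries, so if kube-rbac-proxy honours list order a client that offers one of them is steered to the weaker choice. The expected clients of these proxy ports are presumably Prometheus scrapes over Go's TLS stack, which negotiate ECDHE with AES-GCM or CHACHA20 without trouble, so the default could be narrowed to the `TLS_ECDHE_*_GCM_*` and `*_CHACHA20_POLY1305` entries, or at minimum the reason for keeping RSA/CBC should be recorded next to the list, e.g. `// RSA key exchange and CBC suites kept only for legacy scrapers; drop once none remain`. The same list is repeated verbatim in kube-state-metrics.libsonnet (next hunk); if that component's `_config` is merged under this one, as the `_config+::` pattern suggests, a single default avoids the two copies drifting. A cipher-suite allow-list only constrains TLS 1.2 and earlier handshakes, so a minimum-version setting belongs alongside it if the pinned kube-rbac-proxy exposes one.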
diff --git a/jsonnet/kube-prometheus/kube-state-metrics/kube-state-metrics.libsonnet b/jsonnet/kube-prometheus/kube-state-metrics/kube-state-metrics.libsonnet index 21600af1409834d4d1f75e531330178419a82eb1..4a9ee58f8b95e0600ed5e71c36f4870293b80931 100644 --- a/jsonnet/kube-prometheus/kube-state-metrics/kube-state-metrics.libsonnet +++ b/jsonnet/kube-prometheus/kube-state-metrics/kube-state-metrics.libsonnet @@ -4,6 +4,31 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet'; _config+:: { namespace: 'default', + tlsCipherSuites: [ + // 'TLS_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566 + // 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661 + 'TLS_RSA_WITH_AES_128_CBC_SHA', + 'TLS_RSA_WITH_AES_256_CBC_SHA', + 'TLS_RSA_WITH_AES_128_CBC_SHA256', + 'TLS_RSA_WITH_AES_128_GCM_SHA256', + 'TLS_RSA_WITH_AES_256_GCM_SHA384', + // 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566 + 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', + 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', + // 'TLS_ECDHE_RSA_WITH_RC4_128_SHA', // insecure: https://access.redhat.com/security/cve/cve-2013-2566 + // 'TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA', // insecure: https://access.redhat.com/articles/2548661 + 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', + 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', + 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', + 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', + 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', + 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', + 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', + 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', + 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305', + 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305', + ], + kubeStateMetrics+:: { collectors: '', // empty string gets a default set scrapeInterval: '30s', 
@@ -110,11 +135,11 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet'; rulesType.withVerbs(['create']); local policyRule = rulesType.new() + - rulesType.withApiGroups(['policy']) + - rulesType.withResources([ - 'poddisruptionbudgets', - ]) + - rulesType.withVerbs(['list', 'watch']); + rulesType.withApiGroups(['policy']) + + rulesType.withResources([ + 'poddisruptionbudgets', + ]) + + rulesType.withVerbs(['list', 'watch']); local rules = [coreRule, extensionsRule, appsRule, batchRule, autoscalingRule, authenticationRole, authorizationRole, policyRule];
@@ -135,6 +160,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
 container.new('kube-rbac-proxy-main', $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy) +
 container.withArgs([
 '--secure-listen-address=:8443',
+ '--tls-cipher-suites=' + std.join(',', $._config.tlsCipherSuites),
 '--upstream=http://127.0.0.1:8081/',
 ]) +
 container.withPorts(containerPort.newNamed('https-main', 8443)) +
@@ -145,6 +171,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
 container.new('kube-rbac-proxy-self', $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy) +
 container.withArgs([
 '--secure-listen-address=:9443',
+ '--tls-cipher-suites=' + std.join(',', $._config.tlsCipherSuites),
 '--upstream=http://127.0.0.1:8082/',
 ]) +
 container.withPorts(containerPort.newNamed('https-self', 9443)) +
diff --git a/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet b/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
index ee0c3e996e930b67f4b8ce04fdc075ae65ed6fe0..7030d2f9073c1d2ec425b005cd1f817c9df52b64 100644
--- a/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/node-exporter/node-exporter.libsonnet
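Review bot: `--tls-cipher-suites` is emitted unconditionally in the `kube-rbac-proxy-main` args, so an operator who overrides `tlsCipherSuites: []` produces `--tls-cipher-suites=` with an empty value, and whether kube-rbac-proxy reads that as "use its defaults" or rejects it cannot be seen from here; building the arg list with `(if std.length($._config.tlsCipherSuites) > 0 then ['--tls-cipher-suites=' + std.join(',', $._config.tlsCipherSuites)] else [])` keeps the empty-list case unambiguous. The flag also presupposes a kube-rbac-proxy release that understands it, and the hunk leaves `$._config.versions.kubeRbacProxy` untouched, so the pinned image should be confirmed against the flag or the container may refuse to start. The same line is added for `kube-rbac-proxy-self` in the following hunk and for node-exporter in node-exporter.libsonnet, so whichever form is chosen should be applied to all three. The `local` container definitions these args belong to start and end outside the hunks.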
@@ -107,6 +107,7 @@ local k = import 'ksonnet/ksonnet.beta.3/k.libsonnet';
 container.new('kube-rbac-proxy', $._config.imageRepos.kubeRbacProxy + ':' + $._config.versions.kubeRbacProxy) +
 container.withArgs([
 '--secure-listen-address=$(IP):' + $._config.nodeExporter.port,
+ '--tls-cipher-suites=' + std.join(',', $._config.tlsCipherSuites),
 '--upstream=http://127.0.0.1:' + $._config.nodeExporter.port + '/',
 ]) +
 // Keep `hostPort` here, rather than in the node-exporter container