9.2. Viewing details for TLS security profiles

You can view the minimum TLS version and ciphers for the predefined TLS security profiles for each of the following components: the Ingress Controller, the control plane, and the kubelet.

Important

The effective configuration of the minimum TLS version and the list of ciphers for a profile might differ between components.

Procedure

  • View details for a specific TLS security profile:

    $ oc explain <component>.spec.tlsSecurityProfile.<profile> 1
    1
    For <component>, specify ingresscontroller, apiserver, or kubeletconfig. For <profile>, specify old, intermediate, or custom.

    For example, to check the ciphers included in the intermediate profile for the control plane:

    $ oc explain apiserver.spec.tlsSecurityProfile.intermediate

    Example output

    KIND:     APIServer
    VERSION:  config.openshift.io/v1
    
    DESCRIPTION:
        intermediate is a TLS security profile based on:
        https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
        and looks like this (yaml):
        ciphers: - TLS_AES_128_GCM_SHA256 - TLS_AES_256_GCM_SHA384 -
        TLS_CHACHA20_POLY1305_SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 -
        ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES256-GCM-SHA384 -
        ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 -
        ECDHE-RSA-CHACHA20-POLY1305 - DHE-RSA-AES128-GCM-SHA256 -
        DHE-RSA-AES256-GCM-SHA384 minTLSVersion: TLSv1.2

  • View all details for the tlsSecurityProfile field of a component:

    $ oc explain <component>.spec.tlsSecurityProfile 1
    1
    For <component>, specify ingresscontroller, apiserver, or kubeletconfig.

    For example, to check all details of the tlsSecurityProfile field for the Ingress Controller:

    $ oc explain ingresscontroller.spec.tlsSecurityProfile

    Example output

    KIND:     IngressController
    VERSION:  operator.openshift.io/v1
    
    RESOURCE: tlsSecurityProfile <Object>
    
    DESCRIPTION:
         ...
    
    FIELDS:
       custom	<>
         custom is a user-defined TLS security profile. Be extremely careful using a
         custom profile as invalid configurations can be catastrophic. An example
         custom profile looks like this:
         ciphers: - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 -
         ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 minTLSVersion:
         TLSv1.1
    
       intermediate	<>
         intermediate is a TLS security profile based on:
         https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
         and looks like this (yaml):
         ... 1
    
       modern	<>
         modern is a TLS security profile based on:
         https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility and
         looks like this (yaml):
         ... 2
         NOTE: Currently unsupported.
    
       old	<>
         old is a TLS security profile based on:
         https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
         and looks like this (yaml):
         ... 3
    
       type	<string>
         ...

    1
    Lists the ciphers and minimum TLS version for the intermediate profile.
    2
    Lists the ciphers and minimum TLS version for the modern profile.
    3
    Lists the ciphers and minimum TLS version for the old profile.
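The `oc explain` output above wraps the profile's YAML into free text, which is awkward to audit across three components by eye. The following script is an added example and is not part of the OpenShift documentation or the `oc` tool: it parses saved `oc explain ... tlsSecurityProfile.<profile>` output, extracts minTLSVersion and the cipher list, and flags a minimum below TLSv1.2 or any non-AEAD cipher. The function names (flatten, min_tls_version, ciphers, cipher_count, non_aead_ciphers, check_min_tls, audit) are my own; the two sample texts are constructed from the intermediate and custom profile text shown on this page. On a cluster you would pipe the live `oc explain` output into the same functions.

```shell
#!/bin/sh
# Added example, not from the OpenShift docs: audit the profile text that
# `oc explain <component>.spec.tlsSecurityProfile.<profile>` prints.
# All functions read the saved oc explain output from stdin, so this runs offline.

# Constructed sample: the intermediate profile output shown on the page.
SAMPLE_INTERMEDIATE='KIND:     APIServer
VERSION:  config.openshift.io/v1

DESCRIPTION:
    intermediate is a TLS security profile based on:
    https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
    and looks like this (yaml):
    ciphers: - TLS_AES_128_GCM_SHA256 - TLS_AES_256_GCM_SHA384 -
    TLS_CHACHA20_POLY1305_SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 -
    ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES256-GCM-SHA384 -
    ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-CHACHA20-POLY1305 -
    ECDHE-RSA-CHACHA20-POLY1305 - DHE-RSA-AES128-GCM-SHA256 -
    DHE-RSA-AES256-GCM-SHA384 minTLSVersion: TLSv1.2'

# Constructed sample: the custom profile description from the page, whose
# minimum is TLSv1.1 and so should be flagged by the check below.
SAMPLE_CUSTOM='custom is a user-defined TLS security profile. Be extremely careful using a
custom profile as invalid configurations can be catastrophic. An example
custom profile looks like this:
ciphers: - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305 -
ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 minTLSVersion:
TLSv1.1'

# Join the line-wrapped description into a single line so that the
# "ciphers:" and "minTLSVersion:" key/value pairs can be matched.
flatten() {
  tr '\n\t' '  ' | tr -s ' '
}

# Print the minTLSVersion value (for example TLSv1.2) from the output on stdin.
min_tls_version() {
  flatten | sed -n 's/.*minTLSVersion: *\(TLSv1\.[0-9]\).*/\1/p'
}

# Print one cipher per line from the "ciphers: - A - B ..." list on stdin.
# Cipher names themselves contain "-", so the split is on " - " with spaces.
ciphers() {
  flatten \
    | sed -n 's/.*ciphers: *- *\(.*\) minTLSVersion:.*/\1/p' \
    | awk '{ n = split($0, c, / - /); for (i = 1; i <= n; i++) if (c[i] != "") print c[i] }'
}

# Print the number of ciphers in the profile on stdin.
cipher_count() {
  ciphers | wc -l | tr -d ' '
}

# Print any cipher that is not an AEAD suite (GCM, CCM or ChaCha20-Poly1305);
# the CBC-mode suites of the old profile would show up here.
non_aead_ciphers() {
  ciphers | grep -v -E 'GCM|CCM|CHACHA20'
}

# Exit 0 when the profile's minimum is TLSv1.2 or higher, 1 otherwise.
check_min_tls() {
  case "$(min_tls_version)" in
    TLSv1.2|TLSv1.3) return 0 ;;
    *) return 1 ;;
  esac
}

# Print a one-line summary for the output on stdin and warn on weak settings.
audit() {
  text=$(cat)
  printf '%s: minTLSVersion=%s ciphers=%s\n' "$1" \
    "$(printf '%s\n' "$text" | min_tls_version)" \
    "$(printf '%s\n' "$text" | cipher_count)"
  printf '%s\n' "$text" | check_min_tls || echo "  WARNING: minimum TLS version is below TLSv1.2"
  weak=$(printf '%s\n' "$text" | non_aead_ciphers)
  [ -z "$weak" ] || printf '  WARNING: non-AEAD ciphers present:\n%s\n' "$weak"
}

# Stand-alone run over the two constructed samples.
printf '%s\n' "$SAMPLE_INTERMEDIATE" | audit intermediate
printf '%s\n' "$SAMPLE_CUSTOM" | audit custom
```

Because the Important note says the effective configuration can differ per component, run the same audit once per component (`oc explain apiserver...`, `oc explain ingresscontroller...`, `oc explain kubeletconfig...`) rather than assuming one profile's list applies everywhere.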