Merge pull request #135 from clobrano/sdl/set-tls-minversion/0

Explicitly set MinVersion of TLS
medik8s · Aug 1, 2023 · 044ff33 · 044ff33
2 parents 1fc3f14 + 968cd10
commit 044ff33
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/pkg/certificates/credentials.go b/pkg/certificates/credentials.go
@@ -8,6 +8,8 @@ import (
 	"google.golang.org/grpc/credentials"
 )
 
+const TLSMinVersion = tls.VersionTLS13
+
 func GetServerCredentialsFromCerts(certReader CertStorageReader) (credentials.TransportCredentials, error) {
 
 	keyPair, pool, err := prepareCredentials(certReader)
@@ -19,6 +21,7 @@ func GetServerCredentialsFromCerts(certReader CertStorageReader) (credentials.Tr
 		Certificates: []tls.Certificate{*keyPair},
 		ClientAuth:   tls.RequireAndVerifyClientCert,
 		ClientCAs:    pool,
+		MinVersion:   TLSMinVersion,
 	}), nil
 }
 
@@ -33,6 +36,7 @@ func GetClientCredentialsFromCerts(certReader CertStorageReader) (credentials.Tr
 		Certificates: []tls.Certificate{*keyPair},
 		RootCAs:      pool,
 		ServerName:   fixedCertIP.String(),
+		MinVersion:   TLSMinVersion,
 	}), nil
 }
 

diff --git a/pkg/controlplane/manager.go b/pkg/controlplane/manager.go
@@ -17,6 +17,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
+	"github.com/medik8s/self-node-remediation/pkg/certificates"
 	"github.com/medik8s/self-node-remediation/pkg/peers"
 )
 
@@ -150,7 +151,10 @@ func (manager *Manager) isEndpointAccessible() bool {
 func (manager *Manager) isKubeletServiceRunning() bool {
 	url := fmt.Sprintf("https://%s:%s/pods", manager.nodeName, kubeletPort)
 	tr := &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: true,
+			MinVersion:         certificates.TLSMinVersion,
+		},
 	}
 	httpClient := &http.Client{Transport: tr}