Remove old TLS v1.2 ciphers from ingress controller rule

The following ciphers were listed in the "old" profile, which should only be used as a last resort for server TLS configuration: - AES128-GCM-SHA256 - AES256-GCM-SHA384 This commit removes them from the ingress controller rule so that it fails if a cluster is using these ciphers.
ComplianceAsCode · Jul 24, 2024 · 5ac8611 · 5ac8611
1 parent 646c380
commit 5ac8611
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/...ications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/rule.yml b/...ications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/rule.yml
@@ -37,5 +37,5 @@ template:
     filepath: '/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default'
     yamlpath: ".status.tlsProfile.ciphers[:]"
     values:
-    - value: '^(ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES256-GCM-SHA384|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES256-GCM-SHA384|AES256-GCM-SHA384|AES128-GCM-SHA256|TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|DHE-RSA-AES128-GCM-SHA256|DHE-RSA-AES256-GCM-SHA384)$'
+    - value: '^(ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES256-GCM-SHA384|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES256-GCM-SHA384|TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|DHE-RSA-AES128-GCM-SHA256|DHE-RSA-AES256-GCM-SHA384)$'
       operation: 'pattern match'