Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable to configure cipher suites for the allocator #4027

Open
RedShiba opened this issue Nov 2, 2024 · 2 comments · May be fixed by #4067
Open

Enable to configure cipher suites for the allocator #4027

RedShiba opened this issue Nov 2, 2024 · 2 comments · May be fixed by #4067
Assignees
@0xaravindh
Labels
area/security Issues pertaining to security kind/feature New features for Agones

Comments

@RedShiba
Copy link

RedShiba commented Nov 2, 2024

Is your feature request related to a problem? Please describe.
The allocator server can be configured to use TLS, relies on Go's crypto/tls package for TLS connection. Some of defaults cipher suits in Go's package may include less secure options that hardcoded into the library.(e.g. TLS_RSA_WITH_3DES_EDE_CBC_SHA).

How to reproduce it:
Install Agones with TLS certificates for the allocator(I'm using cert-manager with self-signed certificates). Expose allocator service using port-forwarding(k port-forward svc/agones-allocator 4443:443 -n $NS) or serviceType LoadBalancer. Use the nmap command to check the enabled ciphers:
nmap --script ssl-enum-ciphers -p 443 $ENDPOINT

Environment:
Agones version: 1.42.0
Kubernetes version: client (1.25) and server (1.27)
Install method (yaml/helm): helm

Describe the solution you'd like
A new option to specify a preferred cipher suites could be added to the allocator, along with an option to select TLS version. Similar to how it's done in cert-manager here

Describe alternatives you've considered

Additional context
I believe it's low-priority security issue, as exploiting weak ciphers would still be challenging. However, adding flexibility in TLS configuration would enhance security and future-proof the allocator against vulnerabilities.
@RedShiba RedShiba added the kind/feature New features for Agones label Nov 2, 2024
@0xaravindh 0xaravindh added the area/security Issues pertaining to security label Dec 5, 2024
@0xaravindh 0xaravindh self-assigned this Dec 12, 2024
@0xaravindh 0xaravindh linked a pull request Dec 13, 2024 that will close this issue
Open
@peterzhongyi
Copy link
Collaborator

peterzhongyi commented Jan 9, 2025
edited
Loading

Hi @RedShiba, for some reason I couldn't reproduce the same set of ciphers that include TLS_RSA_WITH_3DES_EDE_CBC_SHA, I don't know if it is because the version differences of Agones(I'm using 1.46) or Kubernetes? I installed Agones with helm and followed https://agones.dev/site/docs/advanced/allocator-service/#server-tls-certificate, using cert-manager and the bash script for the self-signed certificate.

Screenshot 2025-01-08 at 4 30 01 PM

Can you still reproduce the issue? If so, can you give more details on how you installed Agones with TLS certificates for the allocator?

@RedShiba
Copy link
Author

RedShiba commented Jan 9, 2025

Hi, @peterzhongyi , I tested different versions of Agones locally. Yes, you are right. I can't reproduce the issue anymore since version 1.44 of Agones. Seems the issue was fixed here after updating the Go library.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@0xaravindh 0xaravindh

Labels
area/security Issues pertaining to security kind/feature New features for Agones
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Set default TLS cipher suites if not configured 0xaravindh/agones
3 participants
@peterzhongyi @RedShiba @0xaravindh