SUSE Support

Here When You Need Us

How to change etcd cipher suite

This document (000020123) is provided subject to the disclaimer at the end of this document.

Environment

Rancher

Situation

Hardening ETCD cluster communication

Resolution

Synopsis:

This article will walk Rancher administrators through hardening the cluster communication between etcd nodes. We'll go over configuring etcd to use specific ciphers which enable stronger encryption for securing intra-cluster etcd traffic.

Configuring etcd (rke and Rancher UI):

To make the modifications we'll be configuring our rke cluster YAML spec. This setting would be defined, then applied at the command line with the rke CLI, or alternately via the Rancher UI. From within the Rancher UI, navigate to the cluster you're looking to modify, and click edit under the 3 dot menu. From there, you should see a button labeled 'Edit as Yaml'. At the cluster YAML spec view we define the cipher-suites parameter under the etcd service definition. We recommend testing this out in a non-vital cluster before rolling out on important clusters to become familiar with the process.

services:
  etcd:
    extra_args:
      cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
      election-timeout: "5000"
      heartbeat-interval: "500"

Note:

The cipher suites defined in the example could trade off speed for stronger encryption. Consider the level of ciphers in use and how they could impact the performance of an etcd cluster. Testing should be done to factor in the spec of your hosts (CPU, memory, disk, network, etc...) and the typical types of interacting with Kubernetes as well as the number of resources under management within the k8s cluster.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000020123
  • Creation Date: 06-May-2021
  • Modified Date:28-Mar-2024
    • SUSE Rancher

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.