How to configure a certain set of SSL ciphers for secure communication in nginx ingress controller

This document (000021312) is provided subject to the disclaimer at the end of this document.

Environment

Rancher 2.6.x and 2.7.x

Situation

Certain SSL ciphers must be configured for secure communication in the Nginx controller.

Resolution

Add the ssl-ciphers key under data: in the rke2-ingress-nginx-controller ConfigMap in the kube-system namespace:
kubectl edit cm -n kube-system rke2-ingress-nginx-controller
apiVersion: v1
data:
  allow-snippet-annotations: "false"
  ssl-ciphers: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
kind: ConfigMap
metadata:
  annotations:
    meta.helm.sh/release-name: rke2-ingress-nginx
    meta.helm.sh/release-namespace: kube-system
  creationTimestamp: "2023-04-04T06:49:23Z"
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: rke2-ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: rke2-ingress-nginx
    app.kubernetes.io/part-of: rke2-ingress-nginx
    app.kubernetes.io/version: 1.2.0
    helm.sh/chart: rke2-ingress-nginx-4.1.008
  name: rke2-ingress-nginx-controller
  namespace: kube-system
  resourceVersion: "185326591"
  uid: af0364c8-4356-4047-ad6d-641400726725
To check that the SSL ciphers have been applied, exec into the controller pod and run the command below:
kubectl exec -it rke2-ingress-nginx-controller-m467j -n kube-system -- bash
www-data@rke2-ingress-nginx-controller-m467j:/etc/nginx> /dbg conf | grep -i cipher
        # allow configuring custom ssl ciphers
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
        ssl_prefer_server_ciphers on;

Note - The same steps can also be applied on an RKE cluster. However, the ConfigMap name there is rke-ingress-controller, under the kube-system namespace.
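
The verification step above can be turned into a repeatable check that compares every ssl_ciphers directive in the rendered configuration with the intended list and reports unexpected or missing ciphers. This is an added example, not SUSE's or the ingress-nginx project's code; the function names and sample inputs are constructed for illustration, and the kubectl line in the comment assumes /dbg can be run directly through kubectl exec.

```shell
#!/bin/sh
# Added example (not SUSE's code): audit ssl_ciphers in rendered nginx config.
# Intended use, with the pod name from this page:
#   kubectl exec rke2-ingress-nginx-controller-m467j -n kube-system -- \
#     /dbg conf | check_ssl_ciphers "$WANT"

# Print the value of every ssl_ciphers directive read from stdin.
extract_ciphers() {
    sed -n "s/^[[:space:]]*ssl_ciphers[[:space:]][[:space:]]*['\"]\{0,1\}\([^'\";]*\)['\"]\{0,1\}[[:space:]]*;.*/\1/p"
}

# Turn a colon-separated cipher list into sorted, unique lines.
normalize() {
    printf '%s\n' "$1" | tr ':' '\n' | sed '/^$/d' | sort -u
}

# check_ssl_ciphers EXPECTED < config
# Returns 0 on exact match, 1 on any difference, 2 if no directive exists.
check_ssl_ciphers() {
    expected=$(normalize "$1")
    found=$(extract_ciphers)
    [ -n "$found" ] || { echo "no ssl_ciphers directive found" >&2; return 2; }
    result=0
    while IFS= read -r list; do
        actual=$(normalize "$list")
        for c in $actual; do
            printf '%s\n' "$expected" | grep -qxF -- "$c" ||
                { echo "unexpected: $c"; result=1; }
        done
        for c in $expected; do
            printf '%s\n' "$actual" | grep -qxF -- "$c" ||
                { echo "missing: $c"; result=1; }
        done
    done <<EOF
$found
EOF
    return $result
}

WANT='ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384'
# Constructed samples: the output shown on this page, and a drifted config.
sample_ok() {
    printf '%s\n' "        # allow configuring custom ssl ciphers" \
        "        ssl_ciphers '$WANT';" "        ssl_prefer_server_ciphers on;"
}
sample_drift() { echo "ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA';"; }

sample_ok | check_ssl_ciphers "$WANT" && echo "sample_ok: matches"
sample_drift | check_ssl_ciphers "$WANT" || echo "sample_drift: differs"
```

A non-zero exit status makes the check usable in a scheduled job or pipeline to detect drift after the ConfigMap is changed.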

Status

Top Issue

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000021312
  • Creation Date: 28-Dec-2023
  • Modified Date: 22-Jul-2024
    • SUSE Rancher
