Update ciphers in ingress controller remediation

rhmdnd · rhmdnd · commit 79db34709356 · 2024-07-26T15:58:32.000-05:00
Since we're updating the recommended OCIL, we can also update the remediation shipped with the content so that it matches. This will allow users to apply a remediation that updates their TLS ciphers so their either Recommended or Secure. This commit has a dependency on a permission change to the operator cluster role so that it can actually apply the remediation at runtime: ComplianceAsCode/compliance-operator#558
diff --git a/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/kubernetes/shared.yml b/applications/openshift/kubelet/kubelet_configure_tls_cipher_suites_ingresscontroller/kubernetes/shared.yml
@@ -11,6 +11,12 @@ spec:
       ciphers:
       - ECDHE-ECDSA-AES128-GCM-SHA256
       - ECDHE-RSA-AES128-GCM-SHA256
+      - ECDHE-ECDSA-CHACHA20-POLY1305
       - ECDHE-RSA-AES256-GCM-SHA384
+      - ECDHE-RSA-CHACHA20-POLY1305
+      - ECDHE-ECDSA-AES256-GCM-SHA384
+      - TLS_AES_128_GCM_SHA256
+      - TLS_AES_256_GCM_SHA384
+      - TLS_CHACHA20_POLY1305_SHA256
       minTLSVersion: VersionTLS12
     type: Custom
