MEDIUM M11: Ingress TLS Ciphers P3

Overview

This remediation configures the OpenShift Ingress Controller with a custom TLS security profile that specifies approved cipher suites.

Settings

Setting              Description
tlsSecurityProfile   Custom TLS profile with specific cipher suites

Implementation

Modify the IngressController custom resource:

apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: default
  namespace: openshift-ingress-operator
spec:
  tlsSecurityProfile:
    type: Custom
    custom:
      ciphers:
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
        - ECDHE-ECDSA-AES128-GCM-SHA256
        - ECDHE-RSA-AES128-GCM-SHA256
        - ECDHE-ECDSA-AES256-GCM-SHA384
        - ECDHE-RSA-AES256-GCM-SHA384
      minTLSVersion: VersionTLS12

Compliance Checks Remediated

Check                                           Profile
ocp4-cis-ingress-controller-tls-cipher-suites   CIS

Source Remediation Files

  • medium/ocp4-cis-ingress-controller-tls-cipher-suites.yaml

Verification

Check current TLS profile:

oc get ingresscontroller default -n openshift-ingress-operator -o jsonpath='{.spec.tlsSecurityProfile}'
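
The command above prints the tlsSecurityProfile map as JSON. The following checker, added here as an example and not part of the remediation files, compares that JSON against the profile defined in this remediation and reports drift (wrong type, minTLSVersion below TLS 1.2, unapproved or missing ciphers). The sample input is constructed for offline use; in practice the JSON would come from the oc command.

```python
import json

# Approved profile from the remediation above (copied here so the check runs offline).
APPROVED_CIPHERS = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
]
# minTLSVersion values at or above the required minimum of TLS 1.2.
ACCEPTABLE_MIN_VERSIONS = {"VersionTLS12", "VersionTLS13"}

def check_tls_profile(profile: dict) -> list[str]:
    """Return a list of findings; an empty list means the profile matches the remediation."""
    findings = []
    if profile.get("type") != "Custom":
        findings.append(f"tlsSecurityProfile.type is {profile.get('type')!r}, expected 'Custom'")
        return findings
    custom = profile.get("custom") or {}
    min_version = custom.get("minTLSVersion")
    if min_version not in ACCEPTABLE_MIN_VERSIONS:
        findings.append(f"minTLSVersion is {min_version!r}, expected VersionTLS12 or higher")
    ciphers = custom.get("ciphers") or []
    unexpected = [c for c in ciphers if c not in APPROVED_CIPHERS]
    missing = [c for c in APPROVED_CIPHERS if c not in ciphers]
    if unexpected:
        findings.append("unapproved ciphers present: " + ", ".join(unexpected))
    if missing:
        findings.append("approved ciphers missing: " + ", ".join(missing))
    return findings

def check_from_json(raw: str) -> list[str]:
    """Accept the JSON object printed for {.spec.tlsSecurityProfile} by the oc command."""
    return check_tls_profile(json.loads(raw))

# Constructed sample: a drifted profile that still allows TLS 1.1 and a CBC suite.
SAMPLE_DRIFTED = json.dumps({
    "type": "Custom",
    "custom": {
        "minTLSVersion": "VersionTLS11",
        "ciphers": ["TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-SHA256"],
    },
})

if __name__ == "__main__":
    for finding in check_from_json(SAMPLE_DRIFTED) or ["profile matches remediation"]:
        print(finding)
```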

Security Impact

Controlling TLS cipher suites:

  • Prevents use of weak ciphers
  • Ensures forward secrecy with ECDHE
  • Blocks deprecated protocols (SSLv3, TLS 1.0, TLS 1.1)
  • Meets PCI-DSS and other compliance requirements