Im trying to update the tls-cipher-suites for the daemonset.apps/node-exporter of openshift-monitoring namespace using oc edit daemonset.apps/node-exporter -n openshift-monitoring
.
.
.
- args:
- --secure-listen-address=:9100
- --upstream=http://127.0.0.1:9101/
- --tls-cert-file=/etc/tls/private/tls.crt
- --tls-private-key-file=/etc/tls/private/tls.key
- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
image: quay.io/coreos/kube-rbac-proxy:v0.3.1
imagePullPolicy: IfNotPresent
name: kube-rbac-proxy
ports:
.
.
.
Once the tls-cipher-suites are updated, i see that node-exporter pods are getting re-deployed. But when I check the daemonset.apps/node-exporter using oc get -o yaml daemonset.apps/node-exporter -n openshift-monitoring i see that the updates done to tls-cipher-suites are lost and it has got re-set to old value.
How can i set this value permanently?
Note: The purpose of updating tls-cipher-suites is Nessus scan has reported SWEET32 vulnerability for port 9100 for the Medium Strength Ciphers: ECDHE-RSA-DES-CBC3-SHA and DES-CBC3-SHA.
Openshift 3.11 seems to indeed be using openshift_cluster_monitoring_operator. This is why when you delete or change anything it recovers it to its defaults.
It manages node-exporter installation and it doesn't seem to allow for customizing node-exporter installation. Take a look at the cluster-monitoring-operator docs
My recommendation would be to uninstall openshift monitoring operator and install node-exporter yourself from official node-exporter repository or with helm chart where you actually have full controll over deployment.