kubernetesopenshiftopenshift-originokdnessus

Unable to update the tls-cipher-suites for node exporter in openshift 3.11


Im trying to update the tls-cipher-suites for the daemonset.apps/node-exporter of openshift-monitoring namespace using oc edit daemonset.apps/node-exporter -n openshift-monitoring

.
.
.
      - args:
        - --secure-listen-address=:9100
        - --upstream=http://127.0.0.1:9101/
        - --tls-cert-file=/etc/tls/private/tls.crt
        - --tls-private-key-file=/etc/tls/private/tls.key
        - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        image: quay.io/coreos/kube-rbac-proxy:v0.3.1
        imagePullPolicy: IfNotPresent
        name: kube-rbac-proxy
        ports:
.
.
.

Once the tls-cipher-suites are updated, i see that node-exporter pods are getting re-deployed. But when I check the daemonset.apps/node-exporter using oc get -o yaml daemonset.apps/node-exporter -n openshift-monitoring i see that the updates done to tls-cipher-suites are lost and it has got re-set to old value. How can i set this value permanently?

Note: The purpose of updating tls-cipher-suites is Nessus scan has reported SWEET32 vulnerability for port 9100 for the Medium Strength Ciphers: ECDHE-RSA-DES-CBC3-SHA and DES-CBC3-SHA.


Solution

  • Openshift 3.11 seems to indeed be using openshift_cluster_monitoring_operator. This is why when you delete or change anything it recovers it to its defaults.

    It manages node-exporter installation and it doesn't seem to allow for customizing node-exporter installation. Take a look at the cluster-monitoring-operator docs

    My recommendation would be to uninstall openshift monitoring operator and install node-exporter yourself from official node-exporter repository or with helm chart where you actually have full controll over deployment.