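# CustomResourceDefinition for config.openshift.io/v1 APIServer.
#
# The single instance is named 'cluster' and carries the cluster-wide serving
# certificates, client CA bundle, CORS origins, datastore encryption type and
# TLS security profile shared by kube-apiserver and openshift-apiserver.
# Every field below therefore changes the control plane's trust or crypto
# posture; write access to this resource should be treated as admin access.
#
# NOTE(review): apiextensions.k8s.io/v1beta1 is the legacy CRD API (dropped by
# Kubernetes 1.22+); later copies of this definition use apiextensions.k8s.io/v1.
# Confirm the target cluster version before applying this file as-is.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: apiservers.config.openshift.io
spec:
  group: config.openshift.io
  scope: Cluster
  # Structural schema with pruning enabled: fields that are not declared in
  # openAPIV3Schema below are dropped on write rather than stored unvalidated.
  preserveUnknownFields: false
  names:
    kind: APIServer
    singular: apiserver
    plural: apiservers
    listKind: APIServerList
  versions:
  - name: v1
    served: true
    storage: true
  # status is a separate subresource, so RBAC can grant status writes (the
  # operator) independently of spec writes (cluster administrators).
  subresources:
    status: {}
  "validation":
    "openAPIV3Schema":
      description: APIServer holds configuration (like serving certificates, client
        CA and CORS domains) shared by all API servers in the system, among them especially
        kube-apiserver and openshift-apiserver. The canonical name of an instance
        is 'cluster'.
      type: object
      required:
      - spec
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          type: object
          properties:
            # The entries are Go regular expressions, not literal hostnames, and
            # the schema only checks that they are strings. A pattern without
            # anchors (e.g. 'example.com') presumably also matches any origin that
            # merely contains it, such as 'example.com.attacker.net'; anchor
            # patterns and escape dots. Each entry widens which browser origins
            # may call the API and the integrated OAuth server with credentials.
            additionalCORSAllowedOrigins:
              description: additionalCORSAllowedOrigins lists additional, user-defined
                regular expressions describing hosts for which the API server allows
                access using the CORS headers. This may be needed to access the API
                and the integrated OAuth server from JavaScript applications. The
                values are regular expressions that correspond to the Golang regular
                expression language.
              type: array
              items:
                type: string
            # Additional trust anchors for client-certificate authentication.
            # Certificates chaining to any CA in this bundle are accepted alongside
            # the operator-managed signers, so keep the bundle to CAs you control
            # and can revoke. The schema validates only the ConfigMap name; the
            # bundle contents are read from openshift-config at runtime.
            clientCA:
              description: 'clientCA references a ConfigMap containing a certificate
                bundle for the signers that will be recognized for incoming client
                certificates in addition to the operator managed signers. If this
                is empty, then only operator managed signers are valid. You usually
                only have to set this if you have your own PKI you wish to honor client
                certificates from. The ConfigMap must exist in the openshift-config
                namespace and contain the following required fields: - ConfigMap.Data["ca-bundle.crt"]
                - CA bundle.'
              type: object
              required:
              - name
              properties:
                name:
                  description: name is the metadata.name of the referenced config
                    map
                  type: string
            # Encryption of sensitive resources at the datastore layer. Only the
            # type is configurable here. Unset ("") or 'identity' means the listed
            # resources (secrets, configmaps, routes, OAuth access/authorize
            # tokens) are stored in etcd in plaintext.
            encryption:
              description: encryption allows the configuration of encryption of resources
                at the datastore layer.
              type: object
              properties:
                type:
                  description: "type defines what encryption type should be used to
                    encrypt resources at the datastore layer. When this field is unset
                    (i.e. when it is set to the empty string), identity is implied.
                    The behavior of unset can and will change over time. Even if
                    encryption is enabled by default, the meaning of unset may change
                    to a different encryption type based on changes in best practices.
                    \n When encryption is enabled, all sensitive resources shipped
                    with the platform are encrypted. This list of sensitive resources
                    can and will change over time. The current authoritative list
                    is: \n 1. secrets 2. configmaps 3. routes.route.openshift.io
                    \ 4. oauthaccesstokens.oauth.openshift.io 5. oauthauthorizetokens.oauth.openshift.io"
                  type: string
                  # Closed enum: 'aescbc' is the only real encryption option this
                  # schema version accepts; anything else is rejected on admission.
                  enum:
                  - ""
                  - identity
                  - aescbc
            # Serving certificates are referenced by Secret name in the
            # openshift-config namespace. The private key (tls.key) lives in that
            # Secret, so RBAC on openshift-config is what protects the API
            # server's TLS identity; the schema itself validates only the name.
            servingCerts:
              description: servingCert is the TLS cert info for serving secure traffic.
                If not specified, operator managed certificates will be used for serving
                secure traffic.
              type: object
              properties:
                namedCertificates:
                  description: namedCertificates references secrets containing the
                    TLS cert info for serving secure traffic to specific hostnames.
                    If no named certificates are provided, or no named certificates
                    match the server name as understood by a client, the defaultServingCertificate
                    will be used.
                  type: array
                  items:
                    description: APIServerNamedServingCert maps a server DNS name,
                      as understood by a client, to a certificate.
                    type: object
                    properties:
                      # Explicit names override the SANs extracted from the
                      # certificate; a wildcard here serves this key for every
                      # matching SNI name, so scope wildcards deliberately.
                      names:
                        description: names is a optional list of explicit DNS names
                          (leading wildcards allowed) that should use this certificate
                          to serve secure traffic. If no names are provided, the implicit
                          names will be extracted from the certificates. Exact names
                          trump over wildcard names. Explicit names defined here trump
                          over extracted implicit names.
                        type: array
                        items:
                          type: string
                      servingCertificate:
                        description: 'servingCertificate references a kubernetes.io/tls
                          type secret containing the TLS cert info for serving secure
                          traffic. The secret must exist in the openshift-config namespace
                          and contain the following required fields: - Secret.Data["tls.key"]
                          - TLS private key. - Secret.Data["tls.crt"] - TLS certificate.'
                        type: object
                        required:
                        - name
                        properties:
                          name:
                            description: name is the metadata.name of the referenced
                              secret
                            type: string
            # TLS policy for externally exposed servers. The named profiles are
            # intent-based (their cipher lists may change between releases), and
            # at this schema version only Old and Intermediate are honoured with a
            # maximum minTLSVersion of VersionTLS12.
            tlsSecurityProfile:
              description: "tlsSecurityProfile specifies settings for TLS connections
                for externally exposed servers. \n If unset, a default (which may
                change between releases) is chosen. Note that only Old and Intermediate
                profiles are currently supported, and the maximum available MinTLSVersions
                is VersionTLS12."
              type: object
              properties:
                # 'custom' is validated only as "array of strings" plus a string
                # version: a misspelled or unsupported cipher name is not rejected
                # here, and a list the server cannot negotiate takes the API
                # offline. Prefer a named profile; if custom is unavoidable, keep
                # it to AEAD suites and a TLS 1.2 minimum.
                custom:
                  description: "custom is a user-defined TLS security profile. Be
                    extremely careful using a custom profile as invalid configurations
                    can be catastrophic. An example custom profile looks like this:
                    \n ciphers: - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305
                    \ - ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256
                    \ minTLSVersion: TLSv1.1"
                  type: object
                  properties:
                    # The example below (DES-CBC3-SHA) illustrates syntax only; it
                    # is a 3DES suite and should not be copied into a real profile.
                    ciphers:
                      description: "ciphers is used to specify the cipher algorithms
                        that are negotiated during the TLS handshake. Operators may
                        remove entries their operands do not support. For example,
                        to use DES-CBC3-SHA (yaml): \n ciphers: - DES-CBC3-SHA"
                      type: array
                      items:
                        type: string
                    # The example value TLSv1.1 is a deprecated protocol version
                    # (RFC 8996); use TLSv1.2, which is also the highest value this
                    # schema version allows.
                    minTLSVersion:
                      description: "minTLSVersion is used to specify the minimal version
                        of the TLS protocol that is negotiated during the TLS handshake.
                        For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):
                        \n minTLSVersion: TLSv1.1 \n NOTE: currently the highest
                        minTLSVersion allowed is VersionTLS12"
                      type: string
                  nullable: true
                # Intermediate: TLS 1.2 minimum with AEAD (GCM / ChaCha20-Poly1305)
                # suites only. This is the profile to use unless legacy clients
                # demonstrably require Old.
                intermediate:
                  description: "intermediate is a TLS security profile based on: \n
                    https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
                    \n and looks like this (yaml): \n ciphers: - TLS_AES_128_GCM_SHA256
                    \ - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256
                    \ - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256
                    \ - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384
                    \ - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305
                    \ - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384
                    \ minTLSVersion: TLSv1.2"
                  type: object
                  nullable: true
                # Modern (TLS 1.3 only) is declared in the schema but explicitly
                # unsupported at this version; selecting it is not a hardening step
                # until the operators honour it.
                modern:
                  description: "modern is a TLS security profile based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
                    \n and looks like this (yaml): \n ciphers: - TLS_AES_128_GCM_SHA256
                    \ - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256
                    \ minTLSVersion: TLSv1.3 \n NOTE: Currently unsupported."
                  type: object
                  nullable: true
                # Old re-enables TLSv1.0, CBC-mode, SHA-1-MAC and 3DES (DES-CBC3-SHA)
                # suites for legacy clients. TLS 1.0/1.1 are deprecated (RFC 8996)
                # and 3DES is a 64-bit block cipher with known practical attacks;
                # treat this profile as a documented, time-boxed exception.
                old:
                  description: "old is a TLS security profile based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
                    \n and looks like this (yaml): \n ciphers: - TLS_AES_128_GCM_SHA256
                    \ - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256
                    \ - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256
                    \ - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384
                    \ - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305
                    \ - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384
                    \ - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256
                    \ - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA -
                    ECDHE-RSA-AES128-SHA - ECDHE-ECDSA-AES256-SHA384 - ECDHE-RSA-AES256-SHA384
                    \ - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA -
                    DHE-RSA-AES128-SHA256 - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256
                    \ - AES256-GCM-SHA384 - AES128-SHA256 - AES256-SHA256
                    \ - AES128-SHA - AES256-SHA - DES-CBC3-SHA minTLSVersion:
                    TLSv1.0"
                  type: object
                  nullable: true
                # Unlike encryption.type, this selector has no enum: the schema
                # accepts any string, so a typo such as 'Intermediat' is not
                # rejected on admission. NOTE(review): the consuming operators
                # presumably validate or fall back to the default — confirm which
                # behaviour applies before relying on it.
                type:
                  description: "type is one of Old, Intermediate, Modern or Custom.
                    Custom provides the ability to specify individual TLS security
                    profile parameters. Old, Intermediate and Modern are TLS security
                    profiles based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
                    \n The profiles are intent based, so they may change over time
                    as new ciphers are developed and existing ciphers are found to
                    be insecure. Depending on precisely which ciphers are available
                    to a process, the list may be reduced. \n Note that the Modern
                    profile is currently not supported because it is not yet well
                    adopted by common software libraries."
                  type: string
        status:
          type: object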