Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unsecure Default TLS Policy because of the AGIC controller using old network API version (< 2023-02-01) and deprecated Azure SDK #1620

Open
zioproto opened this issue Jun 14, 2024 · 3 comments
Open

Unsecure Default TLS Policy because of the AGIC controller using old network API version (< 2023-02-01) and deprecated Azure SDK #1620

zioproto opened this issue Jun 14, 2024 · 3 comments

Comments

@zioproto
Copy link

Looking at this line of code:

application-gateway-kubernetes-ingress/pkg/azure/client.go

Line 15 in 8bc1e63

n "github.com/Azure/azure-sdk-for-go/services/network/mgmt/2021-03-01/network"

I understand the AGIC controller is using a deprecated Azure SDKs and should upgraded following this guide:
https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/MIGRATION_GUIDE.md

There is an impact on security. Because the deprecated Azure SDK consumes an ARM API version lower than 2023-02-01 in the Default TLS policy the minimum protocol version is set to TLS 1.0

This was originally reported by a customer here:
Azure/terraform-azurerm-aks#532

How this is actionable ?
Please patch the code to use API versions 2023-02-01 or higher, then the minimum TLS protocol version is set to 1.2

Documentation reference:
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview#default-tls-policy

Cc: @chixcancode @JackStromberg
@ralph-tice
Copy link

In addition to the default here, the workaround of applying the annotation explicitly on the Ingress resource doesn't result in the SSL policy being applied by AGIC:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress-all
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
    appgw.ingress.kubernetes.io/ssl-policy: "AppGwSslPolicy20220101"

despite the annotation being visible in the portal:
image

@zioproto
Copy link
Author

zioproto commented Oct 3, 2024

@palma21 @JackStromberg could you please check if this GitHub issue is actionable to the AKS product team ?

My concern is that Application Gateways created by AGIC have a Default TLS policy with the minimum protocol version set to TLS 1.0

thank you

@JackStromberg
Copy link
Member

JackStromberg commented Oct 4, 2024
edited
Loading

Acknowledging this ask, but don't have an ETA on when the behavior will change in AGIC.

If using Application Gateway for Containers, we enforce TLS 1.2 or greater making it a non-issue in that solution.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@zioproto @ralph-tice @JackStromberg