TLS Settings
Changing the default TLS settings depends on the chosen installation method.
Running Rancher in a highly available Kubernetes cluster
When you install Rancher inside of a Kubernetes cluster, TLS is offloaded at the cluster’s ingress controller. The possible TLS settings depend on the used ingress controller:
-
nginx-ingress-controller (default for RKE1 and RKE2): Default TLS Version and Ciphers.
-
traefik (default for K3s): TLS Options.
Running Rancher in a single Docker container
The default TLS configuration only accepts TLS 1.2 and secure TLS cipher suites. You can change this by setting the following environment variables:
Parameter | Description | Default | Available options |
---|---|---|---|
|
Minimum TLS version |
|
|
|
Allowed TLS cipher suites |
|
Agent TLS Enforcement
The agent-tls-mode
setting controls how Rancher’s agents (cluster-agent
, fleet-agent
, and system-agent
) validate Rancher’s certificate.
When the value is set to strict
, Rancher’s agents only trust certificates generated by the Certificate Authority contained in the cacerts
setting.
When the value is set to system-store
, Rancher’s agents trust any certificate generated by a public Certificate Authority contained in the operating system’s trust store including those signed by authorities such as Let’s Encrypt. This can be a security risk, since any certificate generated by these external authorities, which are outside the user’s control, are considered valid in this state.
While the strict
option enables a higher level of security, it requires Rancher to have access to the CA which generated the certificate visible to the agents. In the case of certain certificate configurations (notably, external certificates), this is not automatic, and extra configuration is needed. See the installation guide for more information on which scenarios require extra configuration.
In Rancher v2.8, this setting defaults to system-store
for new installs.
Preparing for the Setting Change
Each cluster contains a condition in the status field called AgentTlsStrictCheck
. If AgentTlsStrictCheck
is set to "True"
, this indicates that the agents for the cluster are ready to operate in strict
mode. You can manually inspect each cluster to see if they are ready using the Rancher UI or a kubectl command such as the following:
## the below command skips ouputs $CLUSTER_NAME,$STATUS for all non-local clusters
kubectl get cluster.management.cattle.io -o jsonpath='{range .items[?(@.metadata.name!="local")]}{.metadata.name},{.status.conditions[?(@.type=="AgentTlsStrictCheck")].status}{"\n"}{end}'
Changing the Setting
You can change the setting using the agentTLSMode
helm chart option.
Depending on your cert setup, additional action may be required, such as uploading the Certificate Authority which signed your certs. Review the installation guide before changing the setting to see if any additional requirements apply to your setup. |
Overriding the Setting Validation Checks
In some cases, you may want to override the check ensuring all agents can accept the new TLS configuration:
Rancher checks the status of all downstream clusters to prevent outages. Overriding this check is not recommended, and should be done with great caution. |
-
As an admin, generate a kubeconfig for the local cluster. In the below examples, this was saved to the
local_kubeconfig.yaml
file. -
Retrieve the current setting and save it to
setting.yaml
:kubectl get setting agent-tls-mode -o yaml --kubeconfig=local_kubeconfig.yaml > setting.yaml
-
Update the
setting.yaml
file, replacingvalue
withstrict
. Adding thecattle.io/force: "true"
annotation overrides the cluster condition check, and should only be done with great care:
Including the |
apiVersion: management.cattle.io/v3
customized: false
default: strict
kind: Setting
metadata:
name: agent-tls-mode
annotations:
cattle.io/force: "true"
source: ""
value: strict
-
Apply the new version of the setting:
kubectl apply -f setting.yaml --kubeconfig=local_kubeconfig.yaml