Stats
Actions
Tags
From prodsec-skills
Enforces TLS compliance on Kubernetes and OpenShift Ingresses, Routes, and Services. Audits TLS version, certificates, and post-quantum readiness.
How this skill is triggered — by the user, by Claude, or both
Slash command
/prodsec-skills:tls-complianceThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Enforce strong TLS configuration across Kubernetes workloads to prevent protocol downgrade attacks, weak cipher exploitation, and certificate-related outages. For algorithm-level guidance (cipher selection, key sizes, post-quantum algorithms), see the [`algorithm-selection`](../algorithm-selection/SKILL.md) skill.
Enforce strong TLS configuration across Kubernetes workloads to prevent protocol downgrade attacks, weak cipher exploitation, and certificate-related outages. For algorithm-level guidance (cipher selection, key sizes, post-quantum algorithms), see the algorithm-selection skill.
Default to TLS 1.3 for all new services. TLS 1.3 is the strongest available protocol — it mandates forward secrecy, uses only AEAD ciphers, eliminates legacy cipher negotiation, reduces handshake latency, and is inherently post-quantum ready (no static RSA key exchange).
For legacy services that cannot yet support TLS 1.3, require TLS 1.2 as the minimum. Disable TLS 1.0 and 1.1 — both are deprecated by RFC 8996.
| Version | Status | Recommendation |
|---|---|---|
| TLS 1.3 | Current | Default for new services — PQC-ready, AEAD-only |
| TLS 1.2 | Acceptable | Minimum for legacy — AEAD cipher suites only |
| TLS 1.1 | Deprecated | Disable — RFC 8996 |
| TLS 1.0 | Deprecated | Disable — RFC 8996 |
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: app
annotations:
nginx.ingress.kubernetes.io/ssl-protocols: "TLSv1.3"
spec:
tls:
- hosts:
- app.example.com
secretName: app-tls
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: app
spec:
tls:
termination: edge
insecureEdgeTerminationPolicy: Redirect
to:
kind: Service
name: app-svc
OpenShift Note: Configure the IngressController's TLS security profile to enforce minimum versions cluster-wide:
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
name: default
namespace: openshift-ingress-operator
spec:
tlsSecurityProfile:
type: Modern
Available profiles: Old (TLS 1.0+), Intermediate (TLS 1.2+), Modern (TLS 1.3 only, recommended for new deployments), Custom.
OpenShift components must not hardcode TLS settings. Hardcoded TLS configuration creates a security vulnerability because it cannot be updated when the platform's security policy evolves — particularly for post-quantum cryptography readiness. This is a release blocker for OCP 5.0.
Components must dynamically inherit TLS settings from one of three central configuration sources:
| Configuration Source | Use When |
|---|---|
API Server (apiserver.config.openshift.io) | Default for most components |
Kubelet (kubeletconfig) | Components running on nodes |
Ingress (ingresscontroller.operator.openshift.io) | Components serving ingress traffic |
If a component has a legitimate reason to deviate from the cluster default (e.g., environment-specific constraints), it may implement its own knob with these conditions: it is clearly documented, and by default (or unset) it follows the cluster-wide configuration.
Run openshift/tls-scanner to confirm all service endpoints comply with the configured TLS policy after making changes.
TLS clients must verify that the server certificate's Subject Alternative Name (SAN) matches the requested hostname. Certificates with mismatched hostnames indicate misconfiguration or potential MITM.
Servers must present the full certificate chain (leaf + intermediates). Missing intermediate certificates cause validation failures in clients that don't have them cached.
Monitor certificate expiry and alert before expiration. A common threshold is 30 days for warning, 7 days for critical. Expired certificates cause hard outages with no graceful degradation.
Avoid self-signed certificates in production. For internal services, use a private CA (self-signed root issuing leaf certificates) rather than individual self-signed certificates — this enables chain validation and centralized trust management.
Set up test endpoints to validate TLS configuration before deploying to production. This pattern uses nginx to create endpoints with specific TLS versions for verification.
Create a self-signed certificate and an nginx ConfigMap that only accepts TLS 1.3:
openssl req -x509 -nodes -days 1 -newkey rsa:2048 \
-keyout /tmp/tls.key -out /tmp/tls.crt \
-subj "/CN=tls-test.tls-test-ns.svc"
kubectl create namespace tls-test-ns
kubectl create secret tls tls-test-cert \
--cert=/tmp/tls.crt --key=/tmp/tls.key \
-n tls-test-ns
kubectl create configmap nginx-tls13-only -n tls-test-ns --from-literal=default.conf='
server {
listen 8443 ssl;
ssl_certificate /etc/tls/tls.crt;
ssl_certificate_key /etc/tls/tls.key;
ssl_protocols TLSv1.3;
location / { return 200 "tls13-only"; }
}'
Deploy the test workload:
apiVersion: apps/v1
kind: Deployment
metadata:
name: tls13-only
namespace: tls-test-ns
spec:
replicas: 1
selector:
matchLabels:
app: tls13-only
template:
metadata:
labels:
app: tls13-only
spec:
containers:
- name: nginx
image: nginxinc/nginx-unprivileged:1.27
ports:
- containerPort: 8443
volumeMounts:
- name: tls
mountPath: /etc/tls
readOnly: true
- name: conf
mountPath: /etc/nginx/conf.d
volumes:
- name: tls
secret:
secretName: tls-test-cert
- name: conf
configMap:
name: nginx-tls13-only
---
apiVersion: v1
kind: Service
metadata:
name: tls13-only-svc
namespace: tls-test-ns
spec:
selector:
app: tls13-only
ports:
- port: 443
targetPort: 8443
From a pod in the cluster, confirm only TLS 1.3 is accepted:
# Should succeed (TLS 1.3)
openssl s_client -connect tls13-only-svc.tls-test-ns.svc:443 -tls1_3
# Should fail (TLS 1.2 rejected)
openssl s_client -connect tls13-only-svc.tls-test-ns.svc:443 -tls1_2
The most impactful PQC preparation step is adopting TLS 1.3 now. TLS 1.3 eliminates static RSA key exchange (the primary quantum-vulnerable pattern) and mandates forward secrecy, meaning even if a server's long-term key is broken by a future quantum computer, past session keys cannot be recovered.
"Harvest now, decrypt later" attacks make long-lived data vulnerable today — encrypted traffic captured now could be decrypted once quantum computers mature.
TLS 1.3 supports Hybrid ML-KEM key encapsulation when both endpoints have it enabled. Clusters using the Intermediate profile (TLS 1.2 minimum) do not prevent this — clients capable of TLS 1.3 will still negotiate it when the server offers it. This means PQC-resilient key exchange can work today without requiring the Modern (TLS 1.3 only) profile.
For detailed algorithm selection and post-quantum algorithm guidance, see algorithm-selection.
| Guidance | Certsuite Test ID | Profiles |
|---|---|---|
| TLS version enforcement | networking-tls-minimum-version | Telco/Far-Edge/Extended: mandatory, Non-Telco: optional |
npx claudepluginhub redhatproductsecurity/prodsec-skills --plugin prodsec-skillsImplements TLS security profiles for OpenShift operators and workloads. Guides reading config from APIServer CR and applying to webhook/metrics servers, HTTP, and gRPC endpoints with Legacy/Strict modes.
Configures HTTPS with TLS 1.2+ enforcement, modern cipher suites, certificate management, and HSTS for web servers, API gateways, and load balancers.
Configures TLS 1.3 on nginx, Apache, and Python ssl apps; validates with openssl and testssl.sh. Use for secure communications, compliance, and disabling legacy TLS.