
TOB-K8S-037: Kubelet supports insecure TLS ciphersuites #81145

@cji


This issue was reported in the Kubernetes Security Audit Report

Description
Kubelet allows administrators to configure TLS connections to use a variety of insecure cipher suites. In particular it supports the use of RC4 and 3DES in its symmetric suites. RC4 has a known bias in its output and should never be used, while 3DES is an extremely deprecated 64-bit block cipher which is both slow and unneeded. Additionally, non-forward-secure key exchange is supported (TLS_RSA_*). This, along with SHA-based cipher suites, should be deprecated and replaced.

Recommendation
Remove support for any cipher suite that uses RC4 or 3DES as well as non-forward-secure key exchange suites (TLS_RSA_*). Deprecate all but the following cipher suite options for TLS versions up through 1.2:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

Use the following cipher suites for TLS 1.3:

TLS_AES_128_GCM_SHA256
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_256_GCM_SHA384
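An added example, not code from the issue or from the Kubernetes code base: a small Go check that classifies cipher suite names against the recommendation above (RC4, 3DES, RSA key exchange, and non-AEAD suites are flagged; the recommended TLS 1.2 and 1.3 suites pass). It assumes suites are given by their IANA names, the form kubelet's --tls-cipher-suites setting takes; the permissive list in main is constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// Reason says why a suite name falls outside the recommendation above,
// or returns "" when the suite is acceptable. Checks run from worst to least bad.
func Reason(name string) string {
	switch {
	case strings.Contains(name, "_RC4_"):
		return "RC4: biased keystream"
	case strings.Contains(name, "_3DES_"):
		return "3DES: deprecated 64-bit block cipher"
	case strings.HasPrefix(name, "TLS_RSA_"):
		return "RSA key exchange: no forward secrecy"
	case !strings.Contains(name, "_GCM_") && !strings.Contains(name, "_CHACHA20_"):
		return "non-AEAD suite (CBC with SHA MAC)"
	}
	return ""
}

// Audit returns the configured suites that should be removed, mapped to the reason.
func Audit(configured []string) map[string]string {
	bad := map[string]string{}
	for _, s := range configured {
		if r := Reason(s); r != "" {
			bad[s] = r
		}
	}
	return bad
}

func main() {
	// Constructed kubelet cipher suite list for the demonstration (not from the issue).
	permissive := []string{
		"TLS_RSA_WITH_RC4_128_SHA",
		"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	}
	for name, why := range Audit(permissive) {
		fmt.Printf("remove %s: %s\n", name, why)
	}
}
```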

Anything else we need to know?:

See #81146 for current status of all issues created from these findings.

The vendor gave this issue an ID of TOB-K8S-037 and it was finding 37 of the report.

The vendor considers this issue Informational Severity.

To view the original finding, begin on page 89 of the Kubernetes Security Review Report

Environment:

  • Kubernetes version: 1.13.4

Labels

  • area/security
  • kind/bug: Categorizes issue or PR as related to a bug.
  • priority/awaiting-more-evidence: Lowest priority. Possibly useful, but not yet enough support to actually get it done.
  • sig/api-machinery: Categorizes an issue or PR as relevant to SIG API Machinery.
  • sig/auth: Categorizes an issue or PR as relevant to SIG Auth.
  • wg/security-audit: Categorizes an issue or PR as relevant to WG Security Audit.
