Update Default Value for Chart defaultSSLPolicy because of Update TLS to version 1.2 or higher

[riita10069]

Issue

#4054

Description

To ensure compliance with modern security standards and to mitigate vulnerabilities associated with older TLS versions, we need to configure the Application Load Balancer (ALB) to use an SSL policy that enforces TLS 1.2 or higher. This change aligns with industry best practices and AWS recommendations.

Requirements:

Update the ALB's SSL policy to one that supports only TLS 1.2 and TLS 1.3.

Recommended policies include:
ELBSecurityPolicy-TLS13-1-2-2021-06

Verify that the updated policy disables support for deprecated protocols such as TLS 1.0 and TLS 1.1.

Ensure compatibility with all client systems accessing the ALB.

Justification:

Security Compliance: Industry standards such as PCI DSS, NIST, and others mandate the use of secure protocols like TLS 1.2 or higher.

AWS Recommendations: AWS documentation recommends using the latest predefined security policies, such as ELBSecurityPolicy-TLS13-1-2-2021-06, which support TLS 1.3 and are backward-compatible with TLS

• https://docs.aws.amazon.com/elasticloadbalancing/latest/application/describe-ssl-policies.html
• https://trendmicro.com/cloudoneconformity/knowledge-base/aws/ELBv2/security-policy.html

Mitigation of Vulnerabilities: Older protocols (TLS 1.0/1.1) are considered insecure and have been deprecated by most modern browsers and operating systems.

https://trendmicro.com/cloudoneconformity/knowledge-base/aws/ELBv2/security-policy.html

Checklist

• Added tests that cover your change (if possible)
• Added/modified documentation as required (such as the README.md, or the docs directory)
• Manually tested
• Made sure the title of the PR is a good description that can go into the release notes

BONUS POINTS checklist: complete for good vibes and maybe prizes?! 🤯

• Backfilled missing tests for code in same general area 🎉
• Refactored something and made the world a better place 🌟

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: riita10069
Once this PR has been reviewed and has the lgtm label, please assign wweiwei-li for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[guessi]

Quoted from doc

• The ELBSecurityPolicy-TLS13-1-2-2021-06 policy is the default security policy for HTTPS listeners created using the AWS Management Console.
• The ELBSecurityPolicy-2016-08 policy is the default security policy for HTTPS listeners created using the AWS CLI.

Keep in mind that changing the values.yaml could be a breaking change for those who don't set values while helm install/upgrade.

---

FYI, default of the defaultSSLPolicy will be set via flag here,

• https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/pkg/config/controller_config.go#L138-L139

where the default definition could be found at

• https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/pkg/config/controller_config.go#L27

[zac-nixon]

+1. This change is particularly dangerous. If you wish to enforce SSL policy enforcement, I would suggest a feature that sets the default at the controller level using feature flags.

[shraddhabang]

We already have a controller flag default-ssl-policy which customers can use to set their desired policy. The controller level default is ELBSecurityPolicy-2016-08 which aligns with our CLI behavior mentioned earlier. So I don't think this is a valid change as this could break existing customer.