VPA admission-controller: About 0.0.0.0:8000 listen and insecure tls protocols

[novahe]

I found some listening ports with 0.0.0.0 during the scanning process, such as 8000. Moreover, the insecure TLS 1.0 and 1.1 protocols, as well as insecure cipher suites (for example, using RSA as the key exchange algorithm and cipher suites containing CBC symmetric cipher algorithms in the TLS protocol) are being used for port 8000. May I ask if there is any plan to address these issues?

[voelzmo]

The admission-controller is a webhook, which needs to expose an endpoint. The default port for this is 8000.

Regarding the findings for the TLS protocols, it would be helpful if you pointed out where you found TLS 1.0 being used. Note that the flag --min-tls-version exists, which you can use to adjust the minimum required TLS version to your liking. It defaults to tls1_2, which makes me curious where you found TLS 1.0.

Hope that helps!

[voelzmo]

/area vertical-pod-autoscaler
/kind support

[adrianmoisey]

Can you also mention which version of the VPA you are running?

[novahe]

We use 1.2.2 and note that the latest version is supported. We are going to try the latest version. Thank you very much for your support. @voelzmo @adrianmoisey

[adrianmoisey]

We use 1.2.2 and note that the latest version is supported. We are going to try the latest version. Thank you very much for your support.

I think 1.2.2 is new enough that we can help you here.

I think the comments that Marco left are worth looking into