How To
Summary
You can use the tasks in this section to create MachineConfig objects that modify files, systemd unit files, and other operating system features running on OpenShift Container Platform nodes.
Objective
Create the file /etc/ssl/openssl.cnf on worker and master nodes with the following contents:
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=1
Environment
OpenShift Container Platform (OCP) 4.x
Steps
1 -- Create the contents of the openssl.cnf file and encode it as base64.
$ cat << EOF | base64
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=1
EOF
Output
W3N5c3RlbV9kZWZhdWx0X3NlY3RdCk1pblByb3RvY29sID0gVExTdjEuMgpDaXBoZXJTdHJpbmcgPSBERUZBVUxUQFNFQ0xFVkVMPTEK
2 -- Create the MachineConfig object file, replacing the base64 string with the one you just created. Create MachineConfig files for each type of machine that your cluster uses. This example, for worker nodes, creates 96-openssl-cnf-worker.yaml:
$ cat << EOF > ./96-openssl-cnf-worker.yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker
  name: 96-openssl-cnf-worker
spec:
  config:
    ignition:
      config: {}
      security:
        tls: {}
      timeouts: {}
      version: 3.1.0
    networkd: {}
    passwd: {}
    storage:
      files:
      - contents:
          source: data:text/plain;charset=utf-8;base64,W3N5c3RlbV9kZWZhdWx0X3NlY3RdCk1pblByb3RvY29sID0gVExTdjEuMgpDaXBoZXJTdHJpbmcgPSBERUZBVUxUQFNFQ0xFVkVMPTEK
        mode: 420
        overwrite: true
        path: /etc/ssl/openssl.cnf
  osImageURL: ""
EOF
Example for a master node; create 96-openssl-cnf-master.yaml:
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 96-openssl-cnf-master
spec:
  config:
    ignition:
      config: {}
      security:
        tls: {}
      timeouts: {}
      version: 3.1.0
    networkd: {}
    passwd: {}
    storage:
      files:
      - contents:
          source: data:text/plain;charset=utf-8;base64,W3N5c3RlbV9kZWZhdWx0X3NlY3RdCk1pblByb3RvY29sID0gVExTdjEuMgpDaXBoZXJTdHJpbmcgPSBERUZBVUxUQFNFQ0xFVkVMPTEK
        mode: 420
        overwrite: true
        path: /etc/ssl/openssl.cnf
  osImageURL: ""
$ oc apply -f ./96-openssl-cnf-worker.yaml
$ oc apply -f ./96-openssl-cnf-master.yaml
Note that all the nodes in the group will restart consecutively as the changes are applied to CoreOS.
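As an added example (not part of the original document), the following shell check decodes the base64 payload embedded in a MachineConfig file and reports what the OpenSSL settings allow, so the file can be reviewed before oc apply is run. The function names and the temporary sample file are constructed for illustration; the SECLEVEL finding follows OpenSSL's documented security levels.

```shell
#!/bin/sh
# Added example: review the openssl.cnf embedded in a MachineConfig before applying it.
# Function names and the sample file are constructed for illustration.

# Print the decoded contents of the first base64 data URL in the file.
decode_mc_payload() {
    sed -n 's/^[[:space:]]*source:[[:space:]]*data:[^,]*;base64,//p' "$1" |
        head -n 1 | base64 -d
}

# Read openssl.cnf text on stdin and print the value of key $1.
cnf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Print findings for the embedded settings; return 0 only when there are none.
review_mc_openssl() {
    payload=$(decode_mc_payload "$1")
    [ -n "$payload" ] || { echo "no base64 payload found in $1"; return 2; }
    proto=$(printf '%s\n' "$payload" | cnf_value MinProtocol)
    level=$(printf '%s\n' "$payload" | cnf_value CipherString |
        sed -n 's/.*@SECLEVEL=\([0-9][0-9]*\).*/\1/p')
    rc=0
    case "$proto" in
        TLSv1.2|TLSv1.3) ;;
        *) echo "MinProtocol='$proto' does not enforce TLS 1.2 or later"; rc=1 ;;
    esac
    # OpenSSL level 1 accepts 1024-bit RSA/DH keys; level 2 requires 2048 bits.
    if [ -n "$level" ] && [ "$level" -lt 2 ]; then
        echo "SECLEVEL=$level accepts 1024-bit RSA/DH keys; confirm this is intended"
        rc=1
    fi
    return $rc
}

# Constructed sample: the storage entry from the worker MachineConfig on this page.
sample=$(mktemp)
cat > "$sample" << 'EOF'
      files:
      - contents:
          source: data:text/plain;charset=utf-8;base64,W3N5c3RlbV9kZWZhdWx0X3NlY3RdCk1pblByb3RvY29sID0gVExTdjEuMgpDaXBoZXJTdHJpbmcgPSBERUZBVUxUQFNFQ0xFVkVMPTEK
        mode: 420
        overwrite: true
        path: /etc/ssl/openssl.cnf
EOF
decode_mc_payload "$sample"
review_mc_openssl "$sample" || echo "review the findings above before running oc apply"
```

Point review_mc_openssl at 96-openssl-cnf-worker.yaml and 96-openssl-cnf-master.yaml; a non-zero exit status means at least one setting needs a deliberate sign-off.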
Document Location
Worldwide
Document Information
Modified date:
03 July 2021
UID
ibm16469645