From 89c299d7e98bccdac4781c92daf0051ae0bbd036 Mon Sep 17 00:00:00 2001
From: Derek Nola
Date: Wed, 17 Jul 2024 10:51:31 -0700
Subject: [PATCH] x

Signed-off-by: Derek Nola
---
 package/cfg/k3s-cis-1.24-hardened/node.yaml | 2 +-
 package/cfg/k3s-cis-1.24-permissive/node.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/cfg/k3s-cis-1.24-hardened/node.yaml b/package/cfg/k3s-cis-1.24-hardened/node.yaml
index 894432f6..82c87ea4 100644
--- a/package/cfg/k3s-cis-1.24-hardened/node.yaml
+++ b/package/cfg/k3s-cis-1.24-hardened/node.yaml
@@ -422,7 +422,7 @@ groups:
 remediation: |
 If using a K3s config file /etc/rancher/k3s/config.yaml, edit the file to set `TLSCipherSuites` to
 kubelet-arg:
- - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
+ - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
 or to a subset of these values.
 If using the command line, add the K3s flag --kubelet-arg="tls-cipher-suites="
 Based on your system, restart the k3s service. For example,
diff --git a/package/cfg/k3s-cis-1.24-permissive/node.yaml b/package/cfg/k3s-cis-1.24-permissive/node.yaml
index 4b7ba1b7..17303b9e 100644
--- a/package/cfg/k3s-cis-1.24-permissive/node.yaml
+++ b/package/cfg/k3s-cis-1.24-permissive/node.yaml
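Review bot: The remediation text now prescribes a cipher list without the two `TLS_RSA_WITH_*` suites, but the `tests:` block the scanner evaluates for this check sits outside the hunk, so nothing here shows that its expected value was updated to match; if it still lists the old eight suites, a node configured exactly as this text instructs would be reported as failing while a node still offering the non-forward-secret RSA suites would keep passing. Worth confirming in the same commit, and the same applies to the permissive hunk at line 2. The context line `--kubelet-arg="tls-cipher-suites="` shows an empty value, which may be a placeholder lost in rendering; if the file really reads that way it should carry the list, e.g. `--kubelet-arg="tls-cipher-suites=<same list as above>"`. The commit subject `x` gives no rationale for dropping the RSA suites and reordering the rest; a one-line explanation would help whoever reconciles this with the benchmark's expected value.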
@@ -428,7 +428,7 @@ groups:
 remediation: |
 If using a K3s config file /etc/rancher/k3s/config.yaml, edit the file to set `TLSCipherSuites` to
 kubelet-arg:
- - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
+ - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
 or to a subset of these values.
 If using the command line, add the K3s flag --kubelet-arg="tls-cipher-suites="
 Based on your system, restart the k3s service. For example,