diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
index 308d5ab83eb..56877f10417 100755
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@@ -559,3 +559,7 @@ export ETCD_PROGRESS_NOTIFY_INTERVAL="${ETCD_PROGRESS_NOTIFY_INTERVAL:-10m}"
 # It improves container image pull performance since most time is spent
 # unzipping the image layers to disk.
 export WINDOWS_ENABLE_PIGZ="${WINDOWS_ENABLE_PIGZ:-true}"
+
+# TLS_CIPHER_SUITES defines cipher suites allowed to be used by kube-apiserver.
+# If this variable is unset or empty, kube-apiserver will allow its default set of cipher suites.
+export TLS_CIPHER_SUITES=""
diff --git a/cluster/gce/config-test.sh b/cluster/gce/config-test.sh
index 7a7b28a7d66..86557c905f3 100755
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@@ -595,3 +595,7 @@ export ETCD_PROGRESS_NOTIFY_INTERVAL="${ETCD_PROGRESS_NOTIFY_INTERVAL:-10m}"
 # It improves container image pull performance since most time is spent
 # unzipping the image layers to disk.
 export WINDOWS_ENABLE_PIGZ="${WINDOWS_ENABLE_PIGZ:-true}"
+
+# TLS_CIPHER_SUITES defines cipher suites allowed to be used by kube-apiserver.
+# If this variable is unset or empty, kube-apiserver will allow its default set of cipher suites.
+export TLS_CIPHER_SUITES=""
diff --git a/cluster/gce/gci/configure-kubeapiserver.sh b/cluster/gce/gci/configure-kubeapiserver.sh
index 045ea62b587..eab6932e6d2 100644
--- a/cluster/gce/gci/configure-kubeapiserver.sh
+++ b/cluster/gce/gci/configure-kubeapiserver.sh
@@ -92,6 +92,9 @@ function start-kube-apiserver {
 fi
 params+=" --tls-sni-cert-key=${OLD_MASTER_CERT_PATH},${OLD_MASTER_KEY_PATH}:${old_ips}"
 fi
+ if [[ -n "${TLS_CIPHER_SUITES:-}" ]]; then
+ params+=" --tls-cipher-suites=${TLS_CIPHER_SUITES}"
+ fi
 params+=" --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname"
 if [[ -s "${REQUESTHEADER_CA_CERT_PATH:-}" ]]; then
 params+=" --requestheader-client-ca-file=${REQUESTHEADER_CA_CERT_PATH}"
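Review bot: The new `export TLS_CIPHER_SUITES=""` in config-default.sh unconditionally overwrites the variable, while every neighbouring setting on the same lines (`WINDOWS_ENABLE_PIGZ`, `ETCD_PROGRESS_NOTIFY_INTERVAL`) uses the `"${VAR:-default}"` form so a value already present in the environment survives sourcing. As written, an operator who exports a hardened cipher list before running the cluster scripts would presumably have it silently reset to empty, and the apiserver would fall back to its default suites with nothing in the logs to show the restriction was dropped; the comment above the line ("If this variable is unset or empty...") suggests the intent is to honour an existing value. Follow the file's own pattern: `export TLS_CIPHER_SUITES="${TLS_CIPHER_SUITES:-}"`. The same line is added identically in the config-test.sh hunk and should get the same change.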
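Review bot: The added `params+=" --tls-cipher-suites=${TLS_CIPHER_SUITES}"` in configure-kubeapiserver.sh splices the raw value into a single space-separated string, so a list containing whitespace would be split into separate flags and an unknown or misspelt suite name is only caught when kube-apiserver refuses to start, which is a hard-to-diagnose failure for a security setting. A comment above the `if` would save the next operator that round-trip: `# Comma-separated, no spaces; kube-apiserver rejects unknown suite names at startup, so a typo here leaves the apiserver down rather than falling back to its defaults.` The enclosing function start-kube-apiserver begins before and continues after this hunk.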