diff --git a/staging/src/k8s.io/apiserver/pkg/server/config.go b/staging/src/k8s.io/apiserver/pkg/server/config.go
index 6efd6e8bef3..cf33ee4b2a9 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/config.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/config.go
@@ -185,6 +185,14 @@ type SecureServingInfo struct {
 
 	// ClientCA is the certificate bundle for all the signers that you'll recognize for incoming client certificates
 	ClientCA *x509.CertPool
+
+	// MinTLSVersion optionally overrides the minimum TLS version supported.
+	// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
+	MinTLSVersion uint16
+
+	// CipherSuites optionally overrides the list of allowed cipher suites for the server.
+	// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
+	CipherSuites []uint16
 }
 
 // NewConfig returns a Config struct with the default values
diff --git a/staging/src/k8s.io/apiserver/pkg/server/serve.go b/staging/src/k8s.io/apiserver/pkg/server/serve.go
index 4a1da40d58e..e5f4b862e1f 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/serve.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/serve.go
@@ -56,6 +56,13 @@ func (s *GenericAPIServer) serveSecurely(stopCh <-chan struct{}) error {
 		},
 	}
 
+	if s.SecureServingInfo.MinTLSVersion > 0 {
+		secureServer.TLSConfig.MinVersion = s.SecureServingInfo.MinTLSVersion
+	}
+	if len(s.SecureServingInfo.CipherSuites) > 0 {
+		secureServer.TLSConfig.CipherSuites = s.SecureServingInfo.CipherSuites
+	}
+
 	if s.SecureServingInfo.Cert != nil {
 		secureServer.TLSConfig.Certificates = []tls.Certificate{*s.SecureServingInfo.Cert}
 	}
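Review bot: The new MinTLSVersion and CipherSuites field comments do not say what the zero value means, even though the serve.go side of this change only applies them when the value is non-zero / non-empty, so an operator reading the struct has to go find that code to learn that 0 and nil mean "keep the crypto/tls default". I would extend the MinTLSVersion comment with `// A zero value leaves the crypto/tls default minimum version in place.` and the CipherSuites comment with `// An empty list leaves the crypto/tls default suite list in place; a non-empty list replaces it entirely, so it must include at least one suite usable with the serving certificate's key type or the server will have no negotiable suite.` Since these are exported fields on a config struct, the documentation is the only contract callers see. The SecureServingInfo definition starts outside the hunk.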
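Review bot: The MinTLSVersion override is copied into TLSConfig.MinVersion with no floor check, so a value below tls.VersionTLS10 (tls.VersionSSL30 is a valid constant, and older Go toolchains still accept it server-side) would weaken the listener rather than harden it; whatever parses the operator's flag presumably validates the name, but that is outside this hunk and this is the last point where a bad value can be refused. Since serveSecurely already returns an error, I would guard here with `if v := s.SecureServingInfo.MinTLSVersion; v > 0 && v < tls.VersionTLS10 {` / `return fmt.Errorf("minimum TLS version %#x is below TLS 1.0", v)` / `}` (assuming fmt is imported in this file; otherwise reject it at the options layer). Separately, assigning TLSConfig.CipherSuites does not by itself make the server's order win: unless PreferServerCipherSuites is set in the literal above, Go versions before 1.17 use the client's preference order, which matters if the intent of the override is to pin a strong suite first. serveSecurely begins and ends outside the hunk.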