
How can I disable weak TLS ciphers on the Kube-apiserver?

Purpose

By default, the kube-apiserver in Kubernetes accepts client connections over TLS v1.2 and the cipher suites that version permits. In some circumstances, you may wish to disable this medium-strength protocol version and its ciphers and only accept TLS v1.3 with its strong cipher suites.

Steps

NOTE: These instructions were tested on BCM 10.24.11a and Kubernetes 1.29.

The kube-apiserver daemon accepts the “tls-min-version” flag to set the minimum version.

In Base Command Manager, this may be applied using the following commands on the headnode:

# cmsh
% configurationoverlay
% use kube-default-master
% roles
% use kubelet
% options /etc/kubernetes/manifests/kube-apiserver.yaml set tls-min-version=VersionTLS13
% commit

After a short period, the kube-apiserver service will restart with the new flag.

Confirming the Change

You may confirm the accepted ciphers with the following script.

# cat check-cmd-ssl.sh
#!/bin/bash
# Try every protocol version / cipher combination against the API server and
# print the ones that complete a handshake. After the change, only tls1_3
# lines should appear. (Modern OpenSSL builds have no -ssl2/-ssl3 options, so
# those attempts simply fail and print nothing.)
server="master:10443"
for v in ssl2 ssl3 tls1 tls1_1 tls1_2 tls1_3; do
  for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
    # Note: -cipher only constrains TLS 1.2 and older. With -tls1_3 a TLS 1.3
    # suite is negotiated regardless of $c, so every cipher name is echoed for tls1_3.
    /cm/local/apps/openssl/bin/openssl s_client -connect $server -cipher $c -$v < /dev/null > /dev/null 2>&1 && echo -e "$v:\t$c"
  done
done

Example Output (truncated for brevity):

tls1_3: ECDHE-ECDSA-AES256-GCM-SHA384
tls1_3: ECDHE-RSA-AES256-GCM-SHA384
tls1_3: DHE-DSS-AES256-GCM-SHA384
tls1_3: DHE-RSA-AES256-GCM-SHA384
tls1_3: ECDHE-ECDSA-CHACHA20-POLY1305
tls1_3: ECDHE-RSA-CHACHA20-POLY1305
tls1_3: DHE-RSA-CHACHA20-POLY1305
tls1_3: ECDHE-ECDSA-AES256-CCM8
tls1_3: ECDHE-ECDSA-AES256-CCM
tls1_3: DHE-RSA-AES256-CCM8
tls1_3: DHE-RSA-AES256-CCM
tls1_3: ECDHE-ECDSA-ARIA256-GCM-SHA384
tls1_3: ECDHE-ARIA256-GCM-SHA384
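As an added example (not from the original article), the following Python probe pins the client to exactly one TLS version per handshake, so it reports TLS 1.3 with its real cipher suite names; openssl's -cipher option only governs TLS 1.2 and older, which is why the tls1_3 lines above carry TLS 1.2-style names. The target host and port, and the evaluate() verdict helper, are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Probe which TLS protocol versions an API server endpoint still accepts.
Added example, not part of the original article."""
import socket
import ssl

# Assumed target; the article's check script uses master:10443.
TARGET = ("master", 10443)

# Labels follow the openssl s_client option names used in the article.
VERSIONS = {
    "tls1": ssl.TLSVersion.TLSv1,
    "tls1_1": ssl.TLSVersion.TLSv1_1,
    "tls1_2": ssl.TLSVersion.TLSv1_2,
    "tls1_3": ssl.TLSVersion.TLSv1_3,
}


def probe(host, port, version, timeout=5.0):
    """Return (negotiated_version, cipher_name), or None if the handshake fails."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # testing the handshake, not the server identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version   # pin the client to a single version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None                     # local OpenSSL no longer offers this version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (OSError, ssl.SSLError):
        return None                     # server (or local policy) rejected it


def evaluate(results, required="tls1_3"):
    """Verdict over {label: probe result}: compliant only if no version below
    the required one completes a handshake and the required one itself works."""
    order = list(VERSIONS)
    weak = [v for v in order[:order.index(required)] if results.get(v)]
    return {"compliant": not weak and bool(results.get(required)), "weak_versions": weak}


if __name__ == "__main__":
    res = {label: probe(*TARGET, ver) for label, ver in VERSIONS.items()}
    for label, r in res.items():
        print(f"{label}: {r[1] if r else 'rejected'}")
    print(evaluate(res))
```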
Updated on August 8, 2025
