From 3847f9cf13c63f4829eebb7a81d461319ddc9261 Mon Sep 17 00:00:00 2001
From: Scott Fleener
Date: Thu, 19 Dec 2024 09:19:09 -0500
Subject: [PATCH] Set minimum TLS version to 1.3 (#13500)

This helps ensure a minimum level of security. The two places this affects is our controller webhook and linkerd-viz tap API. The controller requires that kube-api supports TLSv1.3, which it does as of 1.19 (our minimum is currently 1.22). The linkerd-viz tap API is mostly used internally, and is deprecated. It may be worth revisiting if we want to keep it around at all.

Signed-off-by: Scott Fleener
---
 controller/webhook/server.go | 2 +-
 controller/webhook/server_test.go | 2 +-
 viz/tap/api/server.go | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/controller/webhook/server.go b/controller/webhook/server.go
index 664d1d1ea1325..8263e92f9be4e 100644
--- a/controller/webhook/server.go
+++ b/controller/webhook/server.go
@@ -65,7 +65,7 @@ func NewServer(
 Addr: addr,
 ReadHeaderTimeout: 15 * time.Second,
 TLSConfig: &tls.Config{
- MinVersion: tls.VersionTLS12,
+ MinVersion: tls.VersionTLS13,
 },
 }
diff --git a/controller/webhook/server_test.go b/controller/webhook/server_test.go
index 977206c616ccf..375f1257a5a57 100644
--- a/controller/webhook/server_test.go
+++ b/controller/webhook/server_test.go
@@ -18,7 +18,7 @@ var mockHTTPServer = &http.Server{
 Addr: ":0",
 ReadHeaderTimeout: 15 * time.Second,
 TLSConfig: &tls.Config{
- MinVersion: tls.VersionTLS12,
+ MinVersion: tls.VersionTLS13,
 },
 }
diff --git a/viz/tap/api/server.go b/viz/tap/api/server.go
index 42b2113c21af5..0a04b42d5f1e0 100644
--- a/viz/tap/api/server.go
+++ b/viz/tap/api/server.go
@@ -74,7 +74,7 @@ func NewServer(
 TLSConfig: &tls.Config{
 ClientAuth: tls.VerifyClientCertIfGiven,
 ClientCAs: clientCertPool,
- MinVersion: tls.VersionTLS12,
+ MinVersion: tls.VersionTLS13,
 },
 }
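Review bot: The new `MinVersion: tls.VersionTLS13` in controller/webhook/server.go has no comment saying which client it constrains, so the compatibility reasoning exists only in the commit message; I would add `// TLS 1.3 floor: the only expected client is kube-apiserver, which supports it since 1.19.` above the field. A client that cannot negotiate 1.3 now fails the handshake, and whether that blocks admission or silently skips the webhook depends on the webhook's failurePolicy, which is not visible in this diff and is worth confirming. The server_test.go hunk only mirrors the same constant in `mockHTTPServer`, so nothing shown here checks that a TLS 1.2 handshake is actually refused. NewServer's body starts and ends outside the hunk.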
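Review bot: In viz/tap/api/server.go the raised floor sits next to `ClientAuth: tls.VerifyClientCertIfGiven`, which still lets a handshake complete when the client presents no certificate, so the version bump alone does not authenticate callers. Presumably the request handlers reject unauthenticated peers, but that code is outside this hunk; a comment such as `// Certificate is optional at the handshake; handlers must authorize the peer.` on the ClientAuth line would make the dependency explicit. NewServer's body starts and ends outside the hunk.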