Overview
By default, the Traefik instance in DKP 2.x is configured to accept TLS 1.1 connections for all ingresses that are configured to use TLS.
However, some organizations have security policies that discourage the use of TLS 1.1. Traefik can be configured to accept only TLS 1.2 or later, and to restrict the accepted cipherSuites and other TLS parameters.
Solution
You can configure the minimum TLS version accepted by Traefik on all ingresses by creating the following default TLSOption resource:
traefik_min_tls.yaml:
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default
  namespace: kommander
spec:
  minVersion: VersionTLS12
Then apply the TLSOption to the cluster as follows:
kubectl apply -f traefik_min_tls.yaml
Using the same mechanism, it is possible to configure the cipherSuites that are accepted and other parameters of TLS connections.
See the Traefik documentation for more information.
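The same default TLSOption extended with a cipherSuites list, as an added example that is not part of the original article. The suite selection (ECDHE key exchange with AES-GCM only) is an assumption to adapt to your own policy; the resource name, namespace and apiVersion are the ones used above.

```yaml
# Added example: the default TLSOption from above, with an explicit cipher suite list.
# The suites chosen here are an assumed policy, not a DKP or Traefik default.
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default          # "default" applies to every TLS ingress that does not reference another TLSOption
  namespace: kommander
spec:
  # Reject TLS 1.0 and TLS 1.1 handshakes.
  minVersion: VersionTLS12
  # Applies to TLS 1.2 connections only; TLS 1.3 cipher suites are not configurable in Traefik.
  # Forward-secret (ECDHE) AEAD suites; CBC, RC4 and 3DES suites are left out.
  cipherSuites:
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
```

After applying it, `openssl s_client -connect <ingress-host>:443 -tls1_1` should fail the handshake, while the same command with `-tls1_2` should complete and report one of the listed suites.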