BeastCoding
By Tobias Kriebisch

To improve the security of your k3s cluster, you might want to configure Traefik's TLS support to allow only TLS v1.2 or greater.

This can be achieved by deploying a TLSOption with the name default to the default namespace.

apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default
  namespace: default
spec:
  minVersion: VersionTLS12  
  cipherSuites:
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 # TLS 1.2
    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305  # TLS 1.2
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   # TLS 1.2
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305    # TLS 1.2
    - TLS_AES_256_GCM_SHA384                  # TLS 1.3
    - TLS_CHACHA20_POLY1305_SHA256            # TLS 1.3
    - TLS_FALLBACK_SCSV                       # TLS FALLBACK

This will give you an A rating on ssllabs.com (tecbeast.com SSLLabs Report) as of the time of writing this post.
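
To confirm from outside the cluster that the TLSOption is actually being served, the following added example (not part of the original post) pins a client handshake to each protocol version and reports any version below TLS 1.2 that the server still accepts. The host name, the function names and the `@SECLEVEL=0` override are assumptions of this example; a local OpenSSL built without TLS 1.0/1.1 will show those versions as rejected regardless of what the server allows.

```python
import socket
import ssl
import warnings

# Protocol versions to try, oldest first (labels are this example's own).
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def probe(host, port, version, timeout=5.0):
    """True if a handshake pinned to `version` completes, False if the TLS
    layer refuses it. TCP connect errors propagate as OSError so that an
    unreachable host is never mistaken for a rejected protocol."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # only the protocol version is under test,
    ctx.verify_mode = ssl.CERT_NONE  # not the certificate chain
    with warnings.catch_warnings():  # Python deprecates pinning TLS 1.0/1.1
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3.x needs security level 0 to offer TLS 1.0/1.1 at all
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return True
    except (ssl.SSLError, ConnectionResetError):
        return False
    finally:
        sock.close()

def audit(results, minimum="TLSv1.2"):
    """Turn {label: accepted} into a list of findings; empty means compliant."""
    order = list(VERSIONS)
    floor = order.index(minimum)
    findings = [f"{name} accepted but below {minimum}"
                for name in order[:floor] if results.get(name)]
    if not any(results.get(name) for name in order[floor:]):
        findings.append(f"no version at or above {minimum} accepted")
    return findings

if __name__ == "__main__":
    host = "traefik.example.test"  # placeholder: your own ingress host name
    results = {name: probe(host, 443, v) for name, v in VERSIONS.items()}
    print(results, audit(results) or "OK")
```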