How do I enable TLS 1.2 only in traefik proxy

Hi everybody,

I recently installed a k3s v1.21.0+k3s1 cluster with the default traefik proxy. I updated the default certificates, which work like a charm.

My network security policies require me to disable the TLS versions 1.0 and 1.1, so I’m trying to set the TLS minVersion to “VersionTLS12”. As advised in the traefik docs #minimum-tls-version I edited the config map, but without success. The versions 1.0 and 1.1 are still served.

The way I check the available TLS versions is
nmap --script ssl-enum-ciphers -p 443 <traefik-host.example.com>.

Are you able to give me a hint as to what my mistake is? Why doesn’t the router respect the minVersion?

Configmap.yml

kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik
  namespace: kube-system
  labels:
    app: traefik
    app.kubernetes.io/managed-by: Helm
    chart: traefik-1.81.0
    heritage: Helm
    release: traefik
  annotations:
    meta.helm.sh/release-name: traefik
    meta.helm.sh/release-namespace: kube-system
data:
  traefik.toml: |
    # traefik.toml
    logLevel = "info"
    defaultEntryPoints = ["http", "https"]
    [tls]
      [tls.options]
        [tls.options.default]
        minVersion = "VersionTLS12"
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      compress = true
      [entryPoints.https]
      address = ":443"
      compress = true
        [entryPoints.https.tls]
          [[entryPoints.https.tls.certificates]]
          CertFile = "/ssl/tls.crt"
          KeyFile = "/ssl/tls.key"
        minVersion = "VersionTLS12"
      [entryPoints.prometheus]
      address = ":9100"
    [ping]
    entryPoint = "http"
    [kubernetes]
      [kubernetes.ingressEndpoint]
      publishedService = "kube-system/traefik"
    [traefikLog]
      format = "json"
    [metrics]
      [metrics.prometheus]
        entryPoint = "prometheus"

Deployment.yml

kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik
  namespace: kube-system
  labels:
    app: traefik
    app.kubernetes.io/managed-by: Helm
    chart: traefik-1.81.0
    heritage: Helm
    release: traefik
  annotations:
    deployment.kubernetes.io/revision: "3"
    meta.helm.sh/release-name: traefik
    meta.helm.sh/release-namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
      release: traefik
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: traefik
        chart: traefik-1.81.0
        heritage: Helm
        release: traefik
      annotations:
        checksum/config: 160e687e8146d38bb3af5be4fd2fc17a2f4bddb909238f10a72b8755675478de
    spec:
      volumes:
        - name: config
          configMap:
            name: traefik
            defaultMode: 420
        - name: ssl
          secret:
            secretName: traefik-default-cert
            defaultMode: 420
      containers:
        - name: traefik
          image: rancher/library-traefik:1.7.19
          args:
            - --configfile=/config/traefik.toml
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: httpn
              containerPort: 8880
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
            - name: dash
              containerPort: 8080
              protocol: TCP
            - name: metrics
              containerPort: 9100
              protocol: TCP
          resources: {}
          volumeMounts:
            - name: config
              mountPath: /config
            - name: ssl
              mountPath: /ssl
...