How do I enable TLS 1.2 only in Traefik proxy?

Hi everybody,

I recently installed a k3s v1.21.0+k3s1 cluster with the default traefik proxy. I updated the default certificates, which work like a charm.

My network security policies require me to disable the TLS versions 1.0 and 1.1, so I’m trying to set the TLS minVersion to “VersionTLS12”. As advised in the Traefik docs (#minimum-tls-version) I edited the config map, but without success. The versions 1.0 and 1.1 are still served.

The way I check the available TLS versions is:
nmap --script ssl-enum-ciphers -p 443 <traefik-host.example.com>

Are you able to drop me a hint as to what my mistake is? Why doesn’t the router respect the minVersion?

Configmap.yml

kind: ConfigMap
apiVersion: v1
metadata:
  name: traefik
  namespace: kube-system
  labels:
    app: traefik
    app.kubernetes.io/managed-by: Helm
    chart: traefik-1.81.0
    heritage: Helm
    release: traefik
  annotations:
    meta.helm.sh/release-name: traefik
    meta.helm.sh/release-namespace: kube-system
data:
  traefik.toml: |
    # traefik.toml
    logLevel = "info"
    defaultEntryPoints = ["http", "https"]
    [tls]
      [tls.options]
        [tls.options.default]
        minVersion = "VersionTLS12"
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      compress = true
      [entryPoints.https]
      address = ":443"
      compress = true
        [entryPoints.https.tls]
          [[entryPoints.https.tls.certificates]]
          CertFile = "/ssl/tls.crt"
          KeyFile = "/ssl/tls.key"
        minVersion = "VersionTLS12"
      [entryPoints.prometheus]
      address = ":9100"
    [ping]
    entryPoint = "http"
    [kubernetes]
      [kubernetes.ingressEndpoint]
      publishedService = "kube-system/traefik"
    [traefikLog]
      format = "json"
    [metrics]
      [metrics.prometheus]
        entryPoint = "prometheus"

Deployment.yml

kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik
  namespace: kube-system
  labels:
    app: traefik
    app.kubernetes.io/managed-by: Helm
    chart: traefik-1.81.0
    heritage: Helm
    release: traefik
  annotations:
    deployment.kubernetes.io/revision: "3"
    meta.helm.sh/release-name: traefik
    meta.helm.sh/release-namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
      release: traefik
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: traefik
        chart: traefik-1.81.0
        heritage: Helm
        release: traefik
      annotations:
        checksum/config: 160e687e8146d38bb3af5be4fd2fc17a2f4bddb909238f10a72b8755675478de
    spec:
      volumes:
        - name: config
          configMap:
            name: traefik
            defaultMode: 420
        - name: ssl
          secret:
            secretName: traefik-default-cert
            defaultMode: 420
      containers:
        - name: traefik
          image: rancher/library-traefik:1.7.19
          args:
            - --configfile=/config/traefik.toml
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: httpn
              containerPort: 8880
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
            - name: dash
              containerPort: 8080
              protocol: TCP
            - name: metrics
              containerPort: 9100
              protocol: TCP
          resources: {}
          volumeMounts:
            - name: config
              mountPath: /config
            - name: ssl
              mountPath: /ssl
...
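For reference, an editor's note on the traefik.toml posted above (this is an added example, not the poster's file and not Traefik's documentation). Two things in that file work against the goal. First, the top-level [tls] / [tls.options] block is Traefik 2 syntax and has no meaning for the rancher/library-traefik:1.7.19 image the Deployment runs; in Traefik 1.7 the minimum version is a key of [entryPoints.https.tls]. Second, TOML attaches every key to the most recent table header: the minVersion written after [[entryPoints.https.tls.certificates]] belongs to that certificate entry, not to the TLS section, regardless of indentation. The file below keeps the entry points, paths and remaining sections exactly as posted and only moves minVersion to where Traefik 1.7 reads it. After replacing the ConfigMap the pod has to be recreated to pick it up, and the result can be checked with the nmap command from the question (TLS 1.0 and 1.1 should no longer be listed).

```toml
# traefik.toml for Traefik 1.7 with TLS 1.0/1.1 disabled (added example).
# Entry point addresses and certificate paths are the ones from the thread.
logLevel = "info"
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
  compress = true

  [entryPoints.https]
  address = ":443"
  compress = true
    [entryPoints.https.tls]
    # Keys of the TLS section must come BEFORE the first [[...certificates]]
    # header. In TOML each key belongs to the table whose header precedes it,
    # so a minVersion placed after [[entryPoints.https.tls.certificates]]
    # would be read as a field of that certificate, not of the TLS section.
    minVersion = "VersionTLS12"
      [[entryPoints.https.tls.certificates]]
      certFile = "/ssl/tls.crt"
      keyFile = "/ssl/tls.key"

  [entryPoints.prometheus]
  address = ":9100"

[ping]
entryPoint = "http"

[kubernetes]
  [kubernetes.ingressEndpoint]
  publishedService = "kube-system/traefik"

[traefikLog]
  format = "json"

[metrics]
  [metrics.prometheus]
    entryPoint = "prometheus"
```

Because this is the k3s-bundled Traefik, the ConfigMap is owned by a Helm release that k3s manages from its server manifests directory; an edit made directly to the ConfigMap can be reverted when that chart is reconciled, so the change is best carried in the HelmChart/HelmChartConfig values rather than in the rendered ConfigMap alone.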

Hey! Did you get the answer to your question?

I’m trying to “fix” the same thing…

Thanks!

I’m also looking how to disable TLS 1.0 and 1.1 via ingress annotations if possible.

I can’t say with absolute certainty, but this seems like the sort of thing that’d be part of the ingress controller, and you’d need to look at the docs for the ingress controller you’re using in terms of how to disable it.

Did you delete your traefik pod after altering the config?
Also, did you change the manifests in the /var/lib/rancher/k3s/server/manifests directory?