How can I disable TLS 1.0 and TLS 1.1 from an ingress resource definition using annotations? For example I already have the following annotations on an example ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-cluster
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    traefik.ingress.kubernetes.io/router.tls.certresolver: le
...
Hi @nodesocket,
Thanks for your interest in Traefik.
On TLS, you can specify several options to support different cipher suites or to accept only some versions. In k8s you have to add an annotation on your ingress, and create a resource defining the TLS options. I suggest you have a look at this documentation: Traefik TLS Documentation - Traefik.
@moutoum if I create the global Kubernetes resource:
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default
  namespace: default
spec:
  minVersion: VersionTLS12
I assume I need to re-install Traefik with the helm chart after? Does the above Kubernetes resource apply to ALL ingress endpoints in the cluster? Is there a way to pick and choose which ingress endpoints the above minVersion applies to?
@nodesocket When you create a TLSOption, you then have to apply it using kubectl apply -f <your-file>.
Then you have to link the TLS option to an ingress. You can do this by adding an annotation on your ingress and applying your ingress as well:
traefik.ingress.kubernetes.io/router.tls.options: <resource-namespace>-<resource-name>@kubernetescrd
With this, only the ingresses using the option are affected by the minVersion. You don't need to restart Traefik, as ingresses are part of the dynamic config, which is computed on the fly based on the Kubernetes events.
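One way to check the result of the steps in the reply above, as an added example that is not part of the original thread or of Traefik itself: a small audit that reports, for each TLS-enabled ingress, whether its router.tls.options annotation points at an existing TLSOption with a minVersion of at least VersionTLS12. The sample data is constructed and shaped like the output of `kubectl get ingress -A -o json` and `kubectl get tlsoptions -A -o json`; the function names and the `floor` parameter are assumptions of this example.

```python
TLS_ANN = "traefik.ingress.kubernetes.io/router.tls"
OPT_ANN = "traefik.ingress.kubernetes.io/router.tls.options"
ORDER = ["VersionTLS10", "VersionTLS11", "VersionTLS12", "VersionTLS13"]

def option_ref(namespace, name):
    """Annotation value format from the thread: <namespace>-<name>@kubernetescrd."""
    return f"{namespace}-{name}@kubernetescrd"

def audit(ingresses, tls_options, floor="VersionTLS12"):
    """Return {namespace/name: finding} for every TLS-enabled ingress."""
    # Index TLSOptions by their exact reference string. Namespaces and names
    # may contain hyphens, so the annotation is looked up, never split.
    known = {
        option_ref(o["metadata"]["namespace"], o["metadata"]["name"]):
            o.get("spec", {}).get("minVersion")
        for o in tls_options["items"]
    }
    findings = {}
    for ing in ingresses["items"]:
        meta = ing["metadata"]
        ann = meta.get("annotations", {})
        if ann.get(TLS_ANN) != "true":
            continue  # router.tls not enabled on this ingress
        key = f'{meta["namespace"]}/{meta["name"]}'
        ref = ann.get(OPT_ANN)
        if ref is None:
            findings[key] = "no router.tls.options annotation"
        elif ref not in known:
            findings[key] = f"references unknown TLSOption {ref}"
        elif known[ref] not in ORDER or ORDER.index(known[ref]) < ORDER.index(floor):
            findings[key] = f"minVersion {known[ref]} is below {floor}"
        else:
            findings[key] = "ok"
    return findings

def _ing(ns, name, ann):
    return {"metadata": {"namespace": ns, "name": name, "annotations": ann}}

# Constructed sample data (not taken from a real cluster).
SAMPLE_OPTIONS = {"items": [
    {"metadata": {"namespace": "default", "name": "default"}, "spec": {"minVersion": "VersionTLS12"}},
    {"metadata": {"namespace": "legacy", "name": "old-clients"}, "spec": {"minVersion": "VersionTLS10"}},
]}
SAMPLE_INGRESSES = {"items": [
    _ing("default", "example-cluster", {TLS_ANN: "true", OPT_ANN: "default-default@kubernetescrd"}),
    _ing("default", "no-options", {TLS_ANN: "true"}),
    _ing("legacy", "shop", {TLS_ANN: "true", OPT_ANN: "legacy-old-clients@kubernetescrd"}),
    _ing("default", "typo", {TLS_ANN: "true", OPT_ANN: "default-defualt@kubernetescrd"}),
    _ing("default", "plain-http", {}),
]}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_INGRESSES, SAMPLE_OPTIONS).items():
        print(f"{name}: {finding}")
```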