Disable TLS 1.0/1.1 via ingress annotations

How can I disable TLS 1.0 and TLS 1.1 from an ingress resource definition using annotations? For example I already have the following annotations on an example ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
  name: example-cluster
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    traefik.ingress.kubernetes.io/router.tls.certresolver: le


Hi @nodesocket,
Thanks for your interest in Traefik.

On TLS, you can specify several options to support different cipher suites or to accept only some versions. In k8s you have to add an annotation on your ingress, and create a resource defining the TLS options. I suggest you to have a look to this documentation: Traefik TLS Documentation - Traefik.

@moutoum if I create the global Kubernetes resource:

apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
  name: default
  namespace: default

  minVersion: VersionTLS12

I assume I need to re-install Traefik with the helm chart after? Does the above Kubernetes resource apply to ALL ingress endpoints in the cluster? Is there a way to pick and choose which ingress endpoints the above minVersion applies to?

@nodesocket When you create a TLSOption, you have then to apply it using kubectl apply -f <your-file>.
Then you have to link the TLS option to an ingress. You can do this by adding an annotation on your ingress and apply your ingress aswell:

traefik.ingress.kubernetes.io/router.tls.options: <resource-namespace>-<resource-name>@kubernetescrd

With this, only the ingresses using the option are affected by the minVersion. You don't need to restart traefik as ingresses are part of the dynamic config which is computed on the fly based on the kubernetes events.

1 Like