Why is this so difficult? disable TLS 1.0 and 1.1 w/ Kubernetes Ingress + Traefik 2.6.3

Ok, burned at least 8+ hours on this so far and losing my mind:

I simply want to disable TLS 1.0/1.1 globally for traefik. No matter what I do, when running testssl.sh or using any available TLS eval tool, TLS 1.0 and 1.1 are still enabled...

  1. I'm starting traefik 2.6.3 w/ the helm chart on k8s

  2. I've read about every post on the internet about this + the docs and tried about every combination of ingress annotation... and what seems available in the chart... this should be much simpler.

Can anyone provide an example of how they have successfully disabled TLS 1.0 and 1.1 on Kubernetes for any Ingress that is deployed including the default when no SNI is provided?

I've tried all the following:

 kubectl get tlsoption default -n traefik -o yaml
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  annotations:
    meta.helm.sh/release-name: traefik-external
    meta.helm.sh/release-namespace: traefik
  creationTimestamp: "2022-06-09T01:41:11Z"
  generation: 1
  labels:
    app.kubernetes.io/instance: traefik-external
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: traefik
    helm.sh/chart: traefik-10.19.4
  name: default
  namespace: traefik
  resourceVersion: "743225"
  uid: edda0817-db65-42df-85d0-140c35c70696
spec:
  minVersion: VersionTLS13

along w/ the following annotation on any Ingress:

traefik.ingress.kubernetes.io/router.tls.options: traefik-default@kubernetescrd

or this variant:

traefik.ingress.kubernetes.io/router.tls.options: default

I've tried setting the following in the helm chart as well

this...

--entrypoints.websecure.http.tls.options=default

or this variant...

--entrypoints.websecure.http.tls.options=traefik-default@kubernetescrd

lost with this...

I configured this using a dynamic configuration file.

I created a ConfigMap with the following content:

apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-dynamicconfig
  labels:
    ...
data:
  # ConfigMap values must be strings, so the YAML file goes in a literal block (|)
  tls.yml: |
    tls:
      options:
        default:
          minVersion: VersionTLS12
          cipherSuites:
            # TLS 1.2 ciphers
            - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
            - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
            - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
            - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
            - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
            # TLS 1.3 ciphers
            - TLS_AES_128_GCM_SHA256
            - TLS_AES_256_GCM_SHA384
            - TLS_CHACHA20_POLY1305_SHA256
      certificates:
        ...

I then did the following in the values.yaml for the Helm chart to mount and read this config:

...
volumes:
  - name: traefik-dynamicconfig
    mountPath: /etc/traefik/dynamic/
    type: configMap
...
additionalArguments:
  ...
  # read dynamic configuration from files in this directory
  - "--providers.file.directory=/etc/traefik/dynamic/"
...

(I also use this to load some default middlewares that I can either use manually on any ingress(route) or that are enabled by default on all routes with additionalArgument "--entryPoints.websecure.http.middlewares=name-of-my-default-middleware@file")

Hope you can find some inspiration here.

Best,
Max

Looking at the documentation, your default TLSOption resource should work out-of-the-box without any configuration in Traefik though:

When using the TLSOption resource in Kubernetes, one might set up a default set of options that, if not explicitly overwritten, should apply to all ingresses.
To achieve that, you'll have to create a TLSOption resource with the name default. There may exist only one TLSOption with the name default (across all namespaces) - otherwise they will be dropped.

Source: Traefik TLS Documentation - Traefik

Are you sure you only have one TLSOption named default across all your namespaces? Maybe that's the issue?

Best,
Max

I just saw that the Helm chart has the option to set this directly in it:

tlsOptions:
  default:
    minVersion: VersionTLS12
    cipherSuites:
      # TLS 1.2 ciphers
      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
      - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      # TLS 1.3 ciphers
      - TLS_AES_128_GCM_SHA256
      - TLS_AES_256_GCM_SHA384
      - TLS_CHACHA20_POLY1305_SHA256

Please note: if you are using Cloudflare in front of your Traefik server, then you need to configure these settings in Cloudflare, not in Traefik. I spent a whole day configuring TLSOptions in Traefik and realized I was getting a B grade because of Cloudflare's configured settings.
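Once a TLSOption is in place, the practical check is the one the original post was already doing with testssl.sh: offer the endpoint each protocol version on its own and see which handshakes complete. Below is an added Python example (not from this thread or from Traefik) that does this with the standard library; run it against the hostname a client would actually use, because if Cloudflare or another proxy terminates TLS in front of Traefik, the result reflects that proxy's policy, which is the situation the last reply describes. The host `example.invalid` and the use of port 443 are placeholders.

```python
import socket
import ssl

# Oldest first, so the report reads top-down.
VERSIONS = [
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]


def handshake_at(host, port, version, server_name=None, timeout=5.0):
    """True if the server completes a handshake pinned to `version`,
    False if it refuses, None if this client cannot even offer it."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False   # testing protocol support, not the cert
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ssl.SSLError, ValueError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=server_name or host):
                return True
    except (ssl.SSLError, OSError):
        return False


def probe_versions(host, port=443, server_name=None):
    """Map each version name to True/False/None as returned by handshake_at."""
    return {name: handshake_at(host, port, v, server_name) for name, v in VERSIONS}


def legacy_versions_accepted(results):
    """Names of versions below TLS 1.2 that the endpoint still negotiated."""
    return [name for name in ("TLS 1.0", "TLS 1.1") if results.get(name) is True]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"  # placeholder
    results = probe_versions(target)
    for name, outcome in results.items():
        print(f"{name}: {({True: 'accepted', False: 'rejected', None: 'untestable'})[outcome]}")
    print("FAIL" if legacy_versions_accepted(results) else "PASS")
```

A TLS 1.0 or 1.1 result of "untestable" means your own OpenSSL build no longer offers that version, so use a second client (testssl.sh, or openssl s_client -tls1 on an older build) to confirm the server side.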