k8s nginx ingress configure TLS

With no TLS settings in the ConfigMap, the nginx ingress controller on k8s defaults to TLS 1.2 only; TLS 1.0 and TLS 1.1 are not offered.

The default nginx-config ConfigMap (in some deployments it is named nginx-configuration) looks like this:

apiVersion: v1
data:
  allow-backend-server-header: 'true'
  enable-underscores-in-headers: 'true'
  generate-request-id: 'true'
  http-redirect-code: '301'
  ignore-invalid-headers: 'true'
  max-worker-connections: '65536'
  proxy-body-size: 20m
  proxy-connect-timeout: '10'
  reuse-port: 'true'
  server-tokens: 'false'
  ssl-redirect: 'false'
  worker-cpu-affinity: auto
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"v1","data":{"allow-backend-server-header":"true","enable-underscores-in-headers":"true","generate-request-id":"true","ignore-invalid-headers":"true","max-worker-connections":"65536","proxy-body-size":"20m","proxy-connect-timeout":"10","reuse-port":"true","server-tokens":"false","ssl-redirect":"false","worker-cpu-affinity":"auto"},"kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app":"ingress-nginx"},"name":"nginx-configuration","namespace":"kube-system"}}
  labels:
    app: ingress-nginx
  name: nginx-configuration
  namespace: kube-system
  selfLink: /api/v1/namespaces/kube-system/configmaps/nginx-configuration

According to the official documentation, enabling TLS 1.0 and TLS 1.1 means changing the nginx-config ConfigMap and then restarting the controller container. The documentation says:

To provide the most secure baseline configuration possible, nginx-ingress defaults to using TLS 1.2 only and a secure set of TLS ciphers.

The default configuration, though secure, does not support some older browsers and operating systems.

For instance, TLS 1.1+ is only enabled by default from Android 5.0 on. At the time of writing, May 2018, approximately 15% of Android devices are not compatible with nginx-ingress's default configuration.

To change this default behavior, use a ConfigMap.

A sample ConfigMap fragment to allow these older clients to connect could look something like the following:
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-config
data:
  ssl-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
  ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2"

To avoid breaking your existing setup, do not copy this fragment over your ConfigMap as a replacement: applied on its own it would drop every other key in data. Merge the two keys into the configuration you already have.

With ssl-ciphers and ssl-protocols added to the original configuration, the ConfigMap becomes:

apiVersion: v1
data:
  allow-backend-server-header: 'true'
  enable-underscores-in-headers: 'true'
  generate-request-id: 'true'
  http-redirect-code: '301'
  ignore-invalid-headers: 'true'
  max-worker-connections: '65536'
  proxy-body-size: 20m
  proxy-connect-timeout: '10'
  reuse-port: 'true'
  server-tokens: 'false'
  ssl-ciphers: >-
    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
  ssl-protocols: TLSv1 TLSv1.1 TLSv1.2
  ssl-redirect: 'false'
  worker-cpu-affinity: auto
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"v1","data":{"allow-backend-server-header":"true","enable-underscores-in-headers":"true","generate-request-id":"true","ignore-invalid-headers":"true","max-worker-connections":"65536","proxy-body-size":"20m","proxy-connect-timeout":"10","reuse-port":"true","server-tokens":"false","ssl-redirect":"false","worker-cpu-affinity":"auto"},"kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app":"ingress-nginx"},"name":"nginx-configuration","namespace":"kube-system"}}
  labels:
    app: ingress-nginx
  name: nginx-configuration
  namespace: kube-system
  selfLink: /api/v1/namespaces/kube-system/configmaps/nginx-configuration

 

Once both keys are in the ConfigMap, restart the nginx-ingress controller pods so the new settings take effect (the controller also watches its ConfigMap and reloads nginx on changes, so you can check the controller log instead if you prefer not to restart). Keep in mind that TLS 1.0 and TLS 1.1 are deprecated (RFC 8996) and that this cipher list re-enables 3DES and non-forward-secret suites: treat it as a temporary concession to the legacy clients and go back to the default once they are gone.
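The procedure above (merge the two keys into the existing ConfigMap instead of replacing it, restart, then confirm what the ingress actually accepts) as an added example in Python. This is not code from the original post or from the ingress-nginx project. The ConfigMap data is reconstructed from the YAML shown earlier; applying the change with kubectl patch and a JSON merge patch, the hostname passed on the command line, and the function names (lost_keys, merge_patch, audit_protocols, expand_ciphers, weak_ciphers, probe_protocol) are assumptions made here. Beyond the post, it has the local OpenSSL expand the ssl-ciphers string so you can see which suites the legacy list really turns on.

```python
"""Merge the legacy TLS keys into the ingress-nginx ConfigMap without losing the
rest of it, audit what they enable, and probe the ingress afterwards.

Added example for this post; not code from the article or from ingress-nginx.
"""
import json
import socket
import ssl
import sys

# Constructed: the `data` block of the default ConfigMap shown above, as
# `kubectl get cm nginx-configuration -n kube-system -o json` returns it.
EXISTING_DATA = {
    "allow-backend-server-header": "true",
    "enable-underscores-in-headers": "true",
    "generate-request-id": "true",
    "http-redirect-code": "301",
    "ignore-invalid-headers": "true",
    "max-worker-connections": "65536",
    "proxy-body-size": "20m",
    "proxy-connect-timeout": "10",
    "reuse-port": "true",
    "server-tokens": "false",
    "ssl-redirect": "false",
    "worker-cpu-affinity": "auto",
}

# The two keys from the legacy-tls fragment in the ingress-nginx docs.
LEGACY_PROTOCOLS = "TLSv1 TLSv1.1 TLSv1.2"
LEGACY_CIPHERS = ":".join([
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-DSS-AES128-GCM-SHA256", "kEDH+AESGCM",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA", "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA", "ECDHE-ECDSA-AES256-SHA",
    "DHE-RSA-AES128-SHA256", "DHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA256",
    "DHE-RSA-AES256-SHA256", "DHE-DSS-AES256-SHA", "DHE-RSA-AES256-SHA",
    "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256", "AES256-SHA256",
    "AES128-SHA", "AES256-SHA", "AES", "CAMELLIA", "DES-CBC3-SHA",
    "!aNULL", "!eNULL", "!EXPORT", "!DES", "!RC4", "!MD5", "!PSK", "!aECDH",
    "!EDH-DSS-DES-CBC3-SHA", "!EDH-RSA-DES-CBC3-SHA", "!KRB5-DES-CBC3-SHA",
])


def lost_keys(existing, fragment):
    """Keys that vanish if `fragment` is applied as a whole-object replacement,
    which is what `kubectl apply` of the two-key fragment amounts to."""
    return sorted(set(existing) - set(fragment))


def merge_patch(overrides):
    """Body for `kubectl patch cm nginx-configuration -n kube-system --type merge -p`:
    a JSON merge patch touches only the keys listed, the rest of `data` survives."""
    return json.dumps({"data": overrides}, sort_keys=True)


def audit_protocols(protocols):
    """Versions in an `ssl-protocols` value that RFC 8996 deprecates."""
    return sorted({"TLSv1", "TLSv1.1"} & set(protocols.split()))


def expand_ciphers(cipher_string):
    """Have the local OpenSSL parse the `ssl-ciphers` string (the same grammar
    nginx hands to OpenSSL) and return the cipher names it resolves to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(names):
    """Entries without forward secrecy (static RSA key exchange) or using 3DES.
    TLS 1.3 suites (TLS_*) always use an ephemeral key exchange."""
    return [n for n in names
            if "DES-CBC3" in n or not n.startswith(("ECDHE-", "DHE-", "TLS_"))]


def probe_protocol(host, port, version, timeout=5):
    """One handshake pinned to `version`; True if the ingress accepts it.
    Certificate checks are off because the question is the protocol, not trust.
    @SECLEVEL=0 is needed on OpenSSL 1.1+/3.x to even offer TLS 1.0/1.1."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        ctx.set_ciphers(LEGACY_CIPHERS + ":@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        return False


if __name__ == "__main__":
    fragment = {"ssl-protocols": LEGACY_PROTOCOLS, "ssl-ciphers": LEGACY_CIPHERS}
    print("keys a plain replace would drop:", lost_keys(EXISTING_DATA, fragment))
    print("kubectl patch cm nginx-configuration -n kube-system --type merge -p '%s'"
          % merge_patch(fragment))
    print("deprecated protocols enabled:", audit_protocols(LEGACY_PROTOCOLS))
    names = expand_ciphers(LEGACY_CIPHERS)
    print(len(names), "ciphers resolved; no PFS or 3DES:", weak_ciphers(names))
    if len(sys.argv) > 1:  # python3 tls_check.py <ingress-host> [port]
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
            print(v.name, "accepted" if probe_protocol(host, port, v) else "refused")
```

Run it with no arguments to get the kubectl patch command and the offline audit; pass the ingress hostname (assumed here) after the controller restart to see which of the three versions the ingress now accepts. The merge patch is the non-destructive way to apply the two keys, since kubectl apply with the short fragment would prune the other keys recorded in last-applied-configuration.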

 

Reference document: https://kubernetes.github.io/ingress-nginx/user-guide/tls/#legacy-tls


Source: www.cnblogs.com/lyc94620/p/11345124.html