All three pod identity webhooks and the kube-rbac-proxy pods are using default TLS configuration, which is controlled by the built-in golang crypto/tls package. In order to be prepared for Post-Quantum Cryptography (PQC), they need to be configured to use the same TLS configuration as the apiserver. This will enable the user to set the desired TLS configuration on the apiserver and have the CCO pods assume that configuration.

• aws pod-identity-webhook gains and implements the tls-min-version parameter
• aws pod-identity-webhook gains and implements the tls-cipher-suites parameter
• azure pod-identity-webhook gains and implements the tls-min-version parameter
• azure pod-identity-webhook gains and implements the tls-cipher-suites parameter
• gcp pod-identity-webhook gains and implements the tls-min-version parameter
• gcp pod-identity-webhook gains and implements the tls-cipher-suites parameter
• CCO operator maintains the tls-min-version and tls-cipher-suites parameters as per the apiserver configuration
  • kube-rbac-proxy
  • aws pod-identity-webhook
  • azure pod-identity-webhook
  • gcp pod-identity-webhook

Note: Need to further explore if there is work for the following goal from the OUTCOME

• Core OCP components are rebuilding using PQC-enabled key encapsulation (ML-KEM) go/crypto17.