"Information from Alan:
recently openshift introduced a cluster-wide ""TLS profile"" giving preferred TLS config (allowed encryption algorithms etc.) for anything running in the cluster.

We implemented it in the CLO, so we respect the cluster-wide profile if there is one, I think we also allow setting your own profile on the CLO. There's an epic with lnked stuff here: https://issues.redhat.com/browse/LOG-3270 also the OCP docs have some description of the global profile - it affects many things besides logging e.g. the API server and other ""infrastructure"" stufff.

Note the global TLS profile only affects things that choose to obey it - so openshift services, logging etc. It can't impose its will on random other services that a customer might run in the cluster."