Issue Type: Story
Resolution: Done
Priority: Major
Summary
The knative.dev/pkg/webhook package currently does not expose the tlsConfig field (webhook.go#L141), preventing downstream platforms from dynamically configuring TLS settings beyond the basic WEBHOOK_TLS_MIN_VERSION environment variable. This limitation blocks integration with centralized TLS policy management systems required for enterprise Kubernetes distributions.
Motivation
Modern Kubernetes platforms increasingly require centralized TLS policy management to:
- Prepare for Post-Quantum Cryptography (PQC) transitions, which require TLS 1.3 (hybrid post-quantum key exchange is only defined for TLS 1.3) and control over the key-exchange groups and cipher suites offered
- Comply with organizational security policies that mandate specific cipher configurations
- Support custom TLS profiles beyond simple version selection (e.g., FIPS mode, industry-specific compliance)
- Enable dynamic security policy updates without rebuilding/redeploying components
Current Limitations
https://github.com/knative/pkg/blob/main/webhook/webhook.go#L141
```go
tlsConfig: &tls.Config{
	MinVersion: tlsMinVersion, // Only configurable via env var
	// No cipher suite configuration
	// No way to inject custom tls.Config
},
```
The existing implementation is missing:
- Cipher suite configuration
- Support for named TLS profiles (the Old/Intermediate/Modern profiles defined by Mozilla's SSL Configuration Generator, plus a Custom profile)
Proposed Solution
Add a TLSConfig field to the webhook Options struct
```go
// webhook.go
type Options struct {
	// ... existing fields ...

	// TLSConfig allows customization of the webhook server's TLS configuration.
	// If nil, a default configuration with MinVersion from WEBHOOK_TLS_MIN_VERSION is used.
	// When provided, this completely overrides the default TLS configuration.
	TLSConfig *tls.Config
}
```
Because a supplied config replaces the default entirely, whatever supplies the serving certificate today must be carried over into the caller's config as well, otherwise the server has no certificate to present.
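The following is an added example of how a downstream platform could feed such an option; it is not knative/pkg code, and the TLSConfig field it mirrors is the proposal above, not a shipped API. The Options struct, the WEBHOOK_TLS_MIN_VERSION parsing (accepted spellings "1.2" and "1.3", TLS 1.2 default), the profile names and the self-signed test certificate are assumptions of this example. It builds tls.Config values for the Mozilla "modern" and "intermediate" profiles, applies the nil-means-default override rule, and runs an in-memory handshake to show which client versions each policy actually rejects, which is the check worth running before a profile is rolled out to the webhooks listed below.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// Options stands in for the proposed webhook.Options field (assumption, not the
// real knative struct): nil keeps the env-var default, non-nil replaces it.
type Options struct{ TLSConfig *tls.Config }

// EffectiveTLSConfig applies the override rule from the proposal: a supplied config
// wins outright; otherwise only MinVersion is taken from WEBHOOK_TLS_MIN_VERSION
// (the "1.2"/"1.3" spellings and the TLS 1.2 default are assumptions here).
func EffectiveTLSConfig(opts Options, envMinVersion string) (*tls.Config, error) {
	if opts.TLSConfig != nil {
		return opts.TLSConfig.Clone(), nil
	}
	switch strings.TrimSpace(envMinVersion) {
	case "", "1.2":
		return &tls.Config{MinVersion: tls.VersionTLS12}, nil
	case "1.3":
		return &tls.Config{MinVersion: tls.VersionTLS13}, nil
	}
	return nil, fmt.Errorf("unsupported WEBHOOK_TLS_MIN_VERSION %q", envMinVersion)
}

// TLSConfigForProfile is what a central policy layer could hand to the option.
// "intermediate" is Mozilla's TLS 1.2 suite list limited to suites crypto/tls
// implements (Go has no DHE suites); "old" and unknown names are refused.
func TLSConfigForProfile(profile string) (*tls.Config, error) {
	switch strings.ToLower(profile) {
	case "modern": // TLS 1.3 only; Go selects TLS 1.3 suites itself
		return &tls.Config{MinVersion: tls.VersionTLS13}, nil
	case "intermediate":
		return &tls.Config{
			MinVersion: tls.VersionTLS12,
			CipherSuites: []uint16{
				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
				tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
				tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
				tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
			},
			CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
		}, nil
	}
	return nil, fmt.Errorf("unknown TLS profile %q", profile)
}

// selfSignedCert mints a throwaway ECDSA cert so the check runs offline; a real
// webhook presents the serving certificate it is provisioned with instead.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{"webhook.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// HandshakeAccepted runs an in-memory handshake against the server policy with a
// client capped at clientMax and reports whether the policy let it through.
func HandshakeAccepted(server *tls.Config, clientMax uint16) (bool, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return false, err
	}
	srv := server.Clone()
	srv.Certificates = []tls.Certificate{cert}
	c, s := net.Pipe()
	defer c.Close()
	defer s.Close()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(s, srv).Handshake() }()
	cli := tls.Client(c, &tls.Config{
		InsecureSkipVerify: true, // self-signed test cert; never in a real client
		MinVersion:         tls.VersionTLS10,
		MaxVersion:         clientMax,
	})
	cliErr := cli.Handshake()
	<-srvErr
	return cliErr == nil, nil
}
```

HandshakeAccepted(intermediateConfig, tls.VersionTLS10) returns false and HandshakeAccepted(modernConfig, tls.VersionTLS12) returns false, while the matching versions succeed; the in-memory pipe exercises the real crypto/tls negotiation, so the result reflects what a kube-apiserver with the same client limits would see.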
blocks
- SRVKP-9612 [tekton-operator-webhook] Centrally Managed TLS for Webhook (To Do)
- SRVKP-9613 [tekton-operator-proxy-webhook] Centrally Managed TLS for Webhook (To Do)
- SRVKP-9614 [tekton-pipelines-webhook] Centrally Managed TLS for Webhook (To Do)
- SRVKP-9615 [tekton-triggers-webhook] Centrally Managed TLS for Webhook (To Do)
- SRVKP-9616 [pipelines-as-code-webhook] Centrally Managed TLS for Webhook (To Do)