Allow TLS minimum version to be configured

Some environments have automated security scans that trigger
on TLS versions or insecure cipher suites. Setting TLS to 1.3
would solve both problems (setting to 1.2 only solves the former
as the default 1.2 cipher suites are insecure).

Default TLS minimum version of 1.0 remains.

Fixes kubernetes-sigs#1431

pkg/webhook/server.go

@@ -70,13 +70,21 @@ type Server struct {
 	// Defaults to "", which means server does not verify client's certificate.
 	ClientCAName string
 
+	// TLSVersion is the minimum version of TLS supported. Accepts
+	// "1.1", "1.2" and "1.3" - anything else will result in "1.0"
+	TLSMinVersion string
+
 	// WebhookMux is the multiplexer that handles different webhooks.
 	WebhookMux *http.ServeMux
 
 	// webhooks keep track of all registered webhooks for dependency injection,
 	// and to provide better panic messages on duplicate webhook registration.
 	webhooks map[string]http.Handler
 
+	// tlsMinVersion is the result of the conversion from human-readable TLS version (for example "1.1")
+	// to the values accepted by tls.Config (for example 0x301)
+	tlsMinVersion uint16
+
 	// setFields allows injecting dependencies from an external source
 	setFields inject.Func
 
@@ -109,6 +117,17 @@ func (s *Server) setDefaults() {
 	if len(s.KeyName) == 0 {
 		s.KeyName = "tls.key"
 	}
+
+	switch s.TLSMinVersion {
+	case "1.1":
+		s.tlsMinVersion = tls.VersionTLS11
+	case "1.2":
+		s.tlsMinVersion = tls.VersionTLS12
+	case "1.3":
+		s.tlsMinVersion = tls.VersionTLS13
+	default:
+		s.tlsMinVersion = tls.VersionTLS10
+	}
 }
 
 // NeedLeaderElection implements the LeaderElectionRunnable interface, which indicates
@@ -200,6 +219,7 @@ func (s *Server) Start(ctx context.Context) error {
 	cfg := &tls.Config{
 		NextProtos:     []string{"h2"},
 		GetCertificate: certWatcher.GetCertificate,
+		MinVersion:     s.tlsMinVersion,
 	}
 
 	// load CA to verify client certificate