Enforce TLSv1.3-Only Policy on a Production NGINX Deployment
Scenario
Your security team has mandated that all production services must drop
TLSv1.2 and only accept TLSv1.3. An NGINX deployment in the prod-web
namespace is currently configured to accept both versions.
The deployment, TLS secret, and service are already set up. Your only job is to enforce the TLSv1.3-only policy.
Task
The ConfigMap prod-nginx-config in the prod-web namespace currently
has this TLS setting:
ssl_protocols TLSv1.2 TLSv1.3;
Update the ConfigMap so only TLSv1.3 is accepted. Once the ConfigMap
is updated, make sure the running Deployment reflects the updated
configuration — existing pods may not pick it up automatically.
Verify the policy is enforced using these commands:
# Must fail — TLSv1.2 is no longer accepted
curl -vk --tls-max 1.2 https://prod.k8s.local
# Must succeed — TLSv1.3 is the only accepted version
curl -vk --tlsv1.3 https://prod.k8s.local
Please wait 40–50 seconds while the environment is being set up.
Hint 1 — Locate and Update the ConfigMap
The ConfigMap prod-nginx-config in the prod-web namespace contains the
nginx TLS configuration. Find the ssl_protocols directive and update it
to only accept the required version:
kubectl edit configmap prod-nginx-config -n prod-web
Documentation
Hint 2 — Ensure the Running Pods Use the Updated Configuration
Editing a ConfigMap does not automatically update pods that are already running — the nginx containers are still using the old configuration loaded at startup. Trigger a rollout so fresh pods are created and pick up the updated ConfigMap:
kubectl rollout restart deployment -n prod-web
kubectl rollout status deployment -n prod-web
Documentation
Hint 3 — Verify the TLS Policy Is Enforced
After the rollout completes, test both TLS versions to confirm the policy is working correctly:
# Must fail — TLSv1.2 is no longer accepted
curl -vk --tls-max 1.2 https://prod.k8s.local
# Must succeed — TLSv1.3 is the only accepted version
curl -vk --tlsv1.3 https://prod.k8s.local
Look for SSL connection using TLSv1.3 in the successful response and a
handshake failure or connection error in the rejected one.
Documentation