Challenge, Easy,  on  KubernetesSecurity

Enforce TLSv1.3-Only Policy on a Production NGINX Deployment

Scenario

Your security team has mandated that all production services must drop TLSv1.2 and only accept TLSv1.3. An NGINX deployment in the prod-web namespace is currently configured to accept both versions.

The deployment, TLS secret, and service are already set up. Your only job is to enforce the TLSv1.3-only policy.


Task

The ConfigMap prod-nginx-config in the prod-web namespace currently has this TLS setting:

ssl_protocols TLSv1.2 TLSv1.3;

Update the ConfigMap so only TLSv1.3 is accepted. Once the ConfigMap is updated, make sure the running Deployment reflects the updated configuration — existing pods may not pick it up automatically.

Verify the policy is enforced using these commands:

# Must fail — TLSv1.2 is no longer accepted
curl -vk --tls-max 1.2 https://prod.k8s.local

# Must succeed — TLSv1.3 is the only accepted version
curl -vk --tlsv1.3 https://prod.k8s.local

Please wait 40–50 seconds while the environment is being set up.


Hint 1 — Locate and Update the ConfigMap

The ConfigMap prod-nginx-config in the prod-web namespace contains the nginx TLS configuration. Find the ssl_protocols directive and update it to only accept the required version:

kubectl edit configmap prod-nginx-config -n prod-web

Documentation

Hint 2 — Ensure the Running Pods Use the Updated Configuration

Editing a ConfigMap does not automatically update pods that are already running — the nginx containers are still using the old configuration loaded at startup. Trigger a rollout so fresh pods are created and pick up the updated ConfigMap:

kubectl rollout restart deployment -n prod-web
kubectl rollout status deployment -n prod-web

Documentation

Hint 3 — Verify the TLS Policy Is Enforced

After the rollout completes, test both TLS versions to confirm the policy is working correctly:

# Must fail — TLSv1.2 is no longer accepted
curl -vk --tls-max 1.2 https://prod.k8s.local

# Must succeed — TLSv1.3 is the only accepted version
curl -vk --tlsv1.3 https://prod.k8s.local

Look for SSL connection using TLSv1.3 in the successful response and a handshake failure or connection error in the rejected one.

Documentation


⚒ Test Cases