diff --git a/pkg/crdconversion/crdconversion.go b/pkg/crdconversion/crdconversion.go
index 43cb2603b2..acec64b0c4 100644
--- a/pkg/crdconversion/crdconversion.go
+++ b/pkg/crdconversion/crdconversion.go
@@ -114,6 +114,7 @@ func (crdWh *crdConversionWebhook) run(stop <-chan struct{}) {
 // #nosec G402
 webhookServer.TLSConfig = &tls.Config{
 Certificates: []tls.Certificate{cert},
+ MinVersion: tls.VersionTLS13,
 }
 if err := webhookServer.ListenAndServeTLS("", ""); err != nil {
diff --git a/pkg/health/health.go b/pkg/health/health.go
index 0e055f9976..e467a12998 100644
--- a/pkg/health/health.go
+++ b/pkg/health/health.go
@@ -48,7 +48,10 @@ func (httpProbe HTTPProbe) Probe() (int, error) {
 // similar to how k8s api server handles HTTPS probes.
 // #nosec G402
 transport := &http.Transport{
- TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+ TLSClientConfig: &tls.Config{
+ InsecureSkipVerify: true,
+ MinVersion: tls.VersionTLS13,
+ },
 }
 client.Transport = transport
 }
diff --git a/pkg/injector/webhook.go b/pkg/injector/webhook.go
index eaf78d9dc4..1ef3e1f0db 100644
--- a/pkg/injector/webhook.go
+++ b/pkg/injector/webhook.go
@@ -126,6 +126,7 @@ func (wh *mutatingWebhook) run(stop <-chan struct{}) {
 // #nosec G402
 server.TLSConfig = &tls.Config{
 Certificates: []tls.Certificate{cert},
+ MinVersion: tls.VersionTLS13,
 }
 if err := server.ListenAndServeTLS("", ""); err != nil {
diff --git a/pkg/utils/mtls.go b/pkg/utils/mtls.go
index 550e679935..fefe1b0695 100644
--- a/pkg/utils/mtls.go
+++ b/pkg/utils/mtls.go
@@ -35,6 +35,7 @@ func setupMutualTLS(insecure bool, serverName string, certPem []byte, keyPem []b
 ClientAuth: tls.RequireAndVerifyClientCert,
 Certificates: []tls.Certificate{certif},
 ClientCAs: certPool,
+ MinVersion: tls.VersionTLS13,
 }
 return grpc.Creds(credentials.NewTLS(&tlsConfig)), nil
 }
diff --git a/pkg/validator/server.go b/pkg/validator/server.go
index 425f5f2de9..8c8b4f16dc 100644
--- a/pkg/validator/server.go
+++ b/pkg/validator/server.go
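Review bot: The `// #nosec G402` marker above `webhookServer.TLSConfig` in pkg/crdconversion/crdconversion.go still suppresses gosec's TLS-configuration rule even though the config now sets `MinVersion: tls.VersionTLS13`. If the missing minimum version was the only reason for the suppression (the hunk shows no `InsecureSkipVerify` or cipher override), remove the marker so that a later weakening of this config is reported again. The same applies to the `server.TLSConfig` hunks in pkg/injector/webhook.go and pkg/validator/server.go. The body of run starts and ends outside the hunk.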
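Review bot: In pkg/health/health.go the probe client now refuses anything below TLS 1.3 while still setting `InsecureSkipVerify: true`, so the change adds little protection but makes the probe fail against any endpoint that only offers TLS 1.2. The probed endpoints are not visible in this hunk; if they can be workload or third-party servers, a handshake failure would presumably be reported as an unhealthy target. Consider `MinVersion: tls.VersionTLS12` here, or document the requirement with a comment such as `// probe targets must support TLS 1.3`. The `#nosec G402` marker remains justified here because verification is skipped. Probe's body continues outside the hunk.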
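Review bot: In pkg/utils/mtls.go the mutual-TLS gRPC server now rejects handshakes below TLS 1.3, and nothing in the hunk shows that its clients can negotiate that version. A peer whose TLS settings cap at 1.2 will fail to connect after this change, so confirm that the client configuration (not visible here) allows TLS 1.3 and cover it with a handshake test. A comment on the field would record the requirement, e.g. `// TLS 1.3 only; connecting clients must allow TLS 1.3`. setupMutualTLS starts before the hunk.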
@@ -178,6 +178,7 @@ func (s *validatingWebhookServer) run(port int, certificater certificate.Certifi
 // #nosec G402
 server.TLSConfig = &tls.Config{
 Certificates: []tls.Certificate{cert},
+ MinVersion: tls.VersionTLS13,
 }
 if err := server.ListenAndServeTLS("", ""); err != nil {