diff --git a/bootstrap/kubeadm/main.go b/bootstrap/kubeadm/main.go index a4d1a335cda0..b1fddf59ca75 100644 --- a/bootstrap/kubeadm/main.go +++ b/bootstrap/kubeadm/main.go @@ -19,12 +19,14 @@ package main import ( "context" + "crypto/tls" "flag" "fmt" "math/rand" "net/http" _ "net/http/pprof" "os" + "strings" "time" // +kubebuilder:scaffold:imports @@ -85,6 +87,8 @@ var ( webhookCertDir string healthAddr string tokenTTL time.Duration + tlsMinVersion string + tlsCipherSuites string logOptions = logs.NewOptions() ) @@ -135,6 +139,16 @@ func InitFlags(fs *pflag.FlagSet) { fs.StringVar(&healthAddr, "health-addr", ":9440", "The address the health endpoint binds to.") + flag.StringVar(&tlsMinVersion, "tls-min-version", "VersionTLS12", + "The minimum TLS version in use by the webhook server.\n"+ + fmt.Sprintf("Possible values are %s.", strings.Join(cliflag.TLSPossibleVersions(), ", ")), + ) + + flag.StringVar(&tlsCipherSuites, "tls-cipher-suites", "", + "Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used.\n"+ + fmt.Sprintf("Possible values are %s.", strings.Join(cliflag.TLSCipherPossibleValues(), ", ")), + ) + feature.MutableGates.AddFlag(fs) } @@ -193,6 +207,7 @@ func main() { ctx := ctrl.SetupSignalHandler() setupChecks(mgr) + setupWebhookTLSConfigs(mgr, tlsMinVersion, tlsCipherSuites) setupWebhooks(mgr) setupReconcilers(ctx, mgr) 
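Review bot: The two new flags in InitFlags are registered with `flag.StringVar` on the stdlib global flag set, while every other flag in this function (including the neighbouring `health-addr`) goes on the `fs *pflag.FlagSet` parameter; change both calls to `fs.StringVar(&tlsMinVersion, "tls-min-version", "VersionTLS12", ...)` and `fs.StringVar(&tlsCipherSuites, "tls-cipher-suites", "", ...)`. Whether the flags are reachable today depends on main merging `flag.CommandLine` into the pflag set, which is not visible in this hunk; registering on `fs` removes that hidden dependency and keeps the TLS settings alongside the other webhook flags. The `VersionTLS12` default is a sensible floor and should stay.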
@@ -216,6 +231,30 @@ func setupChecks(mgr ctrl.Manager) { } } +func setupWebhookTLSConfigs(mgr ctrl.Manager, tlsMinVersion, tlsCipherSuites string) { + tlsVersion, err := cliflag.TLSVersion(tlsMinVersion) + if err != nil { + setupLog.Error(err, "unable to set TLS min version") + os.Exit(1) + } + mgr.GetWebhookServer().TLSOpts = append(mgr.GetWebhookServer().TLSOpts, func(cfg *tls.Config) { + cfg.MinVersion = tlsVersion + }) + + if tlsCipherSuites != "" { + cipherSuites := strings.Split(tlsCipherSuites, ",") + suites, err := cliflag.TLSCipherSuites(cipherSuites) + if err != nil { + setupLog.Error(err, "unable to set TLS Cipher suites") + os.Exit(1) + } + + mgr.GetWebhookServer().TLSOpts = append(mgr.GetWebhookServer().TLSOpts, func(cfg *tls.Config) { + cfg.CipherSuites = suites + }) + } +} + func setupReconcilers(ctx context.Context, mgr ctrl.Manager) { if err := (&kubeadmbootstrapcontrollers.KubeadmConfigReconciler{ Client: mgr.GetClient(), diff --git a/controlplane/kubeadm/main.go b/controlplane/kubeadm/main.go index f1db2975efa2..77f82d1f19dc 100644 --- a/controlplane/kubeadm/main.go +++ b/controlplane/kubeadm/main.go @@ -19,12 +19,14 @@ package main import ( "context" + "crypto/tls" "flag" "fmt" "math/rand" "net/http" _ "net/http/pprof" "os" + "strings" "time" // +kubebuilder:scaffold:imports @@ -89,6 +91,8 @@ var ( webhookCertDir string healthAddr string etcdDialTimeout time.Duration + tlsMinVersion string + tlsCipherSuites string logOptions = logs.NewOptions() ) 
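Review bot: `setupWebhookTLSConfigs` only checks that `--tls-min-version` is a known name, and `cliflag.TLSVersion` (if I recall its table correctly) also accepts `VersionTLS10` and `VersionTLS11`, so an operator can lower the webhook floor below the default with no signal in the logs. Consider guarding after the parse, e.g. `if tlsVersion < tls.VersionTLS12 { setupLog.Info("WARNING: --tls-min-version below TLS 1.2 is insecure", "tls-min-version", tlsMinVersion) }`, or rejecting such values outright if no supported client needs them. `strings.Split(tlsCipherSuites, ",")` does not trim whitespace, so `"A, B"` is rejected by `cliflag.TLSCipherSuites`; that is fail-closed, but a `strings.TrimSpace` per entry (or a word in the help text) would avoid a confusing startup failure.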
@@ -139,6 +143,16 @@ func InitFlags(fs *pflag.FlagSet) { fs.DurationVar(&etcdDialTimeout, "etcd-dial-timeout-duration", 10*time.Second, "Duration that the etcd client waits at most to establish a connection with etcd") + flag.StringVar(&tlsMinVersion, "tls-min-version", "VersionTLS12", + "The minimum TLS version in use by the webhook server.\n"+ + fmt.Sprintf("Possible values are %s.", strings.Join(cliflag.TLSPossibleVersions(), ", ")), + ) + + flag.StringVar(&tlsCipherSuites, "tls-cipher-suites", "", + "Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used.\n"+ + fmt.Sprintf("Possible values are %s.", strings.Join(cliflag.TLSCipherPossibleValues(), ", ")), + ) + feature.MutableGates.AddFlag(fs) } func main() { @@ -197,6 +211,7 @@ func main() { ctx := ctrl.SetupSignalHandler() setupChecks(mgr) + setupWebhookTLSConfigs(mgr, tlsMinVersion, tlsCipherSuites) setupReconcilers(ctx, mgr) setupWebhooks(mgr) @@ -220,6 +235,30 @@ func setupChecks(mgr ctrl.Manager) { } } +func setupWebhookTLSConfigs(mgr ctrl.Manager, tlsMinVersion, tlsCipherSuites string) { + tlsVersion, err := cliflag.TLSVersion(tlsMinVersion) + if err != nil { + setupLog.Error(err, "unable to set TLS min version") + os.Exit(1) + } + mgr.GetWebhookServer().TLSOpts = append(mgr.GetWebhookServer().TLSOpts, func(cfg *tls.Config) { + cfg.MinVersion = tlsVersion + }) + + if tlsCipherSuites != "" { + cipherSuites := strings.Split(tlsCipherSuites, ",") + suites, err := cliflag.TLSCipherSuites(cipherSuites) + if err != nil { + setupLog.Error(err, "unable to set TLS Cipher suites") + os.Exit(1) + } + + mgr.GetWebhookServer().TLSOpts = append(mgr.GetWebhookServer().TLSOpts, func(cfg *tls.Config) { + cfg.CipherSuites = suites + }) + } +} + func setupReconcilers(ctx context.Context, mgr ctrl.Manager) { // Set up a ClusterCacheTracker to provide to controllers // requiring a connection to a remote cluster 
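Review bot: `setupWebhookTLSConfigs` in this hunk is a byte-for-byte copy of the function added to bootstrap/kubeadm/main.go and main.go in the same change, and the two flag definitions in InitFlags are copied as well; three copies of TLS-hardening logic will drift, with a future minimum-version guard or cipher-suite warning landing in one binary only. Consider moving the flag registration and the `TLSOpts` wiring into one shared helper under `util/` that takes the `*pflag.FlagSet` and returns the `[]func(*tls.Config)` overrides (or an error), and calling it from all three mains. The `flag.StringVar`-versus-`fs.StringVar` mismatch noted for the other files applies to the InitFlags hunk here too, where `etcd-dial-timeout-duration` just above uses `fs`.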
diff --git a/main.go b/main.go index 6b6ccf537d93..c38ca6502ce1 100644 --- a/main.go +++ b/main.go @@ -19,12 +19,14 @@ package main import ( "context" + "crypto/tls" "flag" "fmt" "math/rand" "net/http" _ "net/http/pprof" "os" + "strings" "time" // +kubebuilder:scaffold:imports @@ -99,6 +101,8 @@ var ( webhookPort int webhookCertDir string healthAddr string + tlsMinVersion string + tlsCipherSuites string logOptions = logs.NewOptions() ) @@ -198,6 +202,16 @@ func InitFlags(fs *pflag.FlagSet) { fs.StringVar(&healthAddr, "health-addr", ":9440", "The address the health endpoint binds to.") + flag.StringVar(&tlsMinVersion, "tls-min-version", "VersionTLS12", + "The minimum TLS version in use by the webhook server.\n"+ + fmt.Sprintf("Possible values are %s.", strings.Join(cliflag.TLSPossibleVersions(), ", ")), + ) + + flag.StringVar(&tlsCipherSuites, "tls-cipher-suites", "", + "Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used.\n"+ + fmt.Sprintf("Possible values are %s.", strings.Join(cliflag.TLSCipherPossibleValues(), ", ")), + ) + feature.MutableGates.AddFlag(fs) } @@ -269,6 +283,7 @@ func main() { setupChecks(mgr) setupIndexes(ctx, mgr) + setupWebhookTLSConfigs(mgr, tlsMinVersion, tlsCipherSuites) setupReconcilers(ctx, mgr) setupWebhooks(mgr) 
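Review bot: The help text for `--tls-cipher-suites` says the Go defaults are used when omitted, but does not say that the listed `cliflag.TLSCipherPossibleValues()` include suites Go classifies as insecure (the component-base helper, if I recall correctly, merges `tls.CipherSuites()` and `tls.InsecureCipherSuites()`), nor that Go ignores this setting for TLS 1.3 connections. Suggest extending the description: `"Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used. Insecure suites are accepted but not recommended; the list only applies to TLS 1.2 handshakes.\n"`. Also, both flags are registered via `flag.StringVar` rather than the `fs` parameter used by the neighbouring `health-addr` flag.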
@@ -299,6 +314,30 @@ func setupIndexes(ctx context.Context, mgr ctrl.Manager) { } } +func setupWebhookTLSConfigs(mgr ctrl.Manager, tlsMinVersion, tlsCipherSuites string) { + tlsVersion, err := cliflag.TLSVersion(tlsMinVersion) + if err != nil { + setupLog.Error(err, "unable to set TLS min version") + os.Exit(1) + } + mgr.GetWebhookServer().TLSOpts = append(mgr.GetWebhookServer().TLSOpts, func(cfg *tls.Config) { + cfg.MinVersion = tlsVersion + }) + + if tlsCipherSuites != "" { + cipherSuites := strings.Split(tlsCipherSuites, ",") + suites, err := cliflag.TLSCipherSuites(cipherSuites) + if err != nil { + setupLog.Error(err, "unable to set TLS Cipher suites") + os.Exit(1) + } + + mgr.GetWebhookServer().TLSOpts = append(mgr.GetWebhookServer().TLSOpts, func(cfg *tls.Config) { + cfg.CipherSuites = suites + }) + } +} + func setupReconcilers(ctx context.Context, mgr ctrl.Manager) { // Set up a ClusterCacheTracker and ClusterCacheReconciler to provide to controllers // requiring a connection to a remote cluster
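Review bot: When `--tls-min-version=VersionTLS13` is combined with `--tls-cipher-suites`, the `cfg.CipherSuites = suites` override in this hunk is a silent no-op because Go's crypto/tls does not let callers configure TLS 1.3 suites, so an operator could believe a restricted list is enforced when it is not; a comment on the closure, `// Note: Go ignores CipherSuites for TLS 1.3; this only constrains TLS 1.2 handshakes.`, or a log line when `tlsVersion == tls.VersionTLS13 && tlsCipherSuites != ""` would make that visible. Minor: the two `append`s to `TLSOpts` could be a single append of both closures, and `"unable to set TLS Cipher suites"` capitalises differently from `"unable to set TLS min version"`. This function is also duplicated verbatim in the bootstrap and control-plane binaries.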