chore(tlsversion): Add a tls minimum version for webhooks

pkg/crdconversion/crdconversion.go

@@ -114,6 +114,7 @@ func (crdWh *crdConversionWebhook) run(stop <-chan struct{}) {
 		// #nosec G402
 		webhookServer.TLSConfig = &tls.Config{
 			Certificates: []tls.Certificate{cert},
+			MinVersion:   tls.VersionTLS13,
 		}
 
 		if err := webhookServer.ListenAndServeTLS("", ""); err != nil {

pkg/health/health.go

@@ -48,7 +48,10 @@ func (httpProbe HTTPProbe) Probe() (int, error) {
 		// similar to how k8s api server handles HTTPS probes.
 		// #nosec G402
 		transport := &http.Transport{
-			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: true,
+				MinVersion:         tls.VersionTLS13,
+			},
 		}
 		client.Transport = transport
 	}

pkg/injector/webhook.go

@@ -126,6 +126,7 @@ func (wh *mutatingWebhook) run(stop <-chan struct{}) {
 		// #nosec G402
 		server.TLSConfig = &tls.Config{
 			Certificates: []tls.Certificate{cert},
+			MinVersion:   tls.VersionTLS13,
 		}
 
 		if err := server.ListenAndServeTLS("", ""); err != nil {

pkg/utils/mtls.go

@@ -35,6 +35,7 @@ func setupMutualTLS(insecure bool, serverName string, certPem []byte, keyPem []b
 		ClientAuth:         tls.RequireAndVerifyClientCert,
 		Certificates:       []tls.Certificate{certif},
 		ClientCAs:          certPool,
+		MinVersion:         tls.VersionTLS13,
 	}
 	return grpc.Creds(credentials.NewTLS(&tlsConfig)), nil
 }

pkg/validator/server.go

@@ -178,6 +178,7 @@ func (s *validatingWebhookServer) run(port int, certificater certificate.Certifi
 		// #nosec G402
 		server.TLSConfig = &tls.Config{
 			Certificates: []tls.Certificate{cert},
+			MinVersion:   tls.VersionTLS13,
 		}
 
 		if err := server.ListenAndServeTLS("", ""); err != nil {