This article provides steps to update the tls-min-version configuration for kube-api-server on a running workload cluster, applicable to both legacy and plan-based clusters.
Important Note: This workaround will not persist through VM recreation. To permanently configure API server arguments, set the APISERVER_EXTRA_ARGS variable in the cluster configuration file for class-based clusters, or use a ytt overlay for legacy clusters, when deploying the workload cluster.
Useful links:
Class based configuration file reference: https://docs.vmware.com/en/VMware-Tanzu-Kubernetes-Grid/2.5/tkg-deploy-mc/config-ref.html
Configuration File to Cluster Class Variable Translations: https://docs.vmware.com/en/VMware-Tanzu-Kubernetes-Grid/2.5/using-tkg/workload-clusters-legacy-cc.html
Legacy cluster configuration with ytt: https://docs.vmware.com/en/VMware-Tanzu-Kubernetes-Grid/2.5/using-tkg/workload-clusters-ytt.html
STIG hardening for TKG clusters: https://docs.vmware.com/en/VMware-Tanzu-Compliance/2.2/tkg-compliance/stig-harden.html
For class based clusters:
1. Switch context to your management cluster and list cluster objects. Edit the cluster object corresponding to the cluster you would like to modify.
ubuntu@jumpbox:$ kubectl config use-context mgmt-cluster-admin@mgmt-cluster
Switched to context "mgmt-cluster-admin@mgmt-cluster".
ubuntu@jumpbox:$ kubectl get cluster
NAME               PHASE         AGE   VERSION
cc1                Provisioned   93m   v1.28.7+vmware.1
cc2                Provisioned   32m   v1.28.7+vmware.1
workload-cluster   Provisioned   45h
ubuntu@jumpbox:$ kubectl edit cluster cc2
2. Search for "apiServerExtraArgs". If the variable already exists in the cluster object, update its value to the desired minimum version. If it does not exist anywhere in the file, add it as a list entry under "spec.topology.variables":
    - name: apiServerExtraArgs
      value:
        tls-min-version: VersionTLS12
3. Save the changes. The cluster control plane nodes should redeploy with the new configuration.
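As an added example that is not part of this article, the following Python script performs the same check and edit programmatically against the JSON that "kubectl get cluster -o json" returns: it reports which class-based clusters already enforce a TLS 1.2 floor and produces a patched Cluster object with the apiServerExtraArgs variable inserted or updated under spec.topology.variables. The function names and the sample cluster objects are constructed for illustration; only the field paths come from the article.

```python
import json
from typing import Optional

# Field names from the Cluster object shown in the article.
APISERVER_VAR = "apiServerExtraArgs"
TLS_ARG = "tls-min-version"
# Values of tls-min-version that satisfy a TLS 1.2 floor.
ACCEPTABLE = {"VersionTLS12", "VersionTLS13"}


def find_tls_min_version(cluster: dict) -> Optional[str]:
    """Return the configured tls-min-version, or None if the variable is absent."""
    for var in cluster.get("spec", {}).get("topology", {}).get("variables", []):
        if var.get("name") == APISERVER_VAR:
            return (var.get("value") or {}).get(TLS_ARG)
    return None


def set_tls_min_version(cluster: dict, version: str = "VersionTLS12") -> dict:
    """Return a deep copy of the Cluster object with tls-min-version set.

    If apiServerExtraArgs is missing, it is appended to spec.topology.variables,
    mirroring the manual edit described in step 2 of the article."""
    if version not in ACCEPTABLE:
        raise ValueError(f"{version!r} is below the TLS 1.2 floor")
    patched = json.loads(json.dumps(cluster))  # deep copy, original left untouched
    variables = (patched.setdefault("spec", {})
                 .setdefault("topology", {})
                 .setdefault("variables", []))
    for var in variables:
        if var.get("name") == APISERVER_VAR:
            var.setdefault("value", {})[TLS_ARG] = version
            break
    else:  # no existing entry: add one, as in the article's YAML snippet
        variables.append({"name": APISERVER_VAR, "value": {TLS_ARG: version}})
    return patched


def audit(clusters: list) -> dict:
    """Map each cluster name to True when its API server enforces TLS >= 1.2."""
    return {c["metadata"]["name"]: find_tls_min_version(c) in ACCEPTABLE for c in clusters}


# Constructed sample objects, trimmed to the fields the check uses (hypothetical data).
SAMPLE_CLUSTERS = [
    {"metadata": {"name": "cc1"}, "spec": {"topology": {"variables": [
        {"name": "apiServerExtraArgs", "value": {"tls-min-version": "VersionTLS12"}}]}}},
    {"metadata": {"name": "cc2"}, "spec": {"topology": {"variables": [
        {"name": "vcenter", "value": {"datacenter": "/dc0"}}]}}},
]

if __name__ == "__main__":
    print(audit(SAMPLE_CLUSTERS))
    print(json.dumps(set_tls_min_version(SAMPLE_CLUSTERS[1])["spec"]["topology"], indent=2))
```

The patched object can be written back with "kubectl apply -f" or used to build a "kubectl patch" body; like the manual edit, it does not survive VM recreation.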
For legacy clusters:
1. For a legacy cluster, update the KubeadmControlPlane (KCP) object of the workload cluster in question, adding or changing tls-min-version under spec.kubeadmConfigSpec.clusterConfiguration.apiServer.extraArgs:
kubectl get kcp
kubectl edit kcp workload-cluster-control-plane
spec:
  kubeadmConfigSpec:
    clusterConfiguration:
      apiServer:
        extraArgs:
          admission-control-config-file: /etc/kubernetes/kube-apiserver-admission-pss.yaml
          cloud-provider: external
          tls-cipher-suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
          tls-min-version: VersionTLS12
Once saved, control plane nodes will be recreated with the updated configuration.