How to configure TLS Cipher Suites for Calico in RKE2
Article Number: 000022361
Environment
- A Rancher-provisioned or standalone RKE2 cluster
- Calico CNI >= v3.31.x (RKE2 v1.32 >= v1.32.11+rke2r1, v1.33 >= v1.33.7+rke2r1, v1.34 >= v1.34.3+rke2r1, >= v1.35.0+rke2r1)
Procedure
The default ciphers used by Calico components are defined in the Calico TLS code, but are configurable through the TLS_CIPHER_SUITES environment variable. This environment variable is applied by tigera-operator based on the tlsCipherSuites configuration (available in Calico >= v3.31) defined in the installation object.
This article details how to define this configuration in both Rancher-provisioned and standalone RKE2 clusters.
Warning: Altering TLS configurations can inadvertently disable modern security features or enable deprecated, insecure protocols. Ensure that any selected ciphers comply with your organization’s security policies and test cipher changes in a non-production environment to ensure you are not introducing security regressions.
The set of suites included in the configuration below is provided purely for example purposes.
RKE2 cluster provisioned by Rancher
In a Rancher-provisioned RKE2 cluster, the configuration is set within Rancher:
- Navigate to Cluster Management within the Rancher UI and click Edit Config for the relevant RKE2 cluster.
- Under Cluster Configuration click the Add-on: Calico tab.
- Add the desired tlsCipherSuites definition within the existing installation block, per the following example:
[...]
installation:
  tlsCipherSuites:
    - name: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - name: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - name: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - name: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - name: TLS_AES_128_GCM_SHA256
    - name: TLS_AES_256_GCM_SHA384
    - name: TLS_CHACHA20_POLY1305_SHA256
[...]
RKE2 standalone cluster
In a standalone RKE2 cluster, the configuration is set via a HelmChartConfig resource.
Create (or modify) /var/lib/rancher/rke2/server/manifests/rke2-calico-config.yaml on server nodes and include the desired tlsCipherSuites, per the following example:
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-calico
  namespace: kube-system
spec:
  valuesContent: |-
    installation:
      tlsCipherSuites:
        - name: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - name: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - name: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - name: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - name: TLS_AES_128_GCM_SHA256
        - name: TLS_AES_256_GCM_SHA384
        - name: TLS_CHACHA20_POLY1305_SHA256
Creating this HelmChartConfig manifest triggers an upgrade of the rke2-calico chart with the new values; tigera-operator then redeploys the Calico components with the defined TLS cipher suites.
Verification
Once the Calico workloads have been re-created, you can confirm the change by using nmap or kubectl.
nmap -p 5473 --script ssl-enum-ciphers <calico-pod-ip>

Starting Nmap 7.80 ( https://nmap.org ) at 2026-02-09 23:13 UTC
Nmap scan report for hostname-xyz (x.x.x.x)
Host is up (0.00011s latency).

PORT     STATE SERVICE
5473/tcp open  apsolab-tags
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.46 seconds
Or check the TLS_CIPHER_SUITES environment variable defined in the Calico Pods. For example, for Calico Typha:
kubectl get pods -n calico-system -l k8s-app=calico-typha -o jsonpath='{.items[0].spec.containers[0].env}' | jq | grep -i TLS
    "name": "TLS_CIPHER_SUITES",
    "value": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256"
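As an added check (example code written for this article, not part of Calico, RKE2, Rancher or tigera-operator), the script below does two things that the procedure and verification steps above leave to the operator: it lints a candidate tlsCipherSuites list before it is applied (flagging RC4, 3DES, CBC and non-ECDHE suites, and duplicates), and it parses the JSON that the kubectl jsonpath command above returns to compare the rendered TLS_CIPHER_SUITES value against the list that was configured. The classification rules are a name-based heuristic chosen for this example, and the sample_typha_env string is a constructed stand-in for real kubectl output; the suite names are the ones used in the configuration above.

```python
"""Lint a Calico tlsCipherSuites list and verify the TLS_CIPHER_SUITES env var
rendered into a Typha pod matches it. Example code for this article, not
Calico's own tooling."""
import json
import re
from typing import Dict, List, Tuple

SUITE_NAME = re.compile(r"^TLS_[A-Z0-9_]+$")
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}

# The list from the installation.tlsCipherSuites example above.
DESIRED_SUITES: List[str] = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
]

# Constructed sample of what
#   kubectl get pods -n calico-system -l k8s-app=calico-typha \
#     -o jsonpath='{.items[0].spec.containers[0].env}'
# returns, trimmed to two entries. Not captured from a real cluster.
SAMPLE_TYPHA_ENV = json.dumps([
    {"name": "TYPHA_LOGSEVERITYSCREEN", "value": "info"},
    {"name": "TLS_CIPHER_SUITES", "value": ",".join(DESIRED_SUITES)},
])


def classify_suite(name: str) -> str:
    """Heuristic, name-based classification (an assumption of this example):
    'tls13', 'pfs-aead' (ECDHE key exchange + AEAD cipher), or 'weak:<reason>'."""
    if not SUITE_NAME.match(name):
        return "weak:malformed name"
    if name in TLS13_SUITES:
        return "tls13"
    if "RC4" in name:
        return "weak:RC4"
    if "3DES" in name:
        return "weak:3DES"
    if "CBC" in name:
        return "weak:CBC (no AEAD)"
    if not name.startswith("TLS_ECDHE_"):
        return "weak:no forward secrecy"
    if "GCM" in name or "CHACHA20_POLY1305" in name:
        return "pfs-aead"
    return "weak:unrecognised cipher"


def lint_suites(suites: List[str]) -> Dict[str, object]:
    """Return a report: weak suites with reasons, duplicates, and an overall ok flag."""
    weak: Dict[str, str] = {}
    duplicates: List[str] = []
    seen = set()
    for suite in suites:
        if suite in seen:
            duplicates.append(suite)
        seen.add(suite)
        verdict = classify_suite(suite)
        if verdict.startswith("weak:"):
            weak[suite] = verdict[len("weak:"):]
    return {
        "ok": bool(suites) and not weak and not duplicates,
        "weak": weak,
        "duplicates": duplicates,
        "tls12_count": sum(1 for s in seen if s not in TLS13_SUITES),
        "tls13_count": sum(1 for s in seen if s in TLS13_SUITES),
    }


def env_cipher_suites(env_json: str) -> List[str]:
    """Extract the TLS_CIPHER_SUITES value from a container env JSON array
    (the jsonpath output above) as a list; empty list if the variable is absent."""
    for entry in json.loads(env_json):
        if entry.get("name") == "TLS_CIPHER_SUITES":
            return [s.strip() for s in entry.get("value", "").split(",") if s.strip()]
    return []


def compare_suites(desired: List[str], actual: List[str]) -> Tuple[List[str], List[str]]:
    """Return (missing, extra): desired suites not rendered, rendered suites not desired."""
    missing = [s for s in desired if s not in actual]
    extra = [s for s in actual if s not in desired]
    return missing, extra


if __name__ == "__main__":
    print("lint:", lint_suites(DESIRED_SUITES))
    rendered = env_cipher_suites(SAMPLE_TYPHA_ENV)
    print("missing/extra:", compare_suites(DESIRED_SUITES, rendered))
```

To use it against a live cluster, pipe the jsonpath output of the kubectl command above into env_cipher_suites instead of the constructed sample; a non-empty missing or extra list means the Installation change has not yet been rendered into that pod, so wait for the rollout to finish before running nmap.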