openshift · richardsonnick · Feb 3, 2026 · Feb 3, 2026
diff --git a/config/v1/types_apiserver.go b/config/v1/types_apiserver.go
@@ -62,6 +62,30 @@ type APIServerSpec struct {
 	// The current default is the Intermediate profile.
 	// +optional
 	TLSSecurityProfile *TLSSecurityProfile `json:"tlsSecurityProfile,omitempty"`
+	// tlsAdherence controls which components in the cluster adhere to the TLS security profile
+	// configured on this APIServer resource.
+	//
+	// Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents".
+	//
+	// When set to "LegacyExternalAPIServerComponentsOnly" (the default), only the externally exposed
+	// API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured
+	// TLS profile. Other components continue to use their individual TLS configurations.
+	//
+	// When set to "StrictAllComponents", all components must honor the configured TLS profile.
+	// This mode is recommended for security-conscious deployments and is required for
+	// certain compliance frameworks.
+	//
+	// Note: The Kubelet and IngressController components are excluded from tlsAdherence control
+	// as they have their own dedicated TLS configuration mechanisms via KubeletConfig and
+	// IngressController CRs respectively.
+	//
+	// Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents"
+	// and log a warning to ensure forward compatibility while defaulting to the more secure behavior.
+	//
+	// When omitted, the default value is "LegacyExternalAPIServerComponentsOnly".
+	// +openshift:enable:FeatureGate=TLSAdherence
+	// +optional
+	TLSAdherence TLSAdherencePolicy `json:"tlsAdherence,omitempty"`
 	// audit specifies the settings for audit configuration to be applied to all OpenShift-provided
 	// API servers in the cluster.
 	// +optional
@@ -237,6 +261,23 @@ const (
 type APIServerStatus struct {
 }
 
+// TLSAdherencePolicy defines which components adhere to the TLS security profile.
+// +kubebuilder:validation:Enum=LegacyExternalAPIServerComponentsOnly;StrictAllComponents
+type TLSAdherencePolicy string
+
+const (
+	// TLSAdherenceLegacyExternalAPIServerComponentsOnly means only the externally exposed
+	// API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor
+	// the configured TLS profile. Other components continue to use their individual TLS
+	// configurations.
+	TLSAdherenceLegacyExternalAPIServerComponentsOnly TLSAdherencePolicy = "LegacyExternalAPIServerComponentsOnly"
+
+	// TLSAdherenceStrictAllComponents means all components must honor the configured TLS
+	// profile. This mode is recommended for security-conscious deployments and is required
+	// for certain compliance frameworks.
+	TLSAdherenceStrictAllComponents TLSAdherencePolicy = "StrictAllComponents"
+)
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).

diff --git a/...zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml b/...zz_generated.crd-manifests/0000_10_config-operator_01_apiservers-CustomNoUpgrade.crd.yaml
@@ -292,6 +292,33 @@ spec:
                     type: array
                     x-kubernetes-list-type: atomic
                 type: object
+              tlsAdherence:
+                description: |-
+                  tlsAdherence controls which components in the cluster adhere to the TLS security profile
+                  configured on this APIServer resource.
+
+                  Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents".
+
+                  When set to "LegacyExternalAPIServerComponentsOnly" (the default), only the externally exposed
+                  API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured
+                  TLS profile. Other components continue to use their individual TLS configurations.
+
+                  When set to "StrictAllComponents", all components must honor the configured TLS profile.
+                  This mode is recommended for security-conscious deployments and is required for
+                  certain compliance frameworks.
+
+                  Note: The Kubelet and IngressController components are excluded from tlsAdherence control
+                  as they have their own dedicated TLS configuration mechanisms via KubeletConfig and
+                  IngressController CRs respectively.
+
+                  Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents"
+                  and log a warning to ensure forward compatibility while defaulting to the more secure behavior.
+
+                  When omitted, the default value is "LegacyExternalAPIServerComponentsOnly".
+                enum:
+                - LegacyExternalAPIServerComponentsOnly
+                - StrictAllComponents
+                type: string
               tlsSecurityProfile:
                 description: |-
                   tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.

diff --git a/...enerated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml b/...enerated.crd-manifests/0000_10_config-operator_01_apiservers-DevPreviewNoUpgrade.crd.yaml
@@ -292,6 +292,33 @@ spec:
                     type: array
                     x-kubernetes-list-type: atomic
                 type: object
+              tlsAdherence:
+                description: |-
+                  tlsAdherence controls which components in the cluster adhere to the TLS security profile
+                  configured on this APIServer resource.
+
+                  Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents".
+
+                  When set to "LegacyExternalAPIServerComponentsOnly" (the default), only the externally exposed
+                  API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured
+                  TLS profile. Other components continue to use their individual TLS configurations.
+
+                  When set to "StrictAllComponents", all components must honor the configured TLS profile.
+                  This mode is recommended for security-conscious deployments and is required for
+                  certain compliance frameworks.
+
+                  Note: The Kubelet and IngressController components are excluded from tlsAdherence control
+                  as they have their own dedicated TLS configuration mechanisms via KubeletConfig and
+                  IngressController CRs respectively.
+
+                  Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents"
+                  and log a warning to ensure forward compatibility while defaulting to the more secure behavior.
+
+                  When omitted, the default value is "LegacyExternalAPIServerComponentsOnly".
+                enum:
+                - LegacyExternalAPIServerComponentsOnly
+                - StrictAllComponents
+                type: string
               tlsSecurityProfile:
                 description: |-
                   tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.

diff --git a/...nerated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml b/...nerated.crd-manifests/0000_10_config-operator_01_apiservers-TechPreviewNoUpgrade.crd.yaml
@@ -224,6 +224,33 @@ spec:
                     type: array
                     x-kubernetes-list-type: atomic
                 type: object
+              tlsAdherence:
+                description: |-
+                  tlsAdherence controls which components in the cluster adhere to the TLS security profile
+                  configured on this APIServer resource.
+
+                  Valid values are "LegacyExternalAPIServerComponentsOnly" and "StrictAllComponents".
+
+                  When set to "LegacyExternalAPIServerComponentsOnly" (the default), only the externally exposed
+                  API server components (kube-apiserver, openshift-apiserver, oauth-apiserver) honor the configured
+                  TLS profile. Other components continue to use their individual TLS configurations.
+
+                  When set to "StrictAllComponents", all components must honor the configured TLS profile.
+                  This mode is recommended for security-conscious deployments and is required for
+                  certain compliance frameworks.
+
+                  Note: The Kubelet and IngressController components are excluded from tlsAdherence control
+                  as they have their own dedicated TLS configuration mechanisms via KubeletConfig and
+                  IngressController CRs respectively.
+
+                  Components that encounter an unknown value for tlsAdherence should treat it as "StrictAllComponents"
+                  and log a warning to ensure forward compatibility while defaulting to the more secure behavior.
+
+                  When omitted, the default value is "LegacyExternalAPIServerComponentsOnly".
+                enum:
+                - LegacyExternalAPIServerComponentsOnly
+                - StrictAllComponents
+                type: string
               tlsSecurityProfile:
                 description: |-
                   tlsSecurityProfile specifies settings for TLS connections for externally exposed servers.

diff --git a/config/v1/zz_generated.featuregated-crd-manifests.yaml b/config/v1/zz_generated.featuregated-crd-manifests.yaml
@@ -8,6 +8,7 @@ apiservers.config.openshift.io:
   FeatureGates:
   - KMSEncryption
   - KMSEncryptionProvider
+  - TLSAdherence
   FilenameOperatorName: config-operator
   FilenameOperatorOrdering: "01"
   FilenameRunLevel: "0000_10"