diff --git a/pkg/controller/cluster/main-controller.go b/pkg/controller/cluster/main-controller.go
index a81fc0376cb..a6d569732f4 100644
--- a/pkg/controller/cluster/main-controller.go
+++ b/pkg/controller/cluster/main-controller.go
@@ -361,6 +361,18 @@ func (c *Controller) Start(threadiness int, stopCh <-chan struct{}) error {
 }
 serverCertsManager = certsManager
 c.ws.TLSConfig = &tls.Config{
+ PreferServerCipherSuites: true,
+ CurvePreferences: []tls.CurveID{tls.CurveP256},
+ NextProtos: []string{"h2", "http/1.1"},
+ MinVersion: tls.VersionTLS12,
+ CipherSuites: []uint16{
+ tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+ tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+ },
 GetCertificate: certsManager.GetCertificate,
 }
 if err := c.ws.ListenAndServeTLS("", ""); err != http.ErrServerClosed {
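Review bot: `PreferServerCipherSuites: true` and the order of the `CipherSuites` entries have no effect on Go 1.17 and later, where crypto/tls ignores both and chooses the suite order itself; if the module targets that Go version the field can be dropped, and if it targets an older one a comment should say so, since a reader will otherwise assume the ordering is enforced. The `CipherSuites` list constrains TLS 1.2 handshakes only — TLS 1.3 suites are fixed by crypto/tls and cannot be narrowed — so a comment such as `// TLS 1.2 suites only; TLS 1.3 suites are not configurable in crypto/tls.` above the list would keep that from being misread as covering every handshake. Limiting `CurvePreferences` to `tls.CurveP256` alone removes X25519 from key exchange for clients that would otherwise prefer it; if that is intentional (for example to match a compliance profile), a one-line comment recording the reason would stop a later reviewer from "fixing" it. The body of Start continues outside the hunk.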