Incoming traffic is only allowed via TLS encrypted connections, the TLS connection is terminated inside the cluster in an ingress controller. TLS versions accepted are 1.2 and 1.3, the certificates use Eliptic curve encryption (“ecdsa”) with a key size of 384 bits with and a lifetime of 90 days.