Merge pull request #48859 from victorgp/master

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Support for custom tls cipher suites in api server and kubelet

**What this PR does / why we need it**:
This pull request aims to solve the problem of users not able to set custom cipher suites in the api server.
Several users have requested this given that some default ciphers are vulnerable.
There is a discussion in #41038 of how to implement this. The options are:
- Setting a fixed list of ciphers, but users will have different requirements so a fixed list would be problematic.
- Letting the user set them by parameter, this requires adding a new parameter that could be pretty long with the list of all the ciphers.

I implemented the second option, if the ciphers are not passed by parameter, the Go default ones will be used (same behavior as now).

**Which issue this PR fixes**
fixes #41038

**Special notes for your reviewer**:
The ciphers in Go tls config are constants and the ones passed by parameters are a comma-separated list. I needed to create the `type CipherSuitesFlag` to support that conversion/mapping, because i couldn't find any way to do this type of reflection in Go.
If you think there is another way to implement this, let me know.

If you want to test it out, this is a ciphers combination i tested without the weak ones:

```
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
```

If this is merged i will implement the same for the Kubelet.

**Release note**:
```release-note
kube-apiserver and kubelet now support customizing TLS ciphers via a `--tls-cipher-suites` flag
```

Kubernetes-commit: b7100f1ee7231617891a100dd34b3490a1f578e4

Godeps/Godeps.json

@@ -1200,579 +1200,579 @@
 		},
 		{
 			"ImportPath": "k8s.io/client-go/discovery",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/discovery/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/admissionregistration",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/admissionregistration/v1alpha1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/admissionregistration/v1beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/apps",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/apps/v1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/apps/v1beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/apps/v1beta2",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/autoscaling",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/autoscaling/v1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/autoscaling/v2beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/batch",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/batch/v1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/batch/v1beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/batch/v2alpha1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/certificates",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/certificates/v1beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/core",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/core/v1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/events",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/events/v1beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/extensions",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/extensions/v1beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/internalinterfaces",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/networking",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/networking/v1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/policy",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/policy/v1beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/rbac",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/rbac/v1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/rbac/v1alpha1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/rbac/v1beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/scheduling",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/scheduling/v1alpha1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/settings",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/settings/v1alpha1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/storage",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/storage/v1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/storage/v1alpha1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/informers/storage/v1beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/scheme",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/admissionregistration/v1alpha1/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/admissionregistration/v1beta1/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/apps/v1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/apps/v1/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/apps/v1beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/apps/v1beta1/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/apps/v1beta2",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/apps/v1beta2/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/authentication/v1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/authentication/v1/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/authentication/v1beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/authentication/v1beta1/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/authorization/v1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/authorization/v1/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/authorization/v1beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/authorization/v1beta1/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/autoscaling/v1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/autoscaling/v1/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/autoscaling/v2beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/autoscaling/v2beta1/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/batch/v1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/batch/v1/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/batch/v1beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/batch/v1beta1/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/batch/v2alpha1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/batch/v2alpha1/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/certificates/v1beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/certificates/v1beta1/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/core/v1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/core/v1/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/events/v1beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/events/v1beta1/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/extensions/v1beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/extensions/v1beta1/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/networking/v1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/networking/v1/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/policy/v1beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/policy/v1beta1/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/rbac/v1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/rbac/v1/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/rbac/v1alpha1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/rbac/v1alpha1/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/rbac/v1beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/rbac/v1beta1/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/scheduling/v1alpha1/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/settings/v1alpha1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/settings/v1alpha1/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/storage/v1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/storage/v1/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/storage/v1alpha1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/storage/v1alpha1/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/storage/v1beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/kubernetes/typed/storage/v1beta1/fake",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/listers/admissionregistration/v1alpha1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/listers/admissionregistration/v1beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/listers/apps/v1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/listers/apps/v1beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/listers/apps/v1beta2",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/listers/autoscaling/v1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/listers/autoscaling/v2beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/listers/batch/v1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/listers/batch/v1beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/listers/batch/v2alpha1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/listers/certificates/v1beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/listers/core/v1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/listers/events/v1beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/listers/extensions/v1beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/listers/networking/v1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/listers/policy/v1beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/listers/rbac/v1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/listers/rbac/v1alpha1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/listers/rbac/v1beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/listers/scheduling/v1alpha1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/listers/settings/v1alpha1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/listers/storage/v1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/listers/storage/v1alpha1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/listers/storage/v1beta1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/pkg/version",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/rest",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/rest/watch",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/testing",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/tools/auth",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/tools/cache",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/tools/clientcmd",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/tools/clientcmd/api",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/tools/clientcmd/api/latest",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/tools/clientcmd/api/v1",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/tools/metrics",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/tools/pager",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/tools/reference",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/transport",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/util/buffer",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/util/cert",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/util/flowcontrol",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/util/homedir",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/client-go/util/integer",
-			"Rev": "ce9bf2bd6c56abe0d5a993b6ac21accead8de379"
+			"Rev": "da710ccb08aa4a9885c7b01556e5b8c122681bb8"
 		},
 		{
 			"ImportPath": "k8s.io/kube-openapi/pkg/builder",

pkg/server/options/serving.go

@@ -51,6 +51,9 @@ type SecureServingOptions struct {
 	ServerCert GeneratableKeyCert
 	// SNICertKeys are named CertKeys for serving secure traffic with SNI support.
 	SNICertKeys []utilflag.NamedCertKey
+	// CipherSuites is the list of allowed cipher suites for the server.
+	// Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants).
+	CipherSuites []string
 }
 
 type CertKey struct {
@@ -134,6 +137,11 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
 		"Controllers. This must be a valid PEM-encoded CA bundle. Altneratively, the certificate authority "+
 		"can be appended to the certificate provided by --tls-cert-file.")
 
+	fs.StringSliceVar(&s.CipherSuites, "tls-cipher-suites", s.CipherSuites,
+		"Comma-separated list of cipher suites for the server. "+
+			"Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). "+
+			"If omitted, the default Go cipher suites will be used")
+
 	fs.Var(utilflag.NewNamedCertKeyArray(&s.SNICertKeys), "tls-sni-cert-key", ""+
 		"A pair of x509 certificate and private key file paths, optionally suffixed with a list of "+
 		"domain patterns which are fully qualified domain names, possibly with prefixed wildcard "+
@@ -233,6 +241,14 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
 		}
 	}
 
+	if len(s.CipherSuites) != 0 {
+		cipherSuites, err := utilflag.TLSCipherSuites(s.CipherSuites)
+		if err != nil {
+			return err
+		}
+		secureServingInfo.CipherSuites = cipherSuites
+	}
+
 	// load SNI certs
 	namedTLSCerts := make([]server.NamedTLSCert, 0, len(s.SNICertKeys))
 	for _, nck := range s.SNICertKeys {

pkg/util/flag/BUILD

@@ -9,6 +9,7 @@ load(
 go_test(
     name = "go_default_test",
     srcs = [
+        "ciphersuites_flag_test.go",
         "colon_separated_multimap_string_string_test.go",
         "langle_separated_map_string_string_test.go",
         "map_string_bool_test.go",
@@ -23,6 +24,7 @@ go_test(
 go_library(
     name = "go_default_library",
     srcs = [
+        "ciphersuites_flag.go",
         "colon_separated_multimap_string_string.go",
         "configuration_map.go",
         "flags.go",

pkg/util/flag/ciphersuites_flag.go

@@ -0,0 +1,64 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package flag
+
+import (
+	"crypto/tls"
+	"fmt"
+)
+
+// ciphers maps strings into tls package cipher constants in
+// https://golang.org/pkg/crypto/tls/#pkg-constants
+var ciphers = map[string]uint16{
+	"TLS_RSA_WITH_RC4_128_SHA":                tls.TLS_RSA_WITH_RC4_128_SHA,
+	"TLS_RSA_WITH_3DES_EDE_CBC_SHA":           tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+	"TLS_RSA_WITH_AES_128_CBC_SHA":            tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+	"TLS_RSA_WITH_AES_256_CBC_SHA":            tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+	"TLS_RSA_WITH_AES_128_CBC_SHA256":         tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
+	"TLS_RSA_WITH_AES_128_GCM_SHA256":         tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+	"TLS_RSA_WITH_AES_256_GCM_SHA384":         tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+	"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA":        tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA":    tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+	"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA":    tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+	"TLS_ECDHE_RSA_WITH_RC4_128_SHA":          tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+	"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA":     tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA":      tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA":      tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256":   tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":   tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384":   tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305":    tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305":  tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+}
+
+func TLSCipherSuites(cipherNames []string) ([]uint16, error) {
+	if len(cipherNames) == 0 {
+		return nil, nil
+	}
+	ciphersIntSlice := make([]uint16, 0)
+	for _, cipher := range cipherNames {
+		intValue, ok := ciphers[cipher]
+		if !ok {
+			return nil, fmt.Errorf("Cipher suite %s not supported or doesn't exist", cipher)
+		}
+		ciphersIntSlice = append(ciphersIntSlice, intValue)
+	}
+	return ciphersIntSlice, nil
+}

pkg/util/flag/ciphersuites_flag_test.go

@@ -0,0 +1,100 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package flag
+
+import (
+	"crypto/tls"
+	"fmt"
+	"go/importer"
+	"reflect"
+	"strings"
+	"testing"
+)
+
+func TestStrToUInt16(t *testing.T) {
+	tests := []struct {
+		flag           []string
+		expected       []uint16
+		expected_error bool
+	}{
+		{
+			// Happy case
+			flag:           []string{"TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"},
+			expected:       []uint16{tls.TLS_RSA_WITH_RC4_128_SHA, tls.TLS_RSA_WITH_AES_128_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
+			expected_error: false,
+		},
+		{
+			// One flag only
+			flag:           []string{"TLS_RSA_WITH_RC4_128_SHA"},
+			expected:       []uint16{tls.TLS_RSA_WITH_RC4_128_SHA},
+			expected_error: false,
+		},
+		{
+			// Empty flag
+			flag:           []string{},
+			expected:       nil,
+			expected_error: false,
+		},
+		{
+			// Duplicated flag
+			flag:           []string{"TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA"},
+			expected:       []uint16{tls.TLS_RSA_WITH_RC4_128_SHA, tls.TLS_RSA_WITH_AES_128_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, tls.TLS_RSA_WITH_RC4_128_SHA},
+			expected_error: false,
+		},
+		{
+			// Invalid flag
+			flag:           []string{"foo"},
+			expected:       nil,
+			expected_error: true,
+		},
+	}
+
+	for i, test := range tests {
+		uIntFlags, err := TLSCipherSuites(test.flag)
+		if reflect.DeepEqual(uIntFlags, test.expected) == false {
+			t.Errorf("%d: expected %+v, got %+v", i, test.expected, uIntFlags)
+		}
+		if test.expected_error && err == nil {
+			t.Errorf("%d: expecting error, got %+v", i, err)
+		}
+	}
+}
+
+func TestConstantMaps(t *testing.T) {
+	pkg, err := importer.Default().Import("crypto/tls")
+	if err != nil {
+		fmt.Printf("error: %s\n", err.Error())
+		return
+	}
+	discoveredCiphers := map[string]bool{}
+	for _, declName := range pkg.Scope().Names() {
+		if strings.HasPrefix(declName, "TLS_RSA_") || strings.HasPrefix(declName, "TLS_ECDHE_") {
+			discoveredCiphers[declName] = true
+		}
+	}
+
+	for k := range discoveredCiphers {
+		if _, ok := ciphers[k]; !ok {
+			t.Errorf("discovered cipher tls.%s not in ciphers map", k)
+		}
+	}
+	for k := range ciphers {
+		if _, ok := discoveredCiphers[k]; !ok {
+			t.Errorf("ciphers map has %s not in tls package", k)
+		}
+	}
+}