Support modern TLS security Profile

openshift-kube-apiserver/admission/customresourcevalidation/apiserver/validate_apiserver.go

@@ -184,6 +184,7 @@ func validateTLSSecurityProfileType(fieldPath *field.Path, profile *configv1.TLS
 		string(configv1.TLSProfileOldType),
 		string(configv1.TLSProfileIntermediateType),
 		string(configv1.TLSProfileCustomType),
+		string(configv1.TLSProfileModernType),
 	}
 
 	switch profile.Type {
@@ -200,7 +201,9 @@ func validateTLSSecurityProfileType(fieldPath *field.Path, profile *configv1.TLS
 			errs = append(errs, field.Required(fieldPath.Child("intermediate"), fmt.Sprintf(typeProfileMismatchFmt, profile.Type)))
 		}
 	case configv1.TLSProfileModernType:
-		errs = append(errs, field.NotSupported(fieldPath.Child("type"), profile.Type, availableTypes))
+		if profile.Modern == nil {
+			errs = append(errs, field.Required(fieldPath.Child("modern"), fmt.Sprintf(typeProfileMismatchFmt, profile.Type)))
+		}
 	case configv1.TLSProfileCustomType:
 		if profile.Custom == nil {
 			errs = append(errs, field.Required(fieldPath.Child("custom"), fmt.Sprintf(typeProfileMismatchFmt, profile.Type)))
@@ -247,10 +250,6 @@ func haveRequiredHTTP2CipherSuites(suites []string) bool {
 func validateMinTLSVersion(fieldPath *field.Path, version configv1.TLSProtocolVersion) field.ErrorList {
 	errs := field.ErrorList{}
 
-	if version == configv1.VersionTLS13 {
-		return append(errs, field.NotSupported(fieldPath, version, []string{string(configv1.VersionTLS10), string(configv1.VersionTLS11), string(configv1.VersionTLS12)}))
-	}
-
 	if _, err := libgocrypto.TLSVersion(string(version)); err != nil {
 		errs = append(errs, field.Invalid(fieldPath, version, err.Error()))
 	}