diff --git a/pkg/api/controller.go b/pkg/api/controller.go
index f51621d8a5..2bfc12c40d 100644
--- a/pkg/api/controller.go
+++ b/pkg/api/controller.go
@@ -182,8 +182,25 @@ func (c *Controller) Run() error {
 	}
 
 	server.TLSConfig = &tls.Config{
-		ClientAuth:               clientAuth,
-		ClientCAs:                caCertPool,
+		ClientAuth:   clientAuth,
+		ClientCAs:    caCertPool,
+		CipherSuites: []uint16{
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			// tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, // Go 1.8 only
+			// tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, // Go 1.8 only
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+
+			// Best disabled, as they don't provide Forward Secrecy,
+			// but might be necessary for some clients
+			// tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+			// tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+		},
+		CurvePreferences: []tls.CurveID{
+			tls.CurveP256,
+			// tls.X25519, // Go 1.8 only
+		},
 		PreferServerCipherSuites: true,
 		MinVersion:               tls.VersionTLS12,
 	}
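Review bot: The three "Go 1.8 only" entries (both ChaCha20-Poly1305 suites and X25519) are left as commented-out lines inside the `tls.Config` literal, so once the toolchain floor is raised nothing will surface that they are still disabled — and ChaCha20-Poly1305 is the suite you want for clients without AES-NI, while a client that offers only X25519 will fail the handshake against a `CurvePreferences` of `tls.CurveP256` alone. Hoisting the lists into package-level `var tlsCipherSuites = []uint16{…}` and `var tlsCurvePreferences = []tls.CurveID{…}` gives them one place to live, lets a test assert the negotiated suite set, and keeps the `// TODO(go1.8): enable ChaCha20-Poly1305 and X25519` note next to the values rather than buried in the server setup. Worth adding above `CipherSuites` is a comment that this list only governs TLS 1.2 handshakes — `MinVersion` is TLS 1.2, and if a later Go release turns on TLS 1.3 its suites are selected automatically and are not affected by this setting. The ECDSA suites are only usable if the served certificate is ECDSA, which this hunk does not show, so a short comment on whether both key types are expected would help the next reader. `Run()` begins before and ends after this hunk.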