kubernetes nginx ingress controller weak ciphers

Using the default cipher values in Kubernetes Nginx ingress controller shows that 2 ciphers are weak:
enter image description here

What are the values i need to set in order to replace the weak ciphers ?

Let's look at this from a bigger picture.

All TLS_RSA ciphersuites have been marked as WEAK because they don't provide forward secrecy: if the private key gets compromised in the future, all recorded traffic can be decrypted using it.

The only major browser that ever implemented those two ciphersuites you listed is Safari, and Safari has supported GCM cipher suites since 2015.
In general, any cipher suite that doesn't say CHACHA20, GCM, or CCM is now marked as either weak or insecure.

You could replace them like below:

• ECDHE-RSA-AES256-SHA384 to TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

• ECDHE-RSA-AES128-SHA256 to TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

but according to this source:

> SSL Labs identifies cipher suites using CBC with orange color and with
> text WEAK. This change won’t have any effect on the grades, as it only
> means that SSL Labs discourages the use of CBC-based cipher suites
> further.

All ciphersuites utilizing Cipher Block Chaining CBC aren't automatically WEAK, but there have been so many implementations vulnerable to padding oracle attacks that they have decided to mark them all as WEAK.

Another option would be to completely remove those two values and use DHE ciphersuites as long as they have key length of at least 2048 bits and use GCM mode: DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES128-GCM-SHA256.

You can also consider removing them completely but you actually don't have to because your implementation was not marked as vulnerable. Only implementations that are vulnerable to the new Zombie Poodle and Goldendoddle vulnerabilities will be graded F.

I hope it helps.