Match the TLS ciphers that the EKS Optimized AMIs use. This also helps with a problem observed in VMware variants, where the kubelet HTTPS server refused TLS connections in FIPS mode.
Testing done:
[x] AWS k8s 1.24, kubectl exec and kubectl logs work
[x] AWS k8s 1.25, kubectl exec and kubectl logs work
[x] AWS k8s 1.26, kubectl exec and kubectl logs work
[x] AWS k8s 1.27, kubectl exec and kubectl logs work
[x] AWS k8s 1.28, kubectl exec and kubectl logs work
[x] AWS k8s 1.29, kubectl exec and kubectl logs work
[x] AWS k8s 1.30, kubectl exec and kubectl logs work
[x] AWS k8s 1.31, kubectl exec and kubectl logs work
[x] VMware k8s 1.28, kubectl exec and kubectl logs work
[x] VMware k8s 1.29, kubectl exec and kubectl logs work
[x] VMware k8s 1.30, kubectl exec and kubectl logs work
[x] VMware k8s 1.31, kubectl exec and kubectl logs work
Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.
Any "joins cluster" tests aren't going to tell us much here; the question is whether kubectl logs and kubectl exec still work, since those connect to the kubelet server.
Issue number:
Related to https://github.com/bottlerocket-os/bottlerocket/issues/1667