diff --git a/internal/concierge/impersonator/impersonator.go b/internal/concierge/impersonator/impersonator.go
index f02ed631..8083f2d5 100644
--- a/internal/concierge/impersonator/impersonator.go
+++ b/internal/concierge/impersonator/impersonator.go
@@ -472,7 +472,7 @@ func newImpersonationReverseProxyFunc(restConfig *rest.Config) (func(*genericapi
 		return nil, fmt.Errorf("could not get http/1.1 anonymous round tripper: %w", err)
 	}
 
-	http2RoundTripper, err := getTransportForProtocol(restConfig, "h2")
+	http2RoundTripper, err := getTransportForProtocol(restConfig, "h2") // TODO figure out why this leads to still supporting http1
 	if err != nil {
 		return nil, fmt.Errorf("could not get http/2.0 round tripper: %w", err)
 	}
@@ -812,15 +812,6 @@ func getTransportForProtocol(restConfig *rest.Config, protocol string) (http.Rou
 		return nil, fmt.Errorf("could not build transport: %w", err)
 	}
 
-	// For clients that support http2, transport.New calls http2.ConfigureTransports,
-	// which configures with both h2 and http/1.1,
-	// even when you explicitly only ask for h2.
-	// Override that change.
-	cfg, err := utilnet.TLSClientConfig(rt)
-	if err != nil {
-		return nil, fmt.Errorf("could not extract TLS config: %w", err)
-	}
-	cfg.NextProtos = []string{protocol}
 	if err := kubeclient.AssertSecureTransport(rt); err != nil {
 		return nil, err // make sure we only use a secure TLS config
 	}
diff --git a/internal/concierge/impersonator/impersonator_test.go b/internal/concierge/impersonator/impersonator_test.go
index 298015fd..5bbe9c16 100644
--- a/internal/concierge/impersonator/impersonator_test.go
+++ b/internal/concierge/impersonator/impersonator_test.go
@@ -5,8 +5,6 @@ package impersonator
 
 import (
 	"context"
-	"crypto/tls"
-	"crypto/x509"
 	"fmt"
 	"math/rand"
 	"net"
@@ -703,28 +701,7 @@ func TestImpersonator(t *testing.T) {
 			testKubeAPIServerWasCalled := false
 			var testKubeAPIServerSawHeaders http.Header
 			testKubeAPIServer := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				tlsConfigFunc := func(rootCAs *x509.CertPool) *tls.Config {
-					// Requests to get configmaps, flowcontrol requests, and healthz requests
-					// are not done by our http round trippers that specify only one protocol
-					// (either http1.1 or http2, not both).
-					// For all other requests from the impersonator, if it is not an upgrade
-					// request it should only be using http2.
-					// If it is an upgrade request it should only be using http1.1, but that
-					// is covered by the AssertTLS function.
-					secure := ptls.Secure(rootCAs)
-					switch r.URL.Path {
-					case "/api/v1/namespaces/kube-system/configmaps",
-						"/apis/flowcontrol.apiserver.k8s.io/v1beta2/prioritylevelconfigurations",
-						"/apis/flowcontrol.apiserver.k8s.io/v1beta2/flowschemas",
-						"/healthz":
-					default:
-						if !httpstream.IsUpgradeRequest(r) {
-							secure.NextProtos = []string{secure.NextProtos[0]}
-						}
-					}
-					return secure
-				}
-				tlsserver.AssertTLS(t, r, tlsConfigFunc)
+				tlsserver.AssertTLS(t, r, ptls.Secure)
 
 				switch r.URL.Path {
 				case "/api/v1/namespaces/kube-system/configmaps":
@@ -1803,28 +1780,7 @@ func TestImpersonatorHTTPHandler(t *testing.T) {
 			testKubeAPIServerWasCalled := false
 			testKubeAPIServerSawHeaders := http.Header{}
 			testKubeAPIServer := tlsserver.TLSTestServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				tlsConfigFunc := func(rootCAs *x509.CertPool) *tls.Config {
-					// Requests to get configmaps, flowcontrol requests, and healthz requests
-					// are not done by our http round trippers that specify only one protocol
-					// (either http1.1 or http2, not both).
-					// For all other requests from the impersonator, if it is not an upgrade
-					// request it should only be using http2.
-					// If it is an upgrade request it should only be using http1.1, but that
-					// is covered by the AssertTLS function.
-					secure := ptls.Secure(rootCAs)
-					switch r.URL.Path {
-					case "/api/v1/namespaces/kube-system/configmaps",
-						"/apis/flowcontrol.apiserver.k8s.io/v1beta2/prioritylevelconfigurations",
-						"/apis/flowcontrol.apiserver.k8s.io/v1beta2/flowschemas",
-						"/healthz":
-					default:
-						if !httpstream.IsUpgradeRequest(r) {
-							secure.NextProtos = []string{secure.NextProtos[0]}
-						}
-					}
-					return secure
-				}
-				tlsserver.AssertTLS(t, r, tlsConfigFunc)
+				tlsserver.AssertTLS(t, r, ptls.Secure)
 
 				testKubeAPIServerWasCalled = true
 				testKubeAPIServerSawHeaders = r.Header