Improve TLS 1.2 constraint comment for cipher suite testing

Update the comment explaining why cipher suite tests are constrained to
TLS 1.2 to be more technically accurate. The previous comment suggested
this was about "Go 1.23+ behavior", but the real issue is fundamental to
how TLS 1.3 works:

- The intermediate profile allows both TLS 1.2 and TLS 1.3
- Clients negotiate TLS 1.3 when MaxVersion is unspecified and server supports it
- TLS 1.3 spec predefines cipher suites and doesn't support configuration
- Therefore, specifying any cipher suite has no effect with TLS 1.3
- Forcing TLS 1.2 allows actual testing of cipher suite restrictions

This makes the reasoning clearer for future maintainers.

Author: wangke19

test/extended/apiserver/tls.go

@@ -165,8 +165,11 @@ var _ = g.Describe("[sig-api-machinery][Feature:APIServer]", func() {
 					return err
 				}
 				expectFailure := !defaultCiphers[cipher]
-				// Constrain to TLS 1.2 to prevent Go 1.23+ from silently ignoring
-				// deprecated ciphers and falling back to TLS 1.3 with secure defaults
+				// Constrain to TLS 1.2 because the intermediate profile allows both TLS 1.2 and TLS 1.3.
+				// If MaxVersion is unspecified, the client negotiates TLS 1.3 when the server supports it.
+				// TLS 1.3 does not support configuring cipher suites (predetermined by the spec), so
+				// specifying any cipher suite (RC4 or otherwise) has no effect with TLS 1.3.
+				// By forcing TLS 1.2, we can actually test the cipher suite restrictions.
 				cfg := &tls.Config{
 					CipherSuites:       []uint16{cipher},
 					MinVersion:         tls.VersionTLS12,