Currently there is no way to customize this other than a complicated process after the fact. It would be good to be able to specify this during initial cluster standup.
Similar to how you can specify it during deployment when using RKE (partial cluster.yml snippet):
This allows you, for example, to deploy a "*.namespace.k8s-int.example.com" fully trusted wildcard cert into the cluster that pods can use, and then they can use DNS-based service references to refer to internal services using the internal cluster DNS -- while still having a fully validatable cert (without relying on "add to the CA list" type of actions).