From 082507cff2cb3762b5b073f3c84610d547be26dd Mon Sep 17 00:00:00 2001
From: Shaleen Bathla
Date: Mon, 18 Aug 2025 19:21:11 +0530
Subject: [PATCH] kubelet: conditionalize staticPodPath location (#12433)

Add variable to set kubelet staticPodPath location. It can be set to empty so that we can choose to disable it for some nodes. STIG recommendation is to disable it.

Signed-off-by: Shaleen Bathla
Co-authored-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
---
 docs/operations/hardening.md | 2 ++
 roles/kubernetes/node/defaults/main.yml | 2 ++
 roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2 | 2 +-
 3 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/docs/operations/hardening.md b/docs/operations/hardening.md
index 3aba0dc37..a6c4984a3 100644
--- a/docs/operations/hardening.md
+++ b/docs/operations/hardening.md
@@ -96,6 +96,8 @@ kubelet_make_iptables_util_chains: true
 kubelet_feature_gates: ["RotateKubeletServerCertificate=true"]
 kubelet_seccomp_default: true
 kubelet_systemd_hardening: true
+# To disable kubelet's staticPodPath (for nodes that don't use static pods like worker nodes)
+kubelet_static_pod_path: ""
 # In case you have multiple interfaces in your
 # control plane nodes and you want to specify the right
 # IP addresses, kubelet_secure_addresses allows you
diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml
index 5af9c0bb4..59e643568 100644
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@@ -188,6 +188,8 @@ conntrack_modules:
 - nf_conntrack - nf_conntrack_ipv4 +# Set this option to "" (empty) to disable staticPodPath (See docs/operations/hardening.md) +kubelet_static_pod_path: "{{ kube_manifest_dir }}" ## Enable distributed tracing for kubelet kubelet_tracing: false
diff --git a/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2 b/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2
index 6035611c8..8ad76b552 100644
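Review bot: The new default in roles/kubernetes/node/defaults/main.yml applies to every host, and its comment does not warn that emptying it on a control-plane node removes the directory the kubeadm control-plane manifests (kube-apiserver, etcd, controller-manager, scheduler) are loaded from, which takes the cluster down on the next kubelet restart. Worker nodes are also not necessarily static-pod-free in this playbook: if `loadbalancer_apiserver_localhost` is enabled, kubespray (as far as I recall) places an nginx-proxy static pod in `kube_manifest_dir` on workers, so blanket "" for workers needs confirming against that path. I would extend the comment to `# Set this option to "" (empty) to disable staticPodPath on nodes that run no static pods (See docs/operations/hardening.md).` followed by `# Never empty it on control-plane nodes (kubeadm static pods) or on workers that run the local apiserver proxy; scope the override via group_vars/host_vars.`. A fail-fast `ansible.builtin.assert` in the node role tasks that a host in `kube_control_plane` still has a non-empty `kubelet_static_pod_path` would turn this footgun into an early error; the hardening rationale (static pods bypass API-server admission, RBAC and audit, so a local write to the manifests dir is a privilege-escalation path) is worth one sentence in the docs too.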
--- a/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2
+++ b/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2
@@ -22,7 +22,7 @@ enforceNodeAllocatable:
 - {{ item }}
 {% endfor %}
 {% endif %}
-staticPodPath: {{ kube_manifest_dir }}
+staticPodPath: "{{ kubelet_static_pod_path }}"
 cgroupDriver: {{ kubelet_cgroup_driver | default('systemd') }}
 containerLogMaxFiles: {{ kubelet_logfiles_max_nr }}
 containerLogMaxSize: {{ kubelet_logfiles_max_size }}
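Review bot: The new `staticPodPath: "{{ kubelet_static_pod_path }}"` line relies on the kubelet treating an explicit empty string as "no static pod source"; as far as I can tell the kubelet only creates the file source when the configured path is non-empty, so the rendered `staticPodPath: ""` works, but the intent is clearer and independent of that detail if the key is omitted when unset: `{% if kubelet_static_pod_path %}` / `staticPodPath: "{{ kubelet_static_pod_path }}"` / `{% endif %}`. Either way a short template comment such as `{# Static pods bypass API-server admission/RBAC/audit; STIG: leave the path empty on nodes that run none #}` would record why an operator might blank this. The quoting added here is correct and should stay, since an unquoted empty expansion would render as YAML null rather than a string.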