Browse Source
Update kubelet systemd service default allowed IP addresses for cluster hardening (#11061)
Signed-off-by: bmelbourne <barry.melbourne0@gmail.com>
pull/11074/head
Barry M
7 months ago
committed by
GitHub
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with
4 additions and
3 deletions
-
docs/hardening.md
-
roles/kubernetes/node/defaults/main.yml
|
|
|
@ -107,7 +107,7 @@ kubelet_systemd_hardening: true |
|
|
|
# IP addresses, kubelet_secure_addresses allows you |
|
|
|
# to specify the IP from which the kubelet |
|
|
|
# will receive the packets. |
|
|
|
kubelet_secure_addresses: "192.168.10.110 192.168.10.111 192.168.10.112" |
|
|
|
kubelet_secure_addresses: "localhost link-local {{ kube_pods_subnet }} 192.168.10.110 192.168.10.111 192.168.10.112" |
|
|
|
|
|
|
|
# additional configurations |
|
|
|
kube_owner: root |
|
|
|
|
|
|
|
@ -24,10 +24,11 @@ kubelet_kubelet_cgroups_cgroupfs: "/system.slice/kubelet.service" |
|
|
|
kubelet_systemd_hardening: false |
|
|
|
|
|
|
|
# List of secure IPs for kubelet |
|
|
|
kubelet_secure_addresses: >- |
|
|
|
{%- for host in groups['kube_control_plane'] -%} |
|
|
|
kube_node_addresses: >- |
|
|
|
{%- for host in (groups['kube_control_plane'] + groups['kube_node'] + groups['etcd']) | unique -%} |
|
|
|
{{ hostvars[host]['ip'] | default(fallback_ips[host]) }}{{ ' ' if not loop.last else '' }} |
|
|
|
{%- endfor -%} |
|
|
|
kubelet_secure_addresses: "localhost link-local {{ kube_pods_subnet }} {{ kube_node_addresses }}" |
|
|
|
|
|
|
|
# Reserve this space for kube resources |
|
|
|
# Set to true to reserve resources for kube daemons |
|
|
|
|
