Browse Source

disable kubelet_authorization_mode_webhook by default (#9239)

pull/9253/head v2.19.1
Cristian Calin 2 years ago
committed by GitHub
parent
commit
453dbcef1d
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 1 additions and 2 deletions
  1. 1
      docs/hardening.md
  2. 2
      roles/kubespray-defaults/defaults/main.yaml

1
docs/hardening.md

@ -74,7 +74,6 @@ kube_kubeadm_scheduler_extra_args:
etcd_deployment_type: kubeadm
## kubelet
kubelet_authorization_mode_webhook: true
kubelet_authentication_token_webhook: true
kube_read_only_port: 0
kubelet_rotate_server_certificates: true

2
roles/kubespray-defaults/defaults/main.yaml

@ -484,7 +484,7 @@ rbac_enabled: "{{ 'RBAC' in authorization_modes }}"
kubelet_authentication_token_webhook: true
# When enabled, access to the kubelet API requires authorization by delegation to the API server
kubelet_authorization_mode_webhook: true
kubelet_authorization_mode_webhook: false
# kubelet uses certificates for authenticating to the Kubernetes API
# Automatically generate a new key and request a new certificate from the Kubernetes API as the current certificate approaches expiration

Loading…
Cancel
Save