diff --git a/docs/hardening.md b/docs/hardening.md
index b3359b74b..5aa8fcfb0 100644
--- a/docs/hardening.md
+++ b/docs/hardening.md
@@ -85,6 +85,7 @@ kube_kubeadm_scheduler_extra_args:
 etcd_deployment_type: kubeadm
 ## kubelet
+kubelet_authorization_mode_webhook: true
 kubelet_authentication_token_webhook: true
 kube_read_only_port: 0
 kubelet_rotate_server_certificates: true
diff --git a/roles/kubernetes-apps/cluster_roles/tasks/main.yml b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
index ddbddba4b..f0e07018c 100644
--- a/roles/kubernetes-apps/cluster_roles/tasks/main.yml
+++ b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
@@ -37,55 +37,25 @@ - node_crb_manifest.changed - inventory_hostname == groups['kube_control_plane'][0] -- name: Kubernetes Apps | Add webhook ClusterRole that grants access to proxy, stats, log, spec, and metrics on a kubelet - template: - src: "node-webhook-cr.yml.j2" - dest: "{{ kube_config_dir }}/node-webhook-cr.yml" - mode: 0640 - register: node_webhook_cr_manifest - when: - - rbac_enabled - - kubelet_authorization_mode_webhook - - inventory_hostname == groups['kube_control_plane'][0] - tags: node-webhook - -- name: Apply webhook ClusterRole +- name: Kubernetes Apps | Remove old webhook ClusterRole kube: name: "system:node-webhook" kubectl: "{{ bin_dir }}/kubectl" resource: "clusterrole" - filename: "{{ kube_config_dir }}/node-webhook-cr.yml" - state: latest + state: absent when: - rbac_enabled - - kubelet_authorization_mode_webhook - - node_webhook_cr_manifest.changed - inventory_hostname == groups['kube_control_plane'][0] tags: node-webhook -- name: Kubernetes Apps | Add ClusterRoleBinding for system:nodes to webhook ClusterRole - template: - src: "node-webhook-crb.yml.j2" - dest: "{{ kube_config_dir }}/node-webhook-crb.yml" - mode: 0640 - register: node_webhook_crb_manifest - when: - - rbac_enabled - - kubelet_authorization_mode_webhook - - inventory_hostname == groups['kube_control_plane'][0] - tags: node-webhook - -- name: Grant system:nodes the webhook ClusterRole +- name: Kubernetes Apps | Remove old webhook ClusterRoleBinding kube: name: "system:node-webhook" kubectl: "{{ bin_dir }}/kubectl" resource: "clusterrolebinding" - filename: "{{ kube_config_dir }}/node-webhook-crb.yml" - state: latest + state: absent when: - rbac_enabled - - kubelet_authorization_mode_webhook - - node_webhook_crb_manifest.changed - inventory_hostname == groups['kube_control_plane'][0] tags: node-webhook 
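Review bot: The two replacement tasks carry no comment saying why `system:node-webhook` is deleted, so a later reader sees only a cleanup that runs on every converge with no hint of when it can go. The deleted ClusterRole (visible on the old side of this diff) gave the whole `system:nodes` group every verb on `nodes/proxy`, `nodes/stats`, `nodes/log`, `nodes/spec` and `nodes/metrics`, meaning any one kubelet's client credentials could reach every other node's kubelet API, so the removal is a genuine privilege reduction that deserves to be stated. I would add above the first task: `# system:node-webhook granted the whole system:nodes group full access to every node's kubelet API (nodes/proxy, stats, log, spec, metrics); it is deleted so kubelet webhook authorization relies on the built-in RBAC rules instead. Drop these tasks once all supported upgrade paths have run them.` Since the tasks are no longer gated on `kubelet_authorization_mode_webhook`, they also run on clusters that never created these objects; whether the `kube` module tolerates a missing resource on `state: absent` is not visible from this hunk and should be confirmed.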
diff --git a/roles/kubernetes-apps/cluster_roles/templates/node-webhook-cr.yml.j2 b/roles/kubernetes-apps/cluster_roles/templates/node-webhook-cr.yml.j2 deleted file mode 100644 index bf9aaf73f..000000000 --- a/roles/kubernetes-apps/cluster_roles/templates/node-webhook-cr.yml.j2 +++ /dev/null @@ -1,20 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:node-webhook -rules: - - apiGroups: - - "" - resources: - - nodes/proxy - - nodes/stats - - nodes/log - - nodes/spec - - nodes/metrics - verbs: - - "*" diff --git a/roles/kubernetes-apps/cluster_roles/templates/node-webhook-crb.yml.j2 b/roles/kubernetes-apps/cluster_roles/templates/node-webhook-crb.yml.j2 deleted file mode 100644 index 68aed5cb5..000000000 --- a/roles/kubernetes-apps/cluster_roles/templates/node-webhook-crb.yml.j2 +++ /dev/null @@ -1,17 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "true" - labels: - kubernetes.io/bootstrapping: rbac-defaults - name: system:node-webhook -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:node-webhook -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:nodes diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml index 6d91768bd..b02744dbc 100644 --- a/roles/kubespray-defaults/defaults/main.yaml +++ b/roles/kubespray-defaults/defaults/main.yaml 
@@ -480,7 +480,7 @@ rbac_enabled: "{{ 'RBAC' in authorization_modes }}"
 kubelet_authentication_token_webhook: true
 # When enabled, access to the kubelet API requires authorization by delegation to the API server
-kubelet_authorization_mode_webhook: false
+kubelet_authorization_mode_webhook: true
 # kubelet uses certificates for authenticating to the Kubernetes API
 # Automatically generate a new key and request a new certificate from the Kubernetes API as the current certificate approaches expiration
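Review bot: Flipping the default of `kubelet_authorization_mode_webhook` to `true` changes the behaviour of existing clusters on their next upgrade, yet the comment above the key still only says what the mode does, not what callers now need. Once the kubelet delegates authorization to the API server, every client of the kubelet API must hold RBAC on the `nodes/proxy`, `nodes/stats`, `nodes/log` and `nodes/metrics` subresources (the built-in `system:kubelet-api-admin` ClusterRole covers these), and anything that previously relied on the now-removed `system:node-webhook` binding or on no authorization at all will start receiving 403s from the kubelet. I would extend the comment to: `# When enabled, access to the kubelet API requires authorization by delegation to the API server. Kubelet API clients (kube-apiserver for logs/exec, metrics-server, Prometheus scrapers) then need RBAC on nodes/proxy, nodes/stats, nodes/log and nodes/metrics, e.g. the built-in system:kubelet-api-admin ClusterRole; this is a behaviour change for clusters upgraded from a release where the default was false.` Whether kubespray's own addons already carry those grants cannot be seen from this hunk.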