Add protectKernelDefaults option (default true) to kubelet config file (#6611)
Florian Ruynat
4 years ago
committed by
GitHub
3 changed files with
19 additions and
0 deletions
-
roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2
-
roles/kubernetes/preinstall/tasks/0080-system-configurations.yml
-
roles/kubespray-defaults/defaults/main.yaml
|
|
@ -31,6 +31,9 @@ healthzPort: {{ kubelet_healthz_port }} |
|
|
|
healthzBindAddress: {{ kubelet_healthz_bind_address }} |
|
|
|
kubeletCgroups: {{ kubelet_kubelet_cgroups }} |
|
|
|
clusterDomain: {{ dns_domain }} |
|
|
|
{% if kubelet_protect_kernel_defaults|bool %} |
|
|
|
protectKernelDefaults: true |
|
|
|
{% endif %} |
|
|
|
{% if kubelet_rotate_certificates|bool %} |
|
|
|
rotateCertificates: true |
|
|
|
{% endif %} |
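Review bot: The rendered kubelet config omits protectKernelDefaults entirely when the variable is false, relying on the kubelet's own default of false; rendering the value explicitly, `protectKernelDefaults: {{ kubelet_protect_kernel_defaults|bool|lower }}`, would make the hardening state visible in the file that auditors and kube-bench read, although the conditional form matches the existing rotateCertificates block directly below it. Either way a short template comment would help the next maintainer, because the effect of `true` is a kubelet that refuses to start when a checked tunable differs, and the values are written by a different role: `{# when enabled the kubelet exits at startup if a checked kernel tunable differs from its expected value; preinstall/tasks/0080-system-configurations.yml sets them #}`. The enclosing template document continues outside the hunk.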
|
|
|
|
|
@ -61,3 +61,16 @@ |
|
|
|
value: 1 |
|
|
|
state: present |
|
|
|
reload: yes |
|
|
|
|
|
|
|
- name: Ensure kube-bench parameters are set |
|
|
|
sysctl: |
|
|
|
sysctl_file: /etc/sysctl.d/bridge-nf-call.conf |
|
|
|
name: "{{ item.name }}" |
|
|
|
value: "{{ item.value }}" |
|
|
|
state: present |
|
|
|
reload: yes |
|
|
|
with_items: |
|
|
|
- { name: vm.overcommit_memory, value: 1 } |
|
|
|
- { name: kernel.panic, value: 10 } |
|
|
|
- { name: kernel.panic_on_oops, value: 1 } |
|
|
|
when: kubelet_protect_kernel_defaults|bool |
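Review bot: The with_items list covers three of the tunables the kubelet verifies under protectKernelDefaults but not `vm.panic_on_oom`, which the kubelet expects to be 0; a host where it was raised to 1 or 2 for other reasons will fail kubelet startup once the new default applies, so add `- { name: vm.panic_on_oom, value: 0 }` to the list (newer kubelet releases also check kernel.keys.root_maxkeys and kernel.keys.root_maxbytes, which is worth confirming against the kubelet versions kubespray targets). Writing these entries into `/etc/sysctl.d/bridge-nf-call.conf` buries panic and overcommit settings under a file named for bridge netfilter; a separately named drop-in (for example `/etc/sysctl.d/99-kubelet-protect-kernel-defaults.conf`, a name chosen here) keeps the change discoverable when someone later audits why a node reboots on oops. `reload: yes` follows the task above it but is a YAML 1.1 truthy value; `reload: true` is the unambiguous form.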
|
|
@ -397,6 +397,9 @@ kubelet_rotate_certificates: true |
|
|
|
# kubelet can also request a new server certificate from the Kubernetes API |
|
|
|
kubelet_rotate_server_certificates: false |
|
|
|
|
|
|
|
# If set to true, kubelet errors if any of kernel tunables is different than kubelet defaults |
|
|
|
kubelet_protect_kernel_defaults: true |
|
|
|
|
|
|
|
## List of key=value pairs that describe feature gates for |
|
|
|
## the k8s cluster. |
|
|
|
kube_feature_gates: [] |
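Review bot: The comment above `kubelet_protect_kernel_defaults: true` describes the kubelet behaviour but not that defaulting it to true affects existing clusters on upgrade: the kubelet will refuse to start on any node whose sysctl state diverges from the values the preinstall task writes, and that surfaces as a kubelet startup failure rather than as a playbook error. The comment should name the task that makes the setting safe and when to override it, e.g. `# Kubespray sets the required sysctls in roles/kubernetes/preinstall/tasks/0080-system-configurations.yml; set to false only if those tunables must keep other values on your hosts`, and read `any of the kernel tunables` rather than `any of kernel tunables`. Mentioning that the kubelet's check also covers vm.panic_on_oom (expected 0), which the preinstall task does not currently set, would tell operators what to verify before relying on the default.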
|
|
|