github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

kubeadm: Improve the kubelet default configuration security-wise

Browse Source
This commit is contained in:
Lucas Käldström
2018-05-23 23:51:49 +03:00
parent 65a819338a
commit efc408944c
6 changed files with 14 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go
View File

@@ -79,6 +79,7 @@ func Funcs(codecs runtimeserializer.CodecFactory) []interface{} {
Enabled: utilpointer.BoolPtr(false),
},
},
RotateCertificates: true,
},
}
kubeletconfigv1beta1.SetDefaults_KubeletConfiguration(obj.KubeletConfiguration.BaseConfig)

9
cmd/kubeadm/app/apis/kubeadm/v1alpha1/defaults.go
View File

@@ -247,12 +247,13 @@ func SetDefaults_KubeletConfiguration(obj *MasterConfiguration) {
obj.KubeletConfiguration.BaseConfig.Authorization.Mode = kubeletconfigv1beta1.KubeletAuthorizationModeWebhook
// Let clients using other authentication methods like ServiceAccount tokens also access the kubelet API
// TODO: Enable in a future PR
// obj.KubeletConfiguration.BaseConfig.Authentication.Webhook.Enabled = utilpointer.BoolPtr(true)
obj.KubeletConfiguration.BaseConfig.Authentication.Webhook.Enabled = utilpointer.BoolPtr(true)
// Disable the readonly port of the kubelet, in order to not expose unnecessary information
// TODO: Enable in a future PR
// obj.KubeletConfiguration.BaseConfig.ReadOnlyPort = 0
obj.KubeletConfiguration.BaseConfig.ReadOnlyPort = 0
// Enables client certificate rotation for the kubelet
obj.KubeletConfiguration.BaseConfig.RotateCertificates = true
// Serve a /healthz webserver on localhost:10248 that kubeadm can talk to
obj.KubeletConfiguration.BaseConfig.HealthzBindAddress = "127.0.0.1"

9
cmd/kubeadm/app/apis/kubeadm/v1alpha2/defaults.go
View File

@@ -210,12 +210,13 @@ func SetDefaults_KubeletConfiguration(obj *MasterConfiguration) {
obj.KubeletConfiguration.BaseConfig.Authorization.Mode = kubeletconfigv1beta1.KubeletAuthorizationModeWebhook
// Let clients using other authentication methods like ServiceAccount tokens also access the kubelet API
// TODO: Enable in a future PR
// obj.KubeletConfiguration.BaseConfig.Authentication.Webhook.Enabled = utilpointer.BoolPtr(true)
obj.KubeletConfiguration.BaseConfig.Authentication.Webhook.Enabled = utilpointer.BoolPtr(true)
// Disable the readonly port of the kubelet, in order to not expose unnecessary information
// TODO: Enable in a future PR
// obj.KubeletConfiguration.BaseConfig.ReadOnlyPort = 0
obj.KubeletConfiguration.BaseConfig.ReadOnlyPort = 0
// Enables client certificate rotation for the kubelet
obj.KubeletConfiguration.BaseConfig.RotateCertificates = true
// Serve a /healthz webserver on localhost:10248 that kubeadm can talk to
obj.KubeletConfiguration.BaseConfig.HealthzBindAddress = "127.0.0.1"

1
cmd/kubeadm/app/util/config/testdata/conversion/master/internal.yaml vendored
View File

@@ -130,6 +130,7 @@ KubeletConfiguration:
registryBurst: 10
registryPullQPS: 5
resolvConf: /etc/resolv.conf
rotateCertificates: true
runtimeRequestTimeout: 2m0s
serializeImagePulls: true
staticPodPath: /etc/kubernetes/manifests

1
cmd/kubeadm/app/util/config/testdata/conversion/master/v1alpha2.yaml vendored
View File

@@ -123,6 +123,7 @@ kubeletConfiguration:
registryBurst: 10
registryPullQPS: 5
resolvConf: /etc/resolv.conf
rotateCertificates: true
runtimeRequestTimeout: 2m0s
serializeImagePulls: true
staticPodPath: /etc/kubernetes/manifests

1
cmd/kubeadm/app/util/config/testdata/defaulting/master/defaulted.yaml vendored
View File

@@ -118,6 +118,7 @@ kubeletConfiguration:
registryBurst: 10
registryPullQPS: 5
resolvConf: /etc/resolv.conf
rotateCertificates: true
runtimeRequestTimeout: 2m0s
serializeImagePulls: true
staticPodPath: /etc/kubernetes/manifests