修复kubelet匿名访问漏洞

2018-05-19 16:00:31 +08:00 · 2018-05-19 16:00:31 +08:00 · 38592869e3
parent 98abd4d1a7
commit 38592869e3
2 changed files with 4 additions and 0 deletions
--- a/roles/kube-master/templates/kube-apiserver.service.j2
+++ b/roles/kube-master/templates/kube-apiserver.service.j2
@ -10,6 +10,8 @@ ExecStart={{ bin_dir }}/kube-apiserver \
  --insecure-bind-address=127.0.0.1 \
  --authorization-mode=Node,RBAC \
  --kubelet-https=true \
+  --kubelet-client-certificate={{ ca_dir }}/kubernetes.pem \
+  --kubelet-client-key={{ ca_dir }}/kubernetes-key.pem \
  --anonymous-auth=false \
  --basic-auth-file={{ ca_dir }}/basic-auth.csv \
  --enable-bootstrap-token-auth \
--- a/roles/kube-node/templates/kubelet.service.j2
+++ b/roles/kube-node/templates/kubelet.service.j2
@ -14,6 +14,7 @@ ExecStart={{ bin_dir }}/kubelet \
  --experimental-bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig \
  --kubeconfig=/etc/kubernetes/kubelet.kubeconfig \
  --cert-dir={{ ca_dir }} \
+  --client-ca-file={{ ca_dir }}/ca.pem \
  --network-plugin=cni \
  --cni-conf-dir=/etc/cni/net.d \
  --cni-bin-dir={{ bin_dir }} \
@ -21,6 +22,7 @@ ExecStart={{ bin_dir }}/kubelet \
  --cluster-domain={{ CLUSTER_DNS_DOMAIN }} \
  --hairpin-mode hairpin-veth \
  --allow-privileged=true \
+  --anonymous-auth=false \
  --fail-swap-on=false \
  --logtostderr=true \
  --v=2