Fix kubelet security policy (#192)

https://kubernetes.io/docs/admin/kubelet-authentication-authorization/
By default, requests to the kubelet’s HTTPS endpoint that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of system:anonymous and a group of system:unauthenticated.

To disable anonymous access and send 401 Unauthorized responses to unauthenticated requests:

start the kubelet with the --anonymous-auth=false flag
pull/883/head
spirit 2018-05-17 22:31:54 +08:00 committed by gjmzj
parent a03fe10ee2
commit 6b6de7881e
1 changed files with 1 additions and 0 deletions

@ -22,6 +22,7 @@ ExecStart={{ bin_dir }}/kubelet \
--hairpin-mode hairpin-veth \
--allow-privileged=true \
--fail-swap-on=false \
--anonymous-auth=false \
--logtostderr=true \
--v=2
#kubelet cAdvisor 默认在所有接口监听 4194 端口的请求, 以下iptables限制内网访问
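
Review bot: The added `--anonymous-auth=false` line only turns off the anonymous fallback, and none of the flags visible in this hunk configures an authentication method or an authorization mode. Please confirm that the part of ExecStart above line 22 sets `--client-ca-file` (or `--authentication-token-webhook`) and that the apiserver presents a kubelet client certificate. Otherwise every request to the kubelet's HTTPS endpoint, including the apiserver's own, will get 401 Unauthorized. Consider also setting `--authorization-mode=Webhook` in the same change, because the flag's default of AlwaysAllow lets any authenticated caller use the full kubelet API, which matters more with `--allow-privileged=true` two lines above. A one-line comment next to the new flag pointing at the linked documentation would help the next reader of this unit file.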