From 83bdcfd41a847b8c5917c20545be202f11374ea9 Mon Sep 17 00:00:00 2001
From: gjmzj
Date: Thu, 17 May 2018 22:51:15 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8Dkubelet=E5=8C=BF=E5=90=8D?= =?UTF-8?q?=E8=AE=BF=E9=97=AE=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 roles/kube-master/templates/kube-apiserver.service.j2 | 2 ++
 roles/kube-node/templates/kubelet.service.j2 | 1 +
 roles/os-harden/defaults/main.yml | 4 ++--
 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/roles/kube-master/templates/kube-apiserver.service.j2 b/roles/kube-master/templates/kube-apiserver.service.j2
index fc2cd79..fd96d83 100644
--- a/roles/kube-master/templates/kube-apiserver.service.j2
+++ b/roles/kube-master/templates/kube-apiserver.service.j2
@@ -10,6 +10,8 @@ ExecStart={{ bin_dir }}/kube-apiserver \
 --insecure-bind-address=127.0.0.1 \
 --authorization-mode=Node,RBAC \
 --kubelet-https=true \
+ --kubelet-client-certificate={{ ca_dir }}/kubernetes.pem \
+ --kubelet-client-key={{ ca_dir }}/kubernetes-key.pem \
 --anonymous-auth=false \
 --basic-auth-file={{ ca_dir }}/basic-auth.csv \
 --enable-bootstrap-token-auth \
diff --git a/roles/kube-node/templates/kubelet.service.j2 b/roles/kube-node/templates/kubelet.service.j2
index c969960..5311e87 100644
--- a/roles/kube-node/templates/kubelet.service.j2
+++ b/roles/kube-node/templates/kubelet.service.j2
@@ -14,6 +14,7 @@ ExecStart={{ bin_dir }}/kubelet \
 --experimental-bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig \
 --kubeconfig=/etc/kubernetes/kubelet.kubeconfig \
 --cert-dir={{ ca_dir }} \
+ --client-ca-file={{ ca_dir }}/ca.pem \
 --network-plugin=cni \
 --cni-conf-dir=/etc/cni/net.d \
 --cni-bin-dir={{ bin_dir }} \
diff --git a/roles/os-harden/defaults/main.yml b/roles/os-harden/defaults/main.yml
index 307a48e..3a0ef06 100644
--- a/roles/os-harden/defaults/main.yml
+++ b/roles/os-harden/defaults/main.yml
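Review bot: The apiserver still does not verify the kubelet it connects to after this change: `--kubelet-https=true` is present but `--kubelet-certificate-authority` is not among the visible flags, and without it kube-apiserver accepts any serving certificate on port 10250, so exec/logs/port-forward traffic between control plane and nodes stays open to an on-path attacker. If kubelet serving certificates are issued by the cluster CA, add `--kubelet-certificate-authority={{ ca_dir }}/ca.pem \` next to the two new lines; if kubelets still self-sign their serving certificate (the default without serving-cert rotation), that must be fixed first or the apiserver will stop reaching nodes. The flag may already be set elsewhere in this ExecStart, which starts before the hunk and continues past it, so I cannot rule that out. It is also worth confirming that `kubernetes.pem`, which looks like the apiserver's own serving certificate, was issued with the clientAuth extended key usage, otherwise the kubelet will reject it as a client certificate once it starts checking them.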
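Review bot: Adding `--client-ca-file` by itself does not close the anonymous access the commit subject says it fixes: it only enables x509 client-certificate authentication, while the kubelet defaults remain `--anonymous-auth=true`, `--authorization-mode=AlwaysAllow` and an unauthenticated read-only port on 10255, so unauthenticated callers can still use ports 10250 and 10255 unless those flags are set elsewhere in this ExecStart (which starts before and continues past the hunk, so I cannot see them). The lines that actually deny such access are `--anonymous-auth=false \`, `--authorization-mode=Webhook \` and `--read-only-port=0 \`, and they belong right next to the new `--client-ca-file` line. Webhook authorization makes the kubelet send SubjectAccessReviews carrying the identity the apiserver presents, which is exactly what the client certificate added on the apiserver side of this commit provides, so the two halves should land together and the subject of `kubernetes.pem` must be bound to a role allowing the `nodes/proxy`, `nodes/log` and related subresources or exec/logs will start returning 403. A one-line comment above the new flag stating the intended model, e.g. `# kubelet API: x509 client auth against the cluster CA, anonymous denied, authz via SubjectAccessReview`, would stop the next maintainer from removing one piece without the others.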
@@ -1,6 +1,6 @@
 os_desktop_enable: false
 os_env_extra_user_paths: []
-os_auth_pw_max_age: 60
+os_auth_pw_max_age: 99999 # 密码过期天数
 os_auth_pw_min_age: 7 # discourage password cycling
 os_auth_retries: 5
 os_auth_lockout_time: 600 # 10min
@@ -35,7 +35,7 @@ os_security_init_prompt: true
 os_security_init_single: false
 # Apply ufw defaults
-ufw_manage_defaults: true
+ufw_manage_defaults: false
 # Empty variable disables IPT_SYSCTL in /etc/default/ufw
 # by default in Ubuntu it set to: /etc/ufw/sysctl.conf
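Review bot: `os_auth_pw_max_age: 99999` effectively turns off password expiry for local accounts (presumably this value feeds PASS_MAX_DAYS in /etc/login.defs — confirm in the role's tasks), which is a hardening rollback unrelated to the kubelet fix named in the subject, and the added comment only restates the key name. State the reason in the file so the next person does not quietly restore 60, and keep the comment in English like the neighbouring `# discourage password cycling` and `# 10min`, e.g. `os_auth_pw_max_age: 99999 # effectively never expires; intentional for <reason>`. Consider moving this and the ufw change into their own commit so the kubelet security fix can be reviewed and cherry-picked on its own.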