修复kubelet匿名访问漏洞

2018-05-17 22:51:15 +08:00 · 2018-05-17 22:51:15 +08:00 · 83bdcfd41a
parent 6b6de7881e
commit 83bdcfd41a
3 changed files with 5 additions and 2 deletions
--- a/roles/kube-master/templates/kube-apiserver.service.j2
+++ b/roles/kube-master/templates/kube-apiserver.service.j2
@ -10,6 +10,8 @@ ExecStart={{ bin_dir }}/kube-apiserver \
  --insecure-bind-address=127.0.0.1 \
  --authorization-mode=Node,RBAC \
  --kubelet-https=true \
+  --kubelet-client-certificate={{ ca_dir }}/kubernetes.pem \
+  --kubelet-client-key={{ ca_dir }}/kubernetes-key.pem \
  --anonymous-auth=false \
  --basic-auth-file={{ ca_dir }}/basic-auth.csv \
  --enable-bootstrap-token-auth \
--- a/roles/kube-node/templates/kubelet.service.j2
+++ b/roles/kube-node/templates/kubelet.service.j2
@ -14,6 +14,7 @@ ExecStart={{ bin_dir }}/kubelet \
  --experimental-bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig \
  --kubeconfig=/etc/kubernetes/kubelet.kubeconfig \
  --cert-dir={{ ca_dir }} \
+  --client-ca-file={{ ca_dir }}/ca.pem \
  --network-plugin=cni \
  --cni-conf-dir=/etc/cni/net.d \
  --cni-bin-dir={{ bin_dir }} \
--- a/roles/os-harden/defaults/main.yml
+++ b/roles/os-harden/defaults/main.yml
@ -1,6 +1,6 @@
 os_desktop_enable: false
 os_env_extra_user_paths: []
-os_auth_pw_max_age: 60
+os_auth_pw_max_age: 99999 # 密码过期天数 
 os_auth_pw_min_age: 7 # discourage password cycling
 os_auth_retries: 5
 os_auth_lockout_time: 600 # 10min
@ -35,7 +35,7 @@ os_security_init_prompt: true
 os_security_init_single: false

 # Apply ufw defaults
-ufw_manage_defaults: true
+ufw_manage_defaults: false 

 # Empty variable disables IPT_SYSCTL in /etc/default/ufw
 # by default in Ubuntu it set to: /etc/ufw/sysctl.conf