Update kubelet systemd service default allowed IP addresses for cluster hardening (#11061)

Signed-off-by: bmelbourne <barry.melbourne0@gmail.com>
Barry M 2024-04-11 08:58:27 +01:00 committed by GitHub
parent 8a423abd0f
commit 1b870a1862
2 changed files with 4 additions and 3 deletions


@ -107,7 +107,7 @@ kubelet_systemd_hardening: true
# IP addresses, kubelet_secure_addresses allows you # IP addresses, kubelet_secure_addresses allows you
# to specify the IP from which the kubelet # to specify the IP from which the kubelet
# will receive the packets. # will receive the packets.
kubelet_secure_addresses: "192.168.10.110 192.168.10.111 192.168.10.112" kubelet_secure_addresses: "localhost link-local {{ kube_pods_subnet }} 192.168.10.110 192.168.10.111 192.168.10.112"
# additional configurations # additional configurations
kube_owner: root kube_owner: root


@ -24,10 +24,11 @@ kubelet_kubelet_cgroups_cgroupfs: "/system.slice/kubelet.service"
kubelet_systemd_hardening: false kubelet_systemd_hardening: false
# List of secure IPs for kubelet # List of secure IPs for kubelet
kubelet_secure_addresses: >- kube_node_addresses: >-
{%- for host in groups['kube_control_plane'] -%} {%- for host in (groups['kube_control_plane'] + groups['kube_node'] + groups['etcd']) | unique -%}
{{ hostvars[host]['ip'] | default(fallback_ips[host]) }}{{ ' ' if not loop.last else '' }} {{ hostvars[host]['ip'] | default(fallback_ips[host]) }}{{ ' ' if not loop.last else '' }}
{%- endfor -%} {%- endfor -%}
kubelet_secure_addresses: "localhost link-local {{ kube_pods_subnet }} {{ kube_node_addresses }}"
# Reserve this space for kube resources # Reserve this space for kube resources
# Set to true to reserve resources for kube daemons # Set to true to reserve resources for kube daemons
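Review bot: The new `kubelet_secure_addresses` default on the last changed line widens the systemd IP allow-list from the control-plane node IPs to the whole `{{ kube_pods_subnet }}` plus `link-local`, so with hardening enabled every pod in the cluster (and anything on 169.254.0.0/16, which on cloud hosts includes the metadata range) can now reach the kubelet ports; nothing in the hunk explains why or records that this only stays safe if kubelet anonymous auth is off and webhook authn/authz is enforced. I would document that trade-off above the variable, e.g. `# Pod CIDR and link-local are allowed so CNI/metrics/probes work; this relies on kubelet authn/authz, not the firewall, to protect the API` and `# Override to drop the pod subnet if pods must not reach the kubelet directly`. Two further caveats to confirm: the list only carries the IPv4 `kube_pods_subnet`, so a dual-stack cluster would block IPv6 pod traffic once hardening is on, and the new loop indexes `groups['etcd']` unconditionally, which presumably fails rendering on an inventory without an `etcd` group. The surrounding defaults file continues outside this hunk.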